Rules Repository / RSPEC-5693

Allowing requests with excessive content length is security-sensitive

    Details

    • Type: Security Hotspot Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Make sure the content length limit is safe here.
    • List of parameters:
      • Key: fileUploadSizeLimit
      • Description: The maximum size of HTTP requests handling file uploads (in bytes)
      • Default value: 8000000
      • Type: integer
      • Key: standardSizeLimit
      • Description: The maximum size of regular HTTP requests (in bytes)
      • Default value: 2000000
      • Type: integer
    • Default Severity:
      Major
    • Impact:
      Low
    • Likelihood:
      High
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      ABAP, APEX, C#, C, C++, Cobol, CSS, Flex, Go, HTML, Java, JavaScript, Kotlin, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Ruby, Rust, Scala, Solidity, Swift, T-SQL, TypeScript, VB.Net, VB6, XML
    • Remediation Function:
      Linear
    • Linear Argument Description:
      5min
    • Analysis Level:
      Syntactic Analysis
    • Analysis Scope:
      Main Sources, Test Sources
    • CWE:
      CWE-400, CWE-770
    • OWASP:
      A6

      Description

      Rejecting requests with an excessive content length is a good practice to control network traffic intensity, and thus resource consumption, in order to prevent denial-of-service (DoS) attacks. A server that accepts arbitrarily large request bodies has to buffer, store or process them, so a handful of oversized requests (or a few slow, chunked ones with no declared length) can exhaust its memory, disk or CPU.

      Ask Yourself Whether

      • size limits are not defined for the different resources (endpoints, upload handlers) of the web application.
      • the web application is not protected by rate-limiting features.
      • the web application infrastructure has limited resources (memory, disk, CPU or bandwidth).

      There is a risk if you answered yes to any of those questions.

      Recommended Secure Coding Practices

      • For most of the features of an application, it is recommended to limit the size of requests to:
        • at most 8 MB (8,000,000 bytes, the fileUploadSizeLimit default) for file uploads.
        • at most 2 MB (2,000,000 bytes, the standardSizeLimit default) for other requests.

      It is recommended to customize the rule parameters (fileUploadSizeLimit, standardSizeLimit) with the limit values that correspond to the web application. The limit should be checked against the Content-Length header before any body bytes are read, and also enforced while the body is streamed in, because a chunked request carries no Content-Length and a client may declare a smaller length than it actually sends.

        Sub-tasks

        • JavaScript: RSPEC-5694 (Language-Specification, Active, Unassigned)

          People

          • Assignee: Unassigned
          • Reporter: Eric Therond
          • Votes: 0
          • Watchers: 1