Merge pull request #2355 from cldrn/AspNetMaxRequestLength

CodeQL query to check for insecure MaxLengthRequest values in ASP.NET applications

Author: hvitved

csharp/ql/src/Security Features/CWE-016/ASPNetMaxRequestLength.qhelp

@@ -0,0 +1,47 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+  <overview>
+    <p>
+      The <code>maxRequestLength</code> attribute sets the limit for the input
+      stream buffering threshold in KB. Attackers can use large requests to cause
+      denial-of-service attacks.
+    </p>
+  </overview>
+  <recommendation>
+
+    <p>
+      The recommended value is 4096 KB but you should try setting it as
+      small as possible according to business requirements.
+    </p>
+
+  </recommendation>
+  <example>
+
+    <p>
+      The following example shows the <code>maxRequestLength</code>
+      attribute set to a high value (255 MB) in a <code>Web.config</code>
+      file for ASP.NET:
+    </p>
+
+    <sample src="Web.config.ASPNetMaxRequestLength.bad" />
+
+    <p>
+      Unless such a high value is strictly needed, it is better to set
+      the recommended value (4096 KB):
+    </p>
+
+    <sample src="Web.config.ASPNetMaxRequestLength.good" />
+
+  </example>
+
+  <references>
+
+    <li>
+      MSDN:
+      <a href="https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.httpruntimesection.maxrequestlength?view=netframework-4.8">HttpRuntimeSection.MaxRequestLength Property</a>.
+    </li>
+  </references>
+</qhelp>

csharp/ql/src/Security Features/CWE-016/ASPNetMaxRequestLength.ql

@@ -0,0 +1,22 @@
+/**
+ * @name Large 'maxRequestLength' value
+ * @description Setting a large 'maxRequestLength' value may render a webpage vulnerable to
+ *              denial-of-service attacks.
+ * @kind problem
+ * @problem.severity warning
+ * @id cs/web/large-max-request-length
+ * @tags security
+ *       frameworks/asp.net
+ *       external/cwe/cwe-16
+ */
+
+import csharp
+import semmle.code.asp.WebConfig
+
+from SystemWebXMLElement web, XMLAttribute maxReqLength
+where
+  maxReqLength = web
+        .getAChild(any(string s | s.toLowerCase() = "httpruntime"))
+        .getAttribute(any(string s | s.toLowerCase() = "maxrequestlength")) and
+  maxReqLength.getValue().toInt() > 4096
+select maxReqLength, "Large 'maxRequestLength' value (" + maxReqLength.getValue() + " KB)."

csharp/ql/src/Security Features/CWE-016/Web.config.ASPNetMaxRequestLength.bad

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+  <system.web>
+    <httpRuntime maxRequestLength="255000" />
+  </system.web>
+</configuration>

csharp/ql/src/Security Features/CWE-016/Web.config.ASPNetMaxRequestLength.good

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+  <system.web>
+    <httpRuntime maxRequestLength="4096" />
+  </system.web>
+</configuration>

csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetMaxRequestLength.cs

@@ -0,0 +1,5 @@
+// Dummy class for extraction purposes
+public class ASPNetMaxRequestLengthDummyClass
+{
+
+}

csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetMaxRequestLength.expected

@@ -0,0 +1 @@
+| bad/Web.config:4:5:4:46 | maxRequestLength=262144 | Large 'maxRequestLength' value (262144 KB). |

csharp/ql/test/query-tests/Security Features/CWE-016/ASPNetMaxRequestLength.qlref

@@ -0,0 +1 @@
+Security Features/CWE-016/ASPNetMaxRequestLength.ql

csharp/ql/test/query-tests/Security Features/CWE-016/Web.config

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+  <system.web>
+    <httpRuntime maxRequestLength="4096" />
+  </system.web>
+</configuration>

csharp/ql/test/query-tests/Security Features/CWE-016/bad/Web.config

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+  <system.web>
+    <httpRuntime maxRequestLength="262144" />
+  </system.web>
+</configuration>