Adds check for insecure MaxLengthRequest values

cldrn · cldrn · commit 56c12adab7e5 · 2019-11-16T14:21:39.000-05:00
diff --git a/csharp/ql/src/Security Features/CWE-016/ASPNetMaxRequestLength.qhelp b/csharp/ql/src/Security Features/CWE-016/ASPNetMaxRequestLength.qhelp
@@ -0,0 +1,55 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+	<overview>
+		<p>
+			The
+			<code>maxRequestLength</code>
+			attribute sets the limit for the input stream buffering
+			threshold in KB. Attackers can use large requests to cause denial-of-service
+			attacks.
+		</p>
+	</overview>
+	<recommendation>
+
+		<p>
+			The recommended value is 4096 KB but you should try setting it as small
+			as possible according
+			to business requirements.
+		</p>
+
+	</recommendation>
+	<example>
+
+		<p>
+			The following example shows the
+			<code>maxRequestLength</code>
+			attribute set to a high value
+			(255 MB) in a
+			<code>Web.config</code>
+			file for ASP.NET:
+		</p>
+
+		<sample src="Web.config.ASPNetMaxRequestLength.bad" />
+
+		<p>
+			Unless such a high value is strictly needed, it is better to set the
+			recommended value (4096 KB):
+		</p>
+
+		<sample src="Web.config.ASPNetMaxRequestLength.good" />
+
+	</example>
+
+	<references>
+
+		<li>
+			.NET API:
+			<a
+				href="https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.httpruntimesection.maxrequestlength?view=netframework-4.8">MaxRequestLength limit to prevent denial of service attacks</a>
+			.
+		</li>
+	</references>
+</qhelp>
diff --git a/csharp/ql/src/Security Features/CWE-016/ASPNetMaxRequestLength.ql b/csharp/ql/src/Security Features/CWE-016/ASPNetMaxRequestLength.ql
@@ -0,0 +1,18 @@
+/**
+ * @name Large maxRequestLength value
+ * @description Setting a large 'maxRequestLength' value may render a webpage vulnerable to
+ *              denial-of-service attacks.
+ * @kind problem
+ * @problem.severity warning
+ */
+
+import csharp
+import semmle.code.asp.WebConfig
+
+from SystemWebXMLElement web, XMLAttribute maxReqLength
+where
+  maxReqLength = web
+        .getAChild(any(string s | s.toLowerCase() = "httpruntime"))
+        .getAttribute(any(string s | s.toLowerCase() = "maxrequestlength")) and
+  maxReqLength.getValue().toInt() > 4096
+select maxReqLength, "Large 'maxRequestLength' value (" + maxReqLength.getValue() + " KB)."
diff --git a/csharp/ql/src/Security Features/CWE-016/Web.config.ASPNetMaxRequestLength.bad b/csharp/ql/src/Security Features/CWE-016/Web.config.ASPNetMaxRequestLength.bad
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+  <system.web>
+    <httpRuntime maxRequestLength="255000" />
+  </system.web>
+</configuration>
diff --git a/csharp/ql/src/Security Features/CWE-016/Web.config.ASPNetMaxRequestLength.good b/csharp/ql/src/Security Features/CWE-016/Web.config.ASPNetMaxRequestLength.good
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+  <system.web>
+    <httpRuntime maxRequestLength="4096" />
+  </system.web>
+</configuration>
