Fix S5693 FP: custom fileUploadSizeLimit parameter ignored when parsing Web.config files #7867

Closed
cristian-ambrosini-sonarsource opened this issue Aug 23, 2023 · 0 comments · Fixed by #8206
Area: C# C# rules related issues. Sprint: Hardening Fix FPs/FNs/improvements Type: False Positive Rule IS triggered when it shouldn't be.
@cristian-ambrosini-sonarsource
FP reported on SonarCommunity by Andrew Timson.

This rule has a configurable fileUploadSizeLimit parameter. The code for the rule appears to take the parameter into account when looking at attribute-based upload limits for both request size and request form size, but not when checking the configuration in Web.config; the latter sticks to the hardcoded 8 MB limit for both.

Using SonarQube Community Edition, Version 10.1 (build 73491)

<configuration>
    <system.web>
        <httpRuntime maxRequestLength="25600" />
        <!-- Compliant: maxRequestLength is expressed in KB, so 25600KB = 25MB  -->
    </system.web>
    <system.webServer>
        <security>
            <requestFiltering>
                <requestLimits maxAllowedContentLength="26214400" />
                <!-- Compliant: maxAllowedContentLength is expressed in bytes, so 26214400 = 25MB  -->
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>

When fileUploadSizeLimit is set to 35000000, the above snippets are still flagged by the rule.
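The following is an added illustration of the check the issue expects, written for this page and not taken from the SonarAnalyzer code base: it parses the two Web.config settings, normalises them to bytes (maxRequestLength is in KB, maxAllowedContentLength in bytes) and compares each against a configurable limit instead of a hardcoded one. The 8 MB default is assumed to be 8,000,000 bytes here; the analyzer's exact constant is not stated on the page.

```python
import xml.etree.ElementTree as ET

# Assumed default for the rule's 8 MB limit (exact byte value not given on the page).
DEFAULT_LIMIT_BYTES = 8_000_000

# Constructed Web.config with the same values as the snippet in the issue.
WEB_CONFIG = """<configuration>
    <system.web>
        <httpRuntime maxRequestLength="25600" />
    </system.web>
    <system.webServer>
        <security>
            <requestFiltering>
                <requestLimits maxAllowedContentLength="26214400" />
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>"""


def check_web_config(xml_text, file_upload_size_limit=DEFAULT_LIMIT_BYTES):
    """Return (setting, size_in_bytes, compliant) for each upload limit found.

    The comparison uses the caller-supplied limit, which is what the issue
    reports the analyzer failing to do for Web.config files.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.iter("httpRuntime"):
        value = node.get("maxRequestLength")
        if value is not None:
            size = int(value) * 1024  # attribute is in kilobytes
            findings.append(("maxRequestLength", size, size <= file_upload_size_limit))
    for node in root.iter("requestLimits"):
        value = node.get("maxAllowedContentLength")
        if value is not None:
            size = int(value)  # attribute is already in bytes
            findings.append(("maxAllowedContentLength", size, size <= file_upload_size_limit))
    return findings


if __name__ == "__main__":
    for limit in (DEFAULT_LIMIT_BYTES, 35_000_000):
        print(limit, check_web_config(WEB_CONFIG, limit))
```

With the default limit both settings (25 MB each) are reported as non-compliant; with fileUploadSizeLimit raised to 35000000 both are compliant, which is the behaviour the issue asks for.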
