Fix MaxRequestBodySize in IIS (#25096)

jkotalik · Tratcher · web-flow · commit 6333040b5a08 · 2020-08-25T09:12:58.000-07:00
* Fix MaxRequestBodySize

* Apply suggestions from code review

Co-authored-by: Chris Ross &lt;Tratcher@Outlook.com&gt;

* Update test

* Keep IIS limit default and update API comment

* Update tests

Co-authored-by: Chris Ross &lt;Tratcher@Outlook.com&gt;
diff --git a/src/Servers/IIS/IIS/src/Core/IISConfigurationData.cs b/src/Servers/IIS/IIS/src/Core/IISConfigurationData.cs
@@ -19,6 +19,6 @@ internal struct IISConfigurationData
         public bool fAnonymousAuthEnable;
         [MarshalAs(UnmanagedType.BStr)]
         public string pwzBindings;
-        public int maxRequestBodySize;
+        public uint maxRequestBodySize;
     }
 }
diff --git a/src/Servers/IIS/IIS/src/Core/IISHttpContextOfT.cs b/src/Servers/IIS/IIS/src/Core/IISHttpContextOfT.cs
@@ -3,8 +3,6 @@
 
 using System;
 using System.Buffers;
-using System.Text;
-using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting.Server;
diff --git a/src/Servers/IIS/IIS/src/IISServerOptions.cs b/src/Servers/IIS/IIS/src/IISServerOptions.cs
@@ -42,16 +42,17 @@ public class IISServerOptions
         // https://www.iis.net/configreference/system.webserver/security/requestfiltering/requestlimits#005
         private long? _maxRequestBodySize = 30000000;
 
-        internal long IisMaxRequestSizeLimit;
+        internal long IisMaxRequestSizeLimit; // Used for verifying if limit set in managed exceeds native 
 
         /// <summary>
         /// Gets or sets the maximum allowed size of any request body in bytes.
-        /// When set to null, the maximum request body size is unlimited.
+        /// When set to null, the maximum request length will not be restricted in ASP.NET Core.
+        /// However, the IIS maxAllowedContentLength will still restrict content length requests (30,000,000 by default).
         /// This limit has no effect on upgraded connections which are always unlimited.
         /// This can be overridden per-request via <see cref="IHttpMaxRequestBodySizeFeature"/>.
         /// </summary>
         /// <remarks>
-        /// Defaults to null (unlimited).
+        /// Defaults to 30,000,000 bytes (~28.6 MB).
         /// </remarks>
         public long? MaxRequestBodySize
         {
diff --git a/src/Servers/IIS/IIS/src/WebHostBuilderIISExtensions.cs b/src/Servers/IIS/IIS/src/WebHostBuilderIISExtensions.cs
@@ -49,6 +49,7 @@ public static IWebHostBuilder UseIIS(this IWebHostBuilder hostBuilder)
                             options => {
                                 options.ServerAddresses = iisConfigData.pwzBindings.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries);
                                 options.ForwardWindowsAuthentication = iisConfigData.fWindowsAuthEnabled || iisConfigData.fBasicAuthEnabled;
+                                options.MaxRequestBodySize = iisConfigData.maxRequestBodySize;
                                 options.IisMaxRequestSizeLimit = iisConfigData.maxRequestBodySize;
                             }
                         );
diff --git a/src/Servers/IIS/IIS/test/Common.FunctionalTests/Inprocess/MaxRequestBodySizeTests.cs b/src/Servers/IIS/IIS/test/Common.FunctionalTests/Inprocess/MaxRequestBodySizeTests.cs
@@ -54,6 +54,46 @@ public async Task SetIISLimitMaxRequestBodySizeE2EWorks()
             Assert.True(result.StatusCode == HttpStatusCode.NotFound || result.StatusCode == HttpStatusCode.RequestEntityTooLarge);
         }
 
+        [ConditionalFact]
+        [RequiresNewHandler]
+        public async Task SetIISLimitMaxRequestBodySizeE2EWorksWithLargerLimit()
+        {
+            var deploymentParameters = Fixture.GetBaseDeploymentParameters();
+            deploymentParameters.ServerConfigActionList.Add(
+                (config, _) => {
+                    config
+                        .RequiredElement("system.webServer")
+                        .GetOrAdd("security")
+                        .GetOrAdd("requestFiltering")
+                        .GetOrAdd("requestLimits", "maxAllowedContentLength", "100000000");
+                });
+            var deploymentResult = await DeployAsync(deploymentParameters);
+
+            var result = await deploymentResult.HttpClient.PostAsync("/ReadRequestBodyLarger", new StringContent(new string('a', 100000000)));
+
+            Assert.Equal(HttpStatusCode.OK, result.StatusCode);
+        }
+
+        [ConditionalFact]
+        [RequiresNewHandler]
+        public async Task SetIISLimitMaxRequestBodySizeE2EWorksWithIntMaxValue()
+        {
+            var deploymentParameters = Fixture.GetBaseDeploymentParameters();
+            deploymentParameters.ServerConfigActionList.Add(
+                (config, _) => {
+                    config
+                        .RequiredElement("system.webServer")
+                        .GetOrAdd("security")
+                        .GetOrAdd("requestFiltering")
+                        .GetOrAdd("requestLimits", "maxAllowedContentLength", "4294967295");
+                });
+            var deploymentResult = await DeployAsync(deploymentParameters);
+
+            var result = await deploymentResult.HttpClient.PostAsync("/ReadRequestBodyLarger", new StringContent(new string('a', 10000)));
+
+            Assert.Equal(HttpStatusCode.OK, result.StatusCode);
+        }
+
         [ConditionalFact]
         [RequiresNewHandler]
         public async Task IISRejectsContentLengthTooLargeByDefault()
@@ -94,7 +134,7 @@ public async Task SetIISLimitMaxRequestBodyLogsWarning()
                 });
             var deploymentResult = await DeployAsync(deploymentParameters);
 
-            var result = await deploymentResult.HttpClient.PostAsync("/DecreaseRequestLimit", new StringContent("1"));
+            var result = await deploymentResult.HttpClient.PostAsync("/IncreaseRequestLimit", new StringContent("1"));
             Assert.Equal(HttpStatusCode.OK, result.StatusCode);
 
             StopServer();
diff --git a/src/Servers/IIS/IIS/test/testassets/InProcessWebSite/Startup.cs b/src/Servers/IIS/IIS/test/testassets/InProcessWebSite/Startup.cs
@@ -478,6 +478,16 @@ private async Task ReadRequestBody(HttpContext ctx)
             }
         }
 
+        private async Task ReadRequestBodyLarger(HttpContext ctx)
+        {
+            var readBuffer = new byte[4096];
+            var result = await ctx.Request.Body.ReadAsync(readBuffer, 0, 4096);
+            while (result != 0)
+            {
+                result = await ctx.Request.Body.ReadAsync(readBuffer, 0, 4096);
+            }
+        }
+
         private int _requestsInFlight = 0;
         private async Task ReadAndCountRequestBody(HttpContext ctx)
         {
@@ -1444,6 +1454,13 @@ public async Task Reset_CompleteAsyncDuringRequestBody_Resets(HttpContext httpCo
             await Assert.ThrowsAsync<IOException>(() => readTask);
         }
 
+        public Task IncreaseRequestLimit(HttpContext httpContext)
+        {
+            var maxRequestBodySizeFeature = httpContext.Features.Get<IHttpMaxRequestBodySizeFeature>();
+            maxRequestBodySizeFeature.MaxRequestBodySize = 2;
+            return Task.CompletedTask;
+        }
+
         internal static readonly HashSet<(string, StringValues, StringValues)> NullTrailers = new HashSet<(string, StringValues, StringValues)>()
         {
             ("NullString", (string)null, (string)null),

Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,6 @@ internal struct IISConfigurationData`
`19`	`19`	`public bool fAnonymousAuthEnable;`
`20`	`20`	`[MarshalAs(UnmanagedType.BStr)]`
`21`	`21`	`public string pwzBindings;`
`22`		`- public int maxRequestBodySize;`
	`22`	`+ public uint maxRequestBodySize;`
`23`	`23`	`}`
`24`	`24`	`}`
Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,7 @@ public static IWebHostBuilder UseIIS(this IWebHostBuilder hostBuilder)`
`49`	`49`	`options => {`
`50`	`50`	`options.ServerAddresses = iisConfigData.pwzBindings.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries);`
`51`	`51`	`options.ForwardWindowsAuthentication = iisConfigData.fWindowsAuthEnabled \|\| iisConfigData.fBasicAuthEnabled;`
	`52`	`+ options.MaxRequestBodySize = iisConfigData.maxRequestBodySize;`
`52`	`53`	`options.IisMaxRequestSizeLimit = iisConfigData.maxRequestBodySize;`
`53`	`54`	`}`
`54`	`55`	`);`
Original file line number	Diff line number	Diff line change
`@@ -478,6 +478,16 @@ private async Task ReadRequestBody(HttpContext ctx)`
`478`	`478`	`}`
`479`	`479`	`}`
`480`	`480`
	`481`	`+ private async Task ReadRequestBodyLarger(HttpContext ctx)`
	`482`	`+ {`
	`483`	`+ var readBuffer = new byte[4096];`
	`484`	`+ var result = await ctx.Request.Body.ReadAsync(readBuffer, 0, 4096);`
	`485`	`+ while (result != 0)`
	`486`	`+ {`
	`487`	`+ result = await ctx.Request.Body.ReadAsync(readBuffer, 0, 4096);`
	`488`	`+ }`
	`489`	`+ }`
	`490`	`+`
`481`	`491`	`private int _requestsInFlight = 0;`
`482`	`492`	`private async Task ReadAndCountRequestBody(HttpContext ctx)`
`483`	`493`	`{`
`@@ -1444,6 +1454,13 @@ public async Task Reset_CompleteAsyncDuringRequestBody_Resets(HttpContext httpCo`
`1444`	`1454`	`await Assert.ThrowsAsync<IOException>(() => readTask);`
`1445`	`1455`	`}`
`1446`	`1456`
	`1457`	`+ public Task IncreaseRequestLimit(HttpContext httpContext)`
	`1458`	`+ {`
	`1459`	`+ var maxRequestBodySizeFeature = httpContext.Features.Get<IHttpMaxRequestBodySizeFeature>();`
	`1460`	`+ maxRequestBodySizeFeature.MaxRequestBodySize = 2;`
	`1461`	`+ return Task.CompletedTask;`
	`1462`	`+ }`
	`1463`	`+`
`1447`	`1464`	`internal static readonly HashSet<(string, StringValues, StringValues)> NullTrailers = new HashSet<(string, StringValues, StringValues)>()`
`1448`	`1465`	`{`
`1449`	`1466`	`("NullString", (string)null, (string)null),`