Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Analyzer] Prefer HttpRequest.ReadFormAsync over HttpRequest.Form #47460

Open
3 of 15 tasks
JamesNK opened this issue Mar 28, 2023 · 2 comments
Open
3 of 15 tasks

[Analyzer] Prefer HttpRequest.ReadFormAsync over HttpRequest.Form #47460

JamesNK opened this issue Mar 28, 2023 · 2 comments
Labels
analyzer Indicates an issue which is related to analyzer experience api-suggestion Early API idea and discussion, it is NOT ready for implementation area-minimal Includes minimal APIs, endpoint filters, parameter binding, request delegate generator etc area-mvc Includes: MVC, Actions and Controllers, Localization, CORS, most templates
Milestone
Backlog

Comments

@JamesNK
Copy link
Member

JamesNK commented Mar 28, 2023
edited

Background and Motivation

HttpRequest.Form is a blocking API (it reads the request body which may not be available yet). Using it can cause thread exhaustion and server throughput problems.

HttpRequest.Form is confusing to people as similar APIs such HttpRequest.QueryString, HttpRequest.Cookies, HttpRequest.Headers, etc, are safe to use.

Proposed Analyzer

Analyzer Behavior and Message

Using HttpRequest.Form should generate a warning. There are some cases where it is safe to use, so we need to figure out how broad to make the warning.

One option could be:

  • API used inside an async method = warning
  • API used inside a sync method = info

See discussion at #44390 (comment) for more info.

Category

  • Design
  • Documentation
  • Globalization
  • Interoperability
  • Maintainability
  • Naming
  • Performance
  • Reliability
  • Security
  • Style
  • Usage

Severity Level

  • Error
  • Warning (async method?)
  • Info (sync method?)
  • Hidden

Usage Scenarios

public Task<Result> SaveProduct()
{
    var productName = Request.Form["product_name"]; // WARNING HERE
    _repository.Add(new Product { Name = productName });
    await _repository.SaveAsync();
    return SuccessResult();
}

Risks

HttpRequest.Form is safe if the form has already been loaded. People who know and rely on that behavior and like the terseness of HttpRequest.Form would be impacted. They could either suppress the analyzer or assign the form to a local variable:

public Task<Result> SaveProduct()
{
    var form = Request.ReadFormAsync();
    var productName = form["product_name"];
    var productPrice = form["product_price"];
    // etc
}
@JamesNK JamesNK added api-suggestion Early API idea and discussion, it is NOT ready for implementation analyzer Indicates an issue which is related to analyzer experience area-web-frameworks labels Mar 28, 2023
@JamesNK JamesNK mentioned this issue Mar 28, 2023
Closed
1 task
@Tratcher
Copy link
Member

HttpRequest.Form is safe if the form has already been loaded. People who know and rely on that behavior and like the terseness of HttpRequest.Form would be impacted.

This is why we haven't attempted this in the past. I don't think an analyzer can reliably detect when Form is safe or not.

Alternative: Change the runtime behavior instead so Form throws instead of doing unsafe sync over async. Include an appcontext switch for back-compat. There should be a property/method you can call to see if the form was read to avoid the exception.

@captainsafia captainsafia added area-mvc Includes: MVC, Actions and Controllers, Localization, CORS, most templates area-minimal Includes minimal APIs, endpoint filters, parameter binding, request delegate generator etc and removed area-web-frameworks labels Jun 20, 2023
@javiercn javiercn added this to the Backlog milestone Jul 10, 2023
@ghost
Copy link

ghost commented Jul 10, 2023

We've moved this issue to the Backlog milestone. This means that it is not going to be worked on for the coming release. We will reassess the backlog following the current release and consider this item at that time. To learn more about our issue management process and to have better expectation regarding different types of issues you can read our Triage Process.

@dotnet-policy-service dotnet-policy-service bot added the pending-ci-rerun When assigned to a PR indicates that the CI checks should be rerun label Feb 6, 2024
@wtgodbe wtgodbe removed the pending-ci-rerun When assigned to a PR indicates that the CI checks should be rerun label Feb 6, 2024
@dotnet-policy-service dotnet-policy-service bot added the pending-ci-rerun When assigned to a PR indicates that the CI checks should be rerun label Feb 6, 2024
@wtgodbe wtgodbe removed the pending-ci-rerun When assigned to a PR indicates that the CI checks should be rerun label Feb 13, 2024
@dotnet dotnet deleted a comment from dotnet-policy-service bot Feb 13, 2024
@dotnet dotnet deleted a comment from dotnet-policy-service bot Feb 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
analyzer Indicates an issue which is related to analyzer experience api-suggestion Early API idea and discussion, it is NOT ready for implementation area-minimal Includes minimal APIs, endpoint filters, parameter binding, request delegate generator etc area-mvc Includes: MVC, Actions and Controllers, Localization, CORS, most templates
Projects
None yet
Milestone
Backlog
Development

No branches or pull requests
6 participants
@JamesNK @Tratcher @captainsafia @javiercn @wtgodbe and others