Merged PR 21240: [6.0] MSRC 70023 - ASP.Net FormFeature.cs - DenialOfService

# ASP.Net FormFeature.cs - DenialOfService

When parsing multi-part form data with FormFeature.cs, we do not honor ValueCountLimit when the content disposition is of an unknown type. Therefore an attacker could send multi-part form data where very part has invalid content disposition, and make us read indefinitely.

## Description

When parsing multi-part form data with FormFeature.cs, we do not honor ValueCountLimit when the content disposition is of an unknown type. Therefore an attacker could send multi-part form data where very part has invalid content disposition, and make us read indefinitely.

## Customer Impact

Prevents a potential Denial-of-service attack.

## Regression?

- [ ] Yes
- [x] No

## Risk

- [ ] High
- [x] Medium
- [ ] Low

We could have missed another potential version of this vulnerability

## Verification

- [x] Manual (required)
- [x] Automated

Added a test, plus confirmed with a local repro that the pre-existing slowdown goes away after the change.

## Packaging changes reviewed?

- [ ] Yes
- [ ] No
- [x] N/A

----

## When servicing release/2.1

- [ ] Make necessary changes in eng/PatchConfig.props

Author: wtgodbe

src/Http/Http/src/Features/FormFeature.cs

@@ -184,6 +184,7 @@ private async Task<IFormCollection> InnerReadFormAsync(CancellationToken cancell
                 else if (HasMultipartFormContentType(contentType))
                 {
                     var formAccumulator = new KeyValueAccumulator();
+                    var nonFormOrFileContentDispositionCount = 0;
 
                     var boundary = GetBoundary(contentType, _options.MultipartBoundaryLengthLimit);
                     var multipartReader = new MultipartReader(boundary, _request.Body)
@@ -259,7 +260,11 @@ private async Task<IFormCollection> InnerReadFormAsync(CancellationToken cancell
                         }
                         else
                         {
-                            System.Diagnostics.Debug.Assert(false, "Unrecognized content-disposition for this section: " + section.ContentDisposition);
+                            if (nonFormOrFileContentDispositionCount++ >= _options.ValueCountLimit)
+                            {
+                                throw new InvalidDataException($"Unrecognized Content-Disposition. Form value count limit {_options.ValueCountLimit} exceeded.");
+
+                            }
                         }
 
                         section = await multipartReader.ReadNextSectionAsync(cancellationToken);

src/Http/Http/test/Features/FormFeatureTests.cs

@@ -165,6 +165,12 @@ private class MockRequestBodyPipeFeature : IRequestBodyPipeFeature
 InvalidContentDispositionValue +
 "\r\n" +
 "\r\n" +
+"Foo\r\n";
+
+        private const string MultipartFormFileNonFormOrFileContentDispositionValue = "--WebKitFormBoundary5pDRpGheQXaM8k3T\r\n" +
+"Content-Disposition:x" +
+"\r\n" +
+"\r\n" +
 "Foo\r\n";
 
         private const string MultipartFormWithField =
@@ -468,6 +474,30 @@ public async Task ReadFormAsync_ValueCountLimitExceeded_Throw(bool bufferRequest
             Assert.Equal("Form value count limit 2 exceeded.", exception.Message);
         }
 
+        [Theory]
+        [InlineData(true)]
+        [InlineData(false)]
+        public async Task ReadFormAsync_NonFormOrFieldContentDisposition_ValueCountLimitExceeded_Throw(bool bufferRequest)
+        {
+            var formContent = new List<byte>();
+            formContent.AddRange(Encoding.UTF8.GetBytes(MultipartFormFileNonFormOrFileContentDispositionValue));
+            formContent.AddRange(Encoding.UTF8.GetBytes(MultipartFormFileNonFormOrFileContentDispositionValue));
+            formContent.AddRange(Encoding.UTF8.GetBytes(MultipartFormFileNonFormOrFileContentDispositionValue));
+            formContent.AddRange(Encoding.UTF8.GetBytes(MultipartFormEnd));
+
+            var context = new DefaultHttpContext();
+            var responseFeature = new FakeResponseFeature();
+            context.Features.Set<IHttpResponseFeature>(responseFeature);
+            context.Request.ContentType = MultipartContentType;
+            context.Request.Body = new NonSeekableReadStream(formContent.ToArray());
+
+            IFormFeature formFeature = new FormFeature(context.Request, new FormOptions() { BufferBody = bufferRequest, ValueCountLimit = 2 });
+            context.Features.Set<IFormFeature>(formFeature);
+
+            var exception = await Assert.ThrowsAsync<InvalidDataException>(() => context.Request.ReadFormAsync());
+            Assert.Equal("Unrecognized Content-Disposition. Form value count limit 2 exceeded.", exception.Message);
+        }
+
         [Theory]
         [InlineData(true)]
         [InlineData(false)]