Place limits on model binding collection size and recursion depth (do…

…tnet#7214) - dotnet#7052 - add MvcOptions.MaxModelBindingCollectionSize` and `MvcOptions.MaxModelBindingRecursionDepth` nits: - update syntax of a few `Resources.Designer.cs` files (I ran `/t:resx` on Mvc.sln) - take VS suggestions in a few test classes
diogoxluis · Feb 19, 2019 · 3e0c751 · 3e0c751
1 parent 69abefa
commit 3e0c751
Show file tree

Hide file tree

Showing 21 changed files with 836 additions and 114 deletions.
diff --git a/src/Hosting/Hosting/src/Properties/Resources.Designer.cs b/src/Hosting/Hosting/src/Properties/Resources.Designer.cs
diff --git a/src/Middleware/Localization/src/Properties/Resources.Designer.cs b/src/Middleware/Localization/src/Properties/Resources.Designer.cs
diff --git a/src/Middleware/Session/src/Properties/Resources.Designer.cs b/src/Middleware/Session/src/Properties/Resources.Designer.cs
diff --git a/src/Mvc/Mvc.ApiExplorer/test/DefaultApiDescriptionProviderTest.cs b/src/Mvc/Mvc.ApiExplorer/test/DefaultApiDescriptionProviderTest.cs
@@ -191,8 +191,6 @@ public void GetApiDescription_PopulatesParametersThatAppearOnRouteTemplate_AndHa
             var action = CreateActionDescriptor(nameof(FromRouting));
             action.AttributeRouteInfo = new AttributeRouteInfo { Template = template };
 
-            var parameterDescriptor = action.Parameters[0];
-
             // Act
             var descriptions = GetApiDescriptions(action);
 
@@ -1511,7 +1509,6 @@ public void GetApiDescription_ParameterDescription_DTOWithCollection()
         {
             // Arrange
             var action = CreateActionDescriptor(nameof(AcceptsHasCollection));
-            var parameterDescriptor = action.Parameters.Single();
 
             // Act
             var descriptions = GetApiDescriptions(action);
@@ -1531,7 +1528,6 @@ public void GetApiDescription_ParameterDescription_DTOWithCollection_ElementsWit
         {
             // Arrange
             var action = CreateActionDescriptor(nameof(AcceptsHasCollection_Complex));
-            var parameterDescriptor = action.Parameters.Single();
 
             // Act
             var descriptions = GetApiDescriptions(action);

diff --git a/src/Mvc/Mvc.Core/src/ModelBinding/Binders/ArrayModelBinder.cs b/src/Mvc/Mvc.Core/src/ModelBinding/Binders/ArrayModelBinder.cs
@@ -52,6 +52,36 @@ public ArrayModelBinder(
         {
         }
 
+        /// <summary>
+        /// Creates a new <see cref="ArrayModelBinder{TElement}"/>.
+        /// </summary>
+        /// <param name="elementBinder">
+        /// The <see cref="IModelBinder"/> for binding <typeparamref name="TElement"/>.
+        /// </param>
+        /// <param name="loggerFactory">The <see cref="ILoggerFactory"/>.</param>
+        /// <param name="allowValidatingTopLevelNodes">
+        /// Indication that validation of top-level models is enabled. If <see langword="true"/> and
+        /// <see cref="ModelMetadata.IsBindingRequired"/> is <see langword="true"/> for a top-level model, the binder
+        /// adds a <see cref="ModelStateDictionary"/> error when the model is not bound.
+        /// </param>
+        /// <param name="mvcOptions">The <see cref="MvcOptions"/>.</param>
+        /// <remarks>
+        /// <para>This is the preferred <see cref="ArrayModelBinder{TElement}"/> constructor.</para>
+        /// <para>
+        /// The <paramref name="allowValidatingTopLevelNodes"/> parameter is currently ignored.
+        /// <see cref="CollectionModelBinder{TElement}.AllowValidatingTopLevelNodes"/> is always <see langword="true"/>
+        /// in <see cref="ArrayModelBinder{TElement}"/>.
+        /// </para>
+        /// </remarks>
+        public ArrayModelBinder(
+            IModelBinder elementBinder,
+            ILoggerFactory loggerFactory,
+            bool allowValidatingTopLevelNodes,
+            MvcOptions mvcOptions)
+            : base(elementBinder, loggerFactory, allowValidatingTopLevelNodes: true, mvcOptions)
+        {
+        }
+
         /// <inheritdoc />
         public override bool CanCreateInstance(Type targetType)
         {

diff --git a/src/Mvc/Mvc.Core/src/ModelBinding/Binders/ArrayModelBinderProvider.cs b/src/Mvc/Mvc.Core/src/ModelBinding/Binders/ArrayModelBinderProvider.cs
@@ -4,6 +4,7 @@
 using System;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
 
 namespace Microsoft.AspNetCore.Mvc.ModelBinding.Binders
 {
@@ -23,15 +24,17 @@ public IModelBinder GetBinder(ModelBinderProviderContext context)
             if (context.Metadata.ModelType.IsArray)
             {
                 var elementType = context.Metadata.ElementMetadata.ModelType;
+                var binderType = typeof(ArrayModelBinder<>).MakeGenericType(elementType);
                 var elementBinder = context.CreateBinder(context.Metadata.ElementMetadata);
 
-                var binderType = typeof(ArrayModelBinder<>).MakeGenericType(elementType);
                 var loggerFactory = context.Services.GetRequiredService<ILoggerFactory>();
+                var mvcOptions = context.Services.GetRequiredService<IOptions<MvcOptions>>().Value;
                 return (IModelBinder)Activator.CreateInstance(
                     binderType,
                     elementBinder,
                     loggerFactory,
-                    true /* allowValidatingTopLevelNodes */);
+                    true /* allowValidatingTopLevelNodes */,
+                    mvcOptions);
             }
 
             return null;