How to allow "potentially dangerous" parameter values?

Question

I've got a Web API project. One of my endpoints allows a string search, which could contain special characters.

[RoutePrefix("api/Search")]
[ValidateInput(false)] // this is *supposed* to allow us to search using "unsafe" characters, like %, & etc.
public class SearchController : ApiController
{
    ...
    [HttpGet]
    [Route("{searchValue}", Name = "GenericSearch")]
    public async Task<IHttpActionResult> Search(string searchValue)
    {
        ...
    }
}

When I call api/Search/fred, this works as expected.

When I call api/Search/fred%25, I get this error:

[HttpException (0x80004005): A potentially dangerous Request.Path value was detected from the client (%).] System.Web.HttpRequest.ValidateInputIfRequiredByConfig() +561 System.Web.PipelineStepManager.ValidateHelper(HttpContext context) +54

This is despite the fact that my controller is decorated with [ValidateInput(false)], and based on other answers I found elsewhere, I added requestValidationMode to my Web.config:

<system.web>
  ...
  <httpRuntime requestValidationMode="2.0" />
</system.web>

What other secret switch do I need to flip?

I'm pretty sure that's only for MVC. But only on my phone ATM. Would also say if its not just MVC then have you tried it on the method instead if the class? — Andrew Harris, May 09 '17 at 11:55
According to the answer of this http://stackoverflow.com/questions/5967103/a-potentially-dangerous-request-path-value-was-detected-from-the-client try to put it in the query string — Samvel Petrosov, May 09 '17 at 11:57
@AndrewHarris AFAIK, isn't WebAPI a derivative of MVC, just with a few different controllers and things bolted on? — Geoff James, May 09 '17 at 11:57
@AndrewHarris Ah, cool. Must be one of the things bolted on. Good to know, thanks :) — Geoff James, May 09 '17 at 12:00
@GeoffJames all good I think that confirmed.s my suspicion though, you need the attribute at the method level if I read it correctly. — Andrew Harris, May 09 '17 at 12:01
Are you missing the attribute on `httpRuntime` for allowing the Invalid Characters? `` — Mark C., May 09 '17 at 12:02
@AndrewHarris I just tried putting the attribute at the method level. No difference. — Shaul Behr, May 09 '17 at 12:04
Then as Mark C said, you're missing the invalid chars attribute. — Andrew Harris, May 09 '17 at 12:05
@MarkC. Take yourself a prize. That fixed it. But what do I do if I don't want to remove validation on all endpoints, just the ones I specify? — Shaul Behr, May 09 '17 at 12:06
@ShaulBehr http://stackoverflow.com/questions/6025522/getting-a-potentially-dangerous-request-path-value-was-detected-from-the-client — Viswas Menon, May 09 '17 at 12:10
@ViswasMenon please can you be more explicit about what you find of interest at that question? — Shaul Behr, May 09 '17 at 12:16
@ShaulBehr The solution for that question should solve the issue that you have as well. — Viswas Menon, May 09 '17 at 12:24
Possible duplicate of [A potentially dangerous Request.Form value was detected from the client](http://stackoverflow.com/questions/81991/a-potentially-dangerous-request-form-value-was-detected-from-the-client) — Alejandro, May 09 '17 at 12:27
@Alejandro not a duplicate. The question is different and the answer given is not the solution to my problem. — Shaul Behr, May 09 '17 at 12:31

score 3 · Accepted Answer · answered May 09 '17 at 12:11

3

You are missing the attribute on httpRuntime for allowing the Invalid Characters.

<httpRuntime requestPathInvalidCharacters="" requestValidationMode="2.0" />

answered May 09 '17 at 12:11

Mark C.

6,332
4
35
71

Thanks! Is there a way to do it so that I don't remove validation on all endpoints, just the ones I specify? And does the `[ValidateInput(false)]` do anything at all? – Shaul Behr May 09 '17 at 12:12
Only on my phone at the moment give me a min – Mark C. May 09 '17 at 12:17
1

Found it [here](http://stackoverflow.com/a/9698482/7850): use a `location` element to confine the settings to urls under that path. If you'd like to update your answer with that, I'll give you answer credit. – Shaul Behr May 09 '17 at 12:28
And for those who are interested, `[ValidateInput(false)]` has no effect whatsoever. – Shaul Behr May 09 '17 at 12:35
Nice! Good find – Mark C. May 09 '17 at 12:36

How to allow "potentially dangerous" parameter values?

1 Answers1