Guard against client disconnect exceptions that appear when reading body (#25146)

* Guard against client disconnect exceptions that appear when performing ReadFormAsync

Reading the request body may throw an exception. This change adds some extra guards
for this and presents this as a 4xx response rather than a 5xx response.

* Add some tests

* Fixup test

Author: pranavkm

src/Antiforgery/src/Internal/DefaultAntiforgeryTokenStore.cs

@@ -3,6 +3,7 @@
 
 using System;
 using System.Diagnostics;
+using System.IO;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Options;
@@ -57,7 +58,24 @@ public async Task<AntiforgeryTokenSet> GetRequestTokensAsync(HttpContext httpCon
             {
                 // Check the content-type before accessing the form collection to make sure
                 // we report errors gracefully.
-                var form = await httpContext.Request.ReadFormAsync();
+                IFormCollection form;
+                try
+                {
+                    form = await httpContext.Request.ReadFormAsync();
+                }
+                catch (InvalidDataException ex)
+                {
+                    // ReadFormAsync can throw InvalidDataException if the form content is malformed.
+                    // Wrap it in an AntiforgeryValidationException and allow the caller to handle it as just another antiforgery failure.
+                    throw new AntiforgeryValidationException(Resources.AntiforgeryToken_UnableToReadRequest, ex);
+                }
+                catch (IOException ex)
+                {
+                    // Reading the request body (which happens as part of ReadFromAsync) may throw an exception if a client disconnects.
+                    // Wrap it in an AntiforgeryValidationException and allow the caller to handle it as just another antiforgery failure.
+                    throw new AntiforgeryValidationException(Resources.AntiforgeryToken_UnableToReadRequest, ex);
+                }
+
                 requestToken = form[_options.FormFieldName];
             }
 

src/Antiforgery/src/Resources.resx

@@ -136,6 +136,9 @@
   <data name="AntiforgeryToken_TokensSwapped" xml:space="preserve">
     <value>Validation of the provided antiforgery token failed. The cookie token and the request token were swapped.</value>
   </data>
+  <data name="AntiforgeryToken_UnableToReadRequest" xml:space="preserve">
+    <value>Unable to read the antiforgery request token from the posted form.</value>
+  </data>
   <data name="AntiforgeryToken_UsernameMismatch" xml:space="preserve">
     <value>The provided antiforgery token was meant for user "{0}", but the current user is "{1}".</value>
   </data>

src/Antiforgery/test/DefaultAntiforgeryTokenStoreTest.cs

@@ -3,6 +3,8 @@
 
 using System;
 using System.Collections.Generic;
+using System.IO;
+using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Primitives;
@@ -235,6 +237,56 @@ public async Task GetRequestTokens_BothHeaderValueAndFormFieldsEmpty_ReturnsNull
             Assert.Null(tokenSet.RequestToken);
         }
 
+        [Fact]
+        public async Task GetRequestTokens_ReadFormAsyncThrowsIOException_ThrowsAntiforgeryValidationException()
+        {
+            // Arrange
+            var ioException = new IOException();
+            var httpContext = new Mock<HttpContext>();
+
+            httpContext.Setup(r => r.Request.Cookies).Returns(Mock.Of<IRequestCookieCollection>());
+            httpContext.SetupGet(r => r.Request.HasFormContentType).Returns(true);
+            httpContext.Setup(r => r.Request.ReadFormAsync(It.IsAny<CancellationToken>())).Throws(ioException);
+
+            var options = new AntiforgeryOptions
+            {
+                Cookie = { Name = "cookie-name" },
+                FormFieldName = "form-field-name",
+                HeaderName = null,
+            };
+
+            var tokenStore = new DefaultAntiforgeryTokenStore(new TestOptionsManager(options));
+
+            // Act & Assert
+            var ex = await Assert.ThrowsAsync<AntiforgeryValidationException>(() => tokenStore.GetRequestTokensAsync(httpContext.Object));
+            Assert.Same(ioException, ex.InnerException);
+        }
+
+        [Fact]
+        public async Task GetRequestTokens_ReadFormAsyncThrowsInvalidDataException_ThrowsAntiforgeryValidationException()
+        {
+            // Arrange
+            var exception = new InvalidDataException();
+            var httpContext = new Mock<HttpContext>();
+
+            httpContext.Setup(r => r.Request.Cookies).Returns(Mock.Of<IRequestCookieCollection>());
+            httpContext.SetupGet(r => r.Request.HasFormContentType).Returns(true);
+            httpContext.Setup(r => r.Request.ReadFormAsync(It.IsAny<CancellationToken>())).Throws(exception);
+
+            var options = new AntiforgeryOptions
+            {
+                Cookie = { Name = "cookie-name" },
+                FormFieldName = "form-field-name",
+                HeaderName = null,
+            };
+
+            var tokenStore = new DefaultAntiforgeryTokenStore(new TestOptionsManager(options));
+
+            // Act & Assert
+            var ex = await Assert.ThrowsAsync<AntiforgeryValidationException>(() => tokenStore.GetRequestTokensAsync(httpContext.Object));
+            Assert.Same(exception, ex.InnerException);
+        }
+
         [Theory]
         [InlineData(false, CookieSecurePolicy.SameAsRequest, null)]
         [InlineData(true, CookieSecurePolicy.SameAsRequest, true)]

src/Mvc/Mvc.Core/src/ModelBinding/FormFileValueProviderFactory.cs

@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -42,6 +42,14 @@ private static async Task AddValueProviderAsync(ValueProviderFactoryContext cont
             }
             catch (InvalidDataException ex)
             {
+                // ReadFormAsync can throw InvalidDataException if the form content is malformed.
+                // Wrap it in a ValueProviderException that the CompositeValueProvider special cases.
+                throw new ValueProviderException(Resources.FormatFailedToReadRequestForm(ex.Message), ex);
+            }
+            catch (IOException ex)
+            {
+                // ReadFormAsync can throw IOException if the client disconnects.
+                // Wrap it in a ValueProviderException that the CompositeValueProvider special cases.
                 throw new ValueProviderException(Resources.FormatFailedToReadRequestForm(ex.Message), ex);
             }
 

src/Mvc/Mvc.Core/src/ModelBinding/FormValueProviderFactory.cs

@@ -44,6 +44,14 @@ private static async Task AddValueProviderAsync(ValueProviderFactoryContext cont
             }
             catch (InvalidDataException ex)
             {
+                // ReadFormAsync can throw InvalidDataException if the form content is malformed.
+                // Wrap it in a ValueProviderException that the CompositeValueProvider special cases.
+                throw new ValueProviderException(Resources.FormatFailedToReadRequestForm(ex.Message), ex);
+            }
+            catch (IOException ex)
+            {
+                // ReadFormAsync can throw IOException if the client disconnects.
+                // Wrap it in a ValueProviderException that the CompositeValueProvider special cases.
                 throw new ValueProviderException(Resources.FormatFailedToReadRequestForm(ex.Message), ex);
             }
 

src/Mvc/Mvc.Core/src/ModelBinding/JQueryFormValueProviderFactory.cs

@@ -3,7 +3,10 @@
 
 using System;
 using System.Globalization;
+using System.IO;
 using System.Threading.Tasks;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc.Core;
 
 namespace Microsoft.AspNetCore.Mvc.ModelBinding
 {
@@ -34,7 +37,23 @@ private static async Task AddValueProviderAsync(ValueProviderFactoryContext cont
         {
             var request = context.ActionContext.HttpContext.Request;
 
-            var formCollection = await request.ReadFormAsync();
+            IFormCollection formCollection;
+            try
+            {
+                formCollection = await request.ReadFormAsync();
+            }
+            catch (InvalidDataException ex)
+            {
+                // ReadFormAsync can throw InvalidDataException if the form content is malformed.
+                // Wrap it in a ValueProviderException that the CompositeValueProvider special cases.
+                throw new ValueProviderException(Resources.FormatFailedToReadRequestForm(ex.Message), ex);
+            }
+            catch (IOException ex)
+            {
+                // ReadFormAsync can throw IOException if the client disconnects.
+                // Wrap it in a ValueProviderException that the CompositeValueProvider special cases.
+                throw new ValueProviderException(Resources.FormatFailedToReadRequestForm(ex.Message), ex);
+            }
 
             var valueProvider = new JQueryFormValueProvider(
                 BindingSource.Form,

src/Mvc/Mvc.Core/test/ModelBinding/CompositeValueProviderTest.cs

@@ -5,7 +5,10 @@
 using System.Collections.Generic;
 using System.Globalization;
 using System.Linq;
+using System.Threading.Tasks;
 using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc.Abstractions;
+using Microsoft.AspNetCore.Routing;
 using Microsoft.Extensions.Primitives;
 using Moq;
 using Xunit;
@@ -45,6 +48,25 @@ protected override IEnumerableValueProvider GetEnumerableValueProvider(
             return new CompositeValueProvider() { emptyValueProvider, valueProvider };
         }
 
+        [Fact]
+        public async Task TryCreateAsync_AddsModelStateError_WhenValueProviderFactoryThrowsValueProviderException()
+        {
+            // Arrange
+            var factory = new Mock<IValueProviderFactory>();
+            factory.Setup(f => f.CreateValueProviderAsync(It.IsAny<ValueProviderFactoryContext>())).ThrowsAsync(new ValueProviderException("Some error"));
+            var actionContext = new ActionContext(new DefaultHttpContext(), new RouteData(), new ActionDescriptor(), new ModelStateDictionary());
+
+            // Act
+            var (success, result) = await CompositeValueProvider.TryCreateAsync(actionContext, new[] { factory.Object });
+
+            // Assert
+            Assert.False(success);
+            var modelState = actionContext.ModelState;
+            Assert.False(modelState.IsValid);
+            var entry = Assert.Single(modelState);
+            Assert.Empty(entry.Key);
+        }
+
         [Fact]
         public void GetKeysFromPrefixAsync_ReturnsResultFromFirstValueProviderThatReturnsValues()
         {

src/Mvc/Mvc.Core/test/ModelBinding/FormFileValueProviderFactoryTest.cs

@@ -1,13 +1,16 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
+using System;
 using System.Collections.Generic;
 using System.IO;
+using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc.Abstractions;
 using Microsoft.AspNetCore.Routing;
 using Microsoft.Extensions.Primitives;
+using Moq;
 using Xunit;
 
 namespace Microsoft.AspNetCore.Mvc.ModelBinding
@@ -60,6 +63,59 @@ public async Task CreateValueProviderAsync_AddsValueProvider()
                 v => Assert.IsType<FormFileValueProvider>(v));
         }
 
+        [Fact]
+        public async Task GetValueProviderAsync_ThrowsValueProviderException_IfReadingFormThrowsInvalidDataException()
+        {
+            // Arrange
+            var exception = new InvalidDataException();
+            var valueProviderContext = CreateThrowingContext(exception);
+
+            var factory = new FormFileValueProviderFactory();
+
+            // Act & Assert
+            var ex = await Assert.ThrowsAsync<ValueProviderException>(() => factory.CreateValueProviderAsync(valueProviderContext));
+            Assert.Same(exception, ex.InnerException);
+        }
+
+        [Fact]
+        public async Task GetValueProviderAsync_ThrowsValueProviderException_IfReadingFormThrowsInvalidOperationException()
+        {
+            // Arrange
+            var exception = new IOException();
+            var valueProviderContext = CreateThrowingContext(exception);
+
+            var factory = new FormFileValueProviderFactory();
+
+            // Act & Assert
+            var ex = await Assert.ThrowsAsync<ValueProviderException>(() => factory.CreateValueProviderAsync(valueProviderContext));
+            Assert.Same(exception, ex.InnerException);
+        }
+
+        [Fact]
+        public async Task GetValueProviderAsync_ThrowsOriginalException_IfReadingFormThrows()
+        {
+            // Arrange
+            var exception = new TimeZoneNotFoundException();
+            var valueProviderContext = CreateThrowingContext(exception);
+
+            var factory = new FormFileValueProviderFactory();
+
+            // Act & Assert
+            var ex = await Assert.ThrowsAsync<TimeZoneNotFoundException>(() => factory.CreateValueProviderAsync(valueProviderContext));
+            Assert.Same(exception, ex);
+        }
+
+        private static ValueProviderFactoryContext CreateThrowingContext(Exception exception)
+        {
+            var context = new Mock<HttpContext>();
+            context.Setup(c => c.Request.ContentType).Returns("application/x-www-form-urlencoded");
+            context.Setup(c => c.Request.HasFormContentType).Returns(true);
+            context.Setup(c => c.Request.ReadFormAsync(It.IsAny<CancellationToken>())).ThrowsAsync(exception);
+            var actionContext = new ActionContext(context.Object, new RouteData(), new ActionDescriptor());
+            var valueProviderContext = new ValueProviderFactoryContext(actionContext);
+            return valueProviderContext;
+        }
+
         private static ValueProviderFactoryContext CreateContext(string contentType)
         {
             var context = new DefaultHttpContext();

src/Mvc/Mvc.Core/test/ModelBinding/FormValueProviderFactoryTest.cs

@@ -1,13 +1,17 @@
 // Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
+using System;
 using System.Collections.Generic;
 using System.Globalization;
+using System.IO;
+using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc.Abstractions;
 using Microsoft.AspNetCore.Routing;
 using Microsoft.Extensions.Primitives;
+using Moq;
 using Xunit;
 
 namespace Microsoft.AspNetCore.Mvc.ModelBinding.Test
@@ -47,6 +51,59 @@ public async Task GetValueProviderAsync_ReturnsValueProvider_WithCurrentCulture(
             Assert.Equal(CultureInfo.CurrentCulture, valueProvider.Culture);
         }
 
+        [Fact]
+        public async Task GetValueProviderAsync_ThrowsValueProviderException_IfReadingFormThrowsInvalidDataException()
+        {
+            // Arrange
+            var exception = new InvalidDataException();
+            var valueProviderContext = CreateThrowingContext(exception);
+
+            var factory = new FormValueProviderFactory();
+
+            // Act & Assert
+            var ex = await Assert.ThrowsAsync<ValueProviderException>(() => factory.CreateValueProviderAsync(valueProviderContext));
+            Assert.Same(exception, ex.InnerException);
+        }
+
+        [Fact]
+        public async Task GetValueProviderAsync_ThrowsValueProviderException_IfReadingFormThrowsInvalidOperationException()
+        {
+            // Arrange
+            var exception = new IOException();
+            var valueProviderContext = CreateThrowingContext(exception);
+
+            var factory = new FormValueProviderFactory();
+
+            // Act & Assert
+            var ex = await Assert.ThrowsAsync<ValueProviderException>(() => factory.CreateValueProviderAsync(valueProviderContext));
+            Assert.Same(exception, ex.InnerException);
+        }
+
+        [Fact]
+        public async Task GetValueProviderAsync_ThrowsOriginalException_IfReadingFormThrows()
+        {
+            // Arrange
+            var exception = new TimeZoneNotFoundException();
+            var valueProviderContext = CreateThrowingContext(exception);
+
+            var factory = new FormValueProviderFactory();
+
+            // Act & Assert
+            var ex = await Assert.ThrowsAsync<TimeZoneNotFoundException>(() => factory.CreateValueProviderAsync(valueProviderContext));
+            Assert.Same(exception, ex);
+        }
+
+        private static ValueProviderFactoryContext CreateThrowingContext(Exception exception)
+        {
+            var context = new Mock<HttpContext>();
+            context.Setup(c => c.Request.ContentType).Returns("application/x-www-form-urlencoded");
+            context.Setup(c => c.Request.HasFormContentType).Returns(true);
+            context.Setup(c => c.Request.ReadFormAsync(It.IsAny<CancellationToken>())).ThrowsAsync(exception);
+            var actionContext = new ActionContext(context.Object, new RouteData(), new ActionDescriptor());
+            var valueProviderContext = new ValueProviderFactoryContext(actionContext);
+            return valueProviderContext;
+        }
+
         private static ValueProviderFactoryContext CreateContext(string contentType)
         {
             var context = new DefaultHttpContext();