
Add security guidance for user-specified capacity in collections#12415

Open
Copilot wants to merge 3 commits into main from copilot/handle-user-capacity-in-collections

Conversation

Contributor

Copilot AI commented Mar 17, 2026

Passing untrusted user input directly as capacity to collection constructors or EnsureCapacity can enable denial-of-service via excessive memory allocation. Adds [!CAUTION] remarks to the affected APIs recommending safer patterns.

Affected APIs

Constructors (int capacity overload):

  • List<T>, Dictionary<TKey,TValue>, HashSet<T>, Queue<T>, ArrayList

EnsureCapacity(int capacity) methods:

  • List<T>, Dictionary<TKey,TValue>, HashSet<T>, Queue<T>

Guidance added

Each caution note recommends:

  1. Prefer the parameterless constructor — let the collection resize naturally as elements are added.
  2. If a user-supplied value must be used, clamp it to a safe ceiling:
    new List<T>(Math.Clamp(untrustedValue, 0, 20))
  3. Alternatively, verify that the actual element count matches the claimed capacity before passing it.

EnsureCapacity methods that previously had `To be added.` remarks now include a full `## Remarks` section with the caution.

Original prompt

This section details the original issue you should resolve

<issue_title>Handling user specified capacity in collections</issue_title>
<issue_description>### Describe the issue or suggestion

The documentation for collections accepting a capacity value should contain some remarks about user specified values.

If the capacity is user specified, prefer to let the collection resize itself when adding elements instead of specifying a capacity in the constructor or EnsureCapacity. If this is not possible, then it is good practice to validate the value before passing it to the constructor or EnsureCapacity. Two options are:

  • Clamp the capacity to a small safe value and allow the list to dynamically grow as items are added. For example, use Math.Clamp(untrustedValue, 0, 20) to limit the initial creation to no more than 20 entries. The list will naturally expand if more than 20 entries are added.
  • Verify that the number of list elements really does match the claimed capacity. Use caution not to introduce vulnerable backtracking logic when doing so.

The collections that have an EnsureCapacity:

  • List<T>
  • Dictionary<TKey, TValue>
  • HashSet<T>
  • Queue<T>
  • ArrayList

Associated WorkItem - 558455</issue_description>

Comments on the Issue (you are @copilot in this section)


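The three-step guidance in the PR description and the issue above (prefer natural growth; otherwise clamp the claimed size, or verify it against the data before using it) as an added worked example in C#. This is not code from the PR or from the .NET documentation. It assumes a hypothetical wire format (a little-endian int32 element count followed by that many int32 values); the `CapacityGuidance` class, its methods and the `MaxInitialCapacity` ceiling are names made up for the example, and the payload bytes are constructed inline.

```csharp
using System;
using System.Buffers.Binary;
using System.Collections.Generic;

// Added example, not code from the PR or the .NET docs. Assumed wire format:
// int32 count (little-endian) followed by `count` int32 values.
static class CapacityGuidance
{
    const int HeaderSize = sizeof(int);
    const int ElementSize = sizeof(int);

    // Ceiling for the clamp pattern, matching the docs' Math.Clamp(x, 0, 20).
    // The right ceiling depends on element size and the expected workload.
    const int MaxInitialCapacity = 20;

    // Vulnerable pattern: the attacker-controlled count sizes the allocation
    // before a single element has been validated.
    public static List<int> ReadUnsafe(ReadOnlySpan<byte> payload)
    {
        int claimed = BinaryPrimitives.ReadInt32LittleEndian(payload);
        var list = new List<int>(claimed);   // allocates claimed * 4 bytes up front
        AppendElements(payload, list, claimed);
        return list;
    }

    // Option 1 (clamp): the claim only bounds the initial buffer, to at most
    // MaxInitialCapacity entries; the list grows on its own beyond that.
    public static List<int> ReadClamped(ReadOnlySpan<byte> payload)
    {
        int claimed = BinaryPrimitives.ReadInt32LittleEndian(payload);
        var list = new List<int>(Math.Clamp(claimed, 0, MaxInitialCapacity));
        AppendElements(payload, list, claimed);
        return list;
    }

    // Option 2 (verify): prove the count matches the bytes present before
    // using it as capacity. One arithmetic comparison, no per-element scan.
    public static bool TryReadVerified(ReadOnlySpan<byte> payload, out List<int>? result)
    {
        result = null;
        if (payload.Length < HeaderSize) return false;
        int claimed = BinaryPrimitives.ReadInt32LittleEndian(payload);
        // long arithmetic so a huge claim cannot overflow into a small number.
        long expectedLength = HeaderSize + (long)claimed * ElementSize;
        if (claimed < 0 || expectedLength != payload.Length) return false;
        result = new List<int>(claimed);     // the count is now known to be real
        AppendElements(payload, result, claimed);
        return true;
    }

    // Reads `count` elements, refusing to read past the end of the payload.
    static void AppendElements(ReadOnlySpan<byte> payload, List<int> target, int count)
    {
        for (int i = 0; i < count; i++)
        {
            int offset = HeaderSize + i * ElementSize;
            if (offset + ElementSize > payload.Length)
                throw new FormatException($"payload ends after {i} of {count} claimed elements");
            target.Add(BinaryPrimitives.ReadInt32LittleEndian(payload.Slice(offset)));
        }
    }

    // Builds a payload whose header may lie about the number of values present.
    public static byte[] BuildPayload(int claimedCount, params int[] values)
    {
        var buffer = new byte[HeaderSize + values.Length * ElementSize];
        BinaryPrimitives.WriteInt32LittleEndian(buffer, claimedCount);
        for (int i = 0; i < values.Length; i++)
            BinaryPrimitives.WriteInt32LittleEndian(buffer.AsSpan(HeaderSize + i * ElementSize), values[i]);
        return buffer;
    }

    static void Main()
    {
        byte[] honest = BuildPayload(3, 10, 20, 30);        // constructed: header matches body
        byte[] hostile = BuildPayload(int.MaxValue);         // constructed: 4 bytes claiming 2^31-1 elements

        Console.WriteLine($"clamped/honest: {ReadClamped(honest).Count} elements");
        bool verified = TryReadVerified(honest, out var ok);
        Console.WriteLine($"verified/honest: {verified}, {ok?.Count} elements");
        Console.WriteLine($"verified/hostile: {TryReadVerified(hostile, out _)}");

        try { ReadClamped(hostile); }
        catch (FormatException e) { Console.WriteLine($"clamped/hostile: {e.Message}"); }

        try { ReadUnsafe(hostile); }
        catch (OutOfMemoryException) { Console.WriteLine("unsafe/hostile: OutOfMemoryException before any element was read"); }
        // A claim small enough for the allocation to succeed is worse in
        // practice: the memory is committed and held until the parse fails.
    }
}
```

The verify path accepts the claimed count only after comparing `HeaderSize + claimed * ElementSize` with the payload length, so the check costs one comparison and introduces none of the backtracking the issue warns about. The clamp path never allocates more than `MaxInitialCapacity` entries up front no matter what the header says; the same `Math.Clamp` call applies unchanged when the value is passed to `EnsureCapacity` on the collections the PR covers.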

@github-actions github-actions bot added the needs-area-label An area label is needed to ensure this gets routed to the appropriate area owners label Mar 18, 2026
Co-authored-by: gewarren <24882762+gewarren@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Update documentation for user specified capacity in collections" to "Add security guidance for user-specified capacity in collections" Mar 18, 2026
Copilot AI requested a review from gewarren March 18, 2026 00:03
@github-actions github-actions bot added area-System.Collections and removed needs-area-label An area label is needed to ensure this gets routed to the appropriate area owners labels Mar 18, 2026
@dotnet-policy-service
Contributor

Tagging subscribers to this area: @dotnet/area-system-collections

This constructor is an `O(n)` operation, where `n` is `capacity`.

> [!CAUTION]
> If `capacity` comes from user input, prefer using the parameterless constructor and letting the collection resize as elements are added. If you must use a user-specified value, either clamp it to a reasonable limit (for example, `Math.Clamp(untrustedValue, 0, 20)`) or verify that the element count matches the specified value.
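Review bot: the caution states the recommendation but not the reason, and the sentence just above it already supplies the hook: the constructor is `O(n)` in `capacity` because it allocates storage for that many elements immediately. Add a clause such as "because storage for `capacity` elements is allocated up front, an attacker-controlled value can force a large allocation" so the reader knows why the parameterless constructor is preferred rather than taking it on faith.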
Contributor


@copilot Please only use a single space after the > character in a note block.

Contributor Author


Fixed in dbbe727 — all 9 CAUTION content lines now use a single space after >.

Co-authored-by: gewarren <24882762+gewarren@users.noreply.github.com>
Copilot AI requested a review from gewarren March 18, 2026 21:36
@gewarren gewarren marked this pull request as ready for review March 18, 2026 22:58
@gewarren gewarren requested a review from a team as a code owner March 18, 2026 22:58
@gewarren gewarren enabled auto-merge (squash) March 18, 2026 22:58
Contributor

Copilot AI left a comment


Pull request overview

Adds security-focused documentation guidance warning against passing untrusted user input as capacity to collection constructors or EnsureCapacity, helping reduce potential denial-of-service risks from excessive allocation.

Changes:

  • Add [!CAUTION] callouts to capacity-accepting constructors for several collections.
  • Replace placeholder To be added. remarks on EnsureCapacity(int) with a full markdown remarks section including the caution guidance.
  • Keep the guidance consistent across affected APIs (prefer natural growth, clamp, or validate claimed size).

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| xml/System.Collections/ArrayList.xml | Adds CAUTION guidance to the ArrayList(int capacity) constructor remarks. |
| xml/System.Collections.Generic/Queue`1.xml | Adds CAUTION guidance to Queue(int capacity) and documents EnsureCapacity(int) remarks. |
| xml/System.Collections.Generic/List`1.xml | Adds CAUTION guidance to List(int capacity) and documents EnsureCapacity(int) remarks. |
| xml/System.Collections.Generic/HashSet`1.xml | Adds CAUTION guidance to HashSet(int capacity) and documents EnsureCapacity(int) remarks. |
| xml/System.Collections.Generic/Dictionary`2.xml | Adds CAUTION guidance to Dictionary(int capacity) and documents EnsureCapacity(int) remarks. |


Comment on lines +529 to +530
> [!CAUTION]
> If `capacity` comes from user input, prefer using a constructor without a capacity parameter and letting the collection resize as elements are added. If you must use a user-specified value, either clamp it to a reasonable limit (for example, `Math.Clamp(untrustedValue, 0, 20)`) or verify that the element count matches the specified value.
Since resizes are relatively expensive (require rehashing), this attempts to minimize the need to resize by setting the initial capacity based on the value of the `capacity`.
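Review bot: the new caution at lines +529 to +530 lands before the existing sentence "Since resizes are relatively expensive (require rehashing), this attempts to minimize the need to resize ...", so the reader is warned off the parameter before being told what it is for. Move the caution below that sentence, which is also where the other rehash-based constructor remark in this PR places it.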

> [!CAUTION]
> If `capacity` comes from user input, prefer using the parameterless constructor and letting the collection resize as elements are added. If you must use a user-specified value, either clamp it to a reasonable limit (for example, `Math.Clamp(untrustedValue, 0, 20)`) or verify that the element count matches the specified value.
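Review bot: "verify that the element count matches the specified value" does not say which element count. At construction time the collection is empty, so the only count available is the number of items the caller is about to add, for example the length of an already-materialized array or the number of bytes actually present in a message. State that explicitly, otherwise the reader cannot tell what to compare the capacity against.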


> [!CAUTION]
> If `capacity` comes from user input, prefer using a constructor without a capacity parameter and letting the collection resize as elements are added. If you must use a user-specified value, either clamp it to a reasonable limit (for example, `Math.Clamp(untrustedValue, 0, 20)`) or verify that the element count matches the specified value.
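Review bot: `Math.Clamp(untrustedValue, 0, 20)` is offered as the example ceiling in every file this PR touches with no indication that `20` is illustrative, and example values in reference docs get copied verbatim. Add a clause that the upper bound should be chosen from the element size and the number of items the code realistically expects, and note that the lower bound of `0` is what turns a negative input into a safe value.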
## Remarks

> [!CAUTION]
> If `capacity` comes from user input, prefer letting the collection resize itself as elements are added instead of calling this method. If you must use a user-specified value, either clamp it to a reasonable limit (for example, `Math.Clamp(untrustedValue, 0, 20)`) or verify that the element count matches the specified value.
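Review bot: the new `## Remarks` section for `EnsureCapacity` consists only of the caution; the "To be added." placeholder is gone, but the method's own behaviour is still not described. Lead with a sentence on what the method does with `capacity`, then give the caution, so the warning is not the only thing the reader learns about the method.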
Since resizes are relatively expensive (require rehashing), this attempts to minimize the need to resize by setting the initial capacity based on the value of the `capacity`.

> [!CAUTION]
> If `capacity` comes from user input, prefer using the parameterless constructor and letting the collection resize as elements are added. If you must use a user-specified value, either clamp it to a reasonable limit (for example, `Math.Clamp(untrustedValue, 0, 20)`) or verify that the element count matches the specified value.
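Review bot: here the caution follows the "Since resizes are relatively expensive ..." sentence, whereas the hunk at lines +529 to +530 places an equivalent caution before the same sentence. Pick one placement (after the explanatory sentence reads better) and apply it to both files so the two remarks sections are consistent.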
Successfully merging this pull request may close these issues.

Handling user specified capacity in collections

3 participants