Sanitize CorrelationId header before using it (#1067)

* fix: remove leading and trailing whitespaces

* fix: remove line endings

* fix: limit length to 100

* chore: don't use IgnoreAntiforgeryToken for /connect/token endpoint

Applications/ConsumerApi/src/Controllers/AuthorizationController.cs

@@ -34,7 +34,6 @@ public AuthorizationController(
     }
 
     [HttpPost("~/connect/token")]
-    [IgnoreAntiforgeryToken]
     [Produces("application/json")]
     [Consumes("application/x-www-form-urlencoded")]
     [AllowAnonymous]

BuildingBlocks/src/BuildingBlocks.API/Mvc/Middleware/CorrelationIdMiddleware.cs

@@ -1,4 +1,5 @@
 using Backbone.BuildingBlocks.Infrastructure.CorrelationIds;
+using Backbone.Tooling.Extensions;
 using Microsoft.AspNetCore.Http;
 
 namespace Backbone.BuildingBlocks.API.Mvc.Middleware;
@@ -20,6 +21,10 @@ public async Task InvokeAsync(HttpContext context)
         {
             correlationId = CustomLogContext.GenerateCorrelationId();
         }
+        else
+        {
+            correlationId = correlationId.Trim().ReplaceLineEndings("").TruncateToXChars(100);
+        }
 
         context.Response.Headers["X-Correlation-ID"] = correlationId;
 

BuildingBlocks/src/Tooling/Extensions/StringExtensions.cs

@@ -22,6 +22,11 @@ public static bool MatchesRegex(this string text, string regexString)
         return regex.IsMatch(text);
     }
 
+    public static string TruncateToXChars(this string text, int maxLength)
+    {
+        return text[..Math.Min(text.Length, maxLength)];
+    }
+
     public static byte[] GetBytes(this string text)
     {
         return Encoding.UTF8.GetBytes(text);