Sanitize CorrelationId header before using it (#1067)

tnotheis · web-flow · commit 53a6a45e3e19 · 2025-03-04T10:52:21.000+01:00
* fix: remove leading and trailing whitespaces

* fix: remove line endings

* fix: limit length to 100

* chore: don't use IgnoreAntiforgeryToken for /connect/token endpoint
diff --git a/Applications/ConsumerApi/src/Controllers/AuthorizationController.cs b/Applications/ConsumerApi/src/Controllers/AuthorizationController.cs
@@ -34,7 +34,6 @@ public AuthorizationController(
     }
 
     [HttpPost("~/connect/token")]
-    [IgnoreAntiforgeryToken]
     [Produces("application/json")]
     [Consumes("application/x-www-form-urlencoded")]
     [AllowAnonymous]
diff --git a/BuildingBlocks/src/BuildingBlocks.API/Mvc/Middleware/CorrelationIdMiddleware.cs b/BuildingBlocks/src/BuildingBlocks.API/Mvc/Middleware/CorrelationIdMiddleware.cs
@@ -1,4 +1,5 @@
 ﻿using Backbone.BuildingBlocks.Infrastructure.CorrelationIds;
+using Backbone.Tooling.Extensions;
 using Microsoft.AspNetCore.Http;
 
 namespace Backbone.BuildingBlocks.API.Mvc.Middleware;
@@ -20,6 +21,10 @@ public async Task InvokeAsync(HttpContext context)
         {
             correlationId = CustomLogContext.GenerateCorrelationId();
         }
+        else
+        {
+            correlationId = correlationId.Trim().ReplaceLineEndings("").TruncateToXChars(100);
+        }
 
         context.Response.Headers["X-Correlation-ID"] = correlationId;
 
diff --git a/BuildingBlocks/src/Tooling/Extensions/StringExtensions.cs b/BuildingBlocks/src/Tooling/Extensions/StringExtensions.cs
@@ -22,6 +22,11 @@ public static bool MatchesRegex(this string text, string regexString)
         return regex.IsMatch(text);
     }
 
+    public static string TruncateToXChars(this string text, int maxLength)
+    {
+        return text[..Math.Min(text.Length, maxLength)];
+    }
+
     public static byte[] GetBytes(this string text)
     {
         return Encoding.UTF8.GetBytes(text);

Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,6 @@ public AuthorizationController(`
`34`	`34`	`}`
`35`	`35`
`36`	`36`	`[HttpPost("~/connect/token")]`
`37`		`- [IgnoreAntiforgeryToken]`
`38`	`37`	`[Produces("application/json")]`
`39`	`38`	`[Consumes("application/x-www-form-urlencoded")]`
`40`	`39`	`[AllowAnonymous]`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`using Backbone.BuildingBlocks.Infrastructure.CorrelationIds;`
	`2`	`+using Backbone.Tooling.Extensions;`
`2`	`3`	`using Microsoft.AspNetCore.Http;`
`3`	`4`
`4`	`5`	`namespace Backbone.BuildingBlocks.API.Mvc.Middleware;`
`@@ -20,6 +21,10 @@ public async Task InvokeAsync(HttpContext context)`
`20`	`21`	`{`
`21`	`22`	`correlationId = CustomLogContext.GenerateCorrelationId();`
`22`	`23`	`}`
	`24`	`+ else`
	`25`	`+ {`
	`26`	`+ correlationId = correlationId.Trim().ReplaceLineEndings("").TruncateToXChars(100);`
	`27`	`+ }`
`23`	`28`
`24`	`29`	`context.Response.Headers["X-Correlation-ID"] = correlationId;`
`25`	`30`
Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,11 @@ public static bool MatchesRegex(this string text, string regexString)`
`22`	`22`	`return regex.IsMatch(text);`
`23`	`23`	`}`
`24`	`24`
	`25`	`+ public static string TruncateToXChars(this string text, int maxLength)`
	`26`	`+ {`
	`27`	`+ return text[..Math.Min(text.Length, maxLength)];`
	`28`	`+ }`
	`29`	`+`
`25`	`30`	`public static byte[] GetBytes(this string text)`
`26`	`31`	`{`
`27`	`32`	`return Encoding.UTF8.GetBytes(text);`