From 53a6a45e3e19115b64019adbac67a870c1d44908 Mon Sep 17 00:00:00 2001
From: Timo Notheisen <65653426+tnotheis@users.noreply.github.com>
Date: Tue, 4 Mar 2025 10:52:21 +0100
Subject: [PATCH] Sanitize CorrelationId header before using it (#1067)

* fix: remove leading and trailing whitespaces
* fix: remove line endings
* fix: limit length to 100
* chore: don't use IgnoreAntiforgeryToken for /connect/token endpoint
---
 .../ConsumerApi/src/Controllers/AuthorizationController.cs | 1 -
 .../Mvc/Middleware/CorrelationIdMiddleware.cs | 5 +++++
 BuildingBlocks/src/Tooling/Extensions/StringExtensions.cs | 5 +++++
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/Applications/ConsumerApi/src/Controllers/AuthorizationController.cs b/Applications/ConsumerApi/src/Controllers/AuthorizationController.cs
index 714f78ada7..7e395c0b1a 100644
--- a/Applications/ConsumerApi/src/Controllers/AuthorizationController.cs
+++ b/Applications/ConsumerApi/src/Controllers/AuthorizationController.cs
@@ -34,7 +34,6 @@ public AuthorizationController(
 }
 
 [HttpPost("~/connect/token")]
- [IgnoreAntiforgeryToken]
 [Produces("application/json")]
 [Consumes("application/x-www-form-urlencoded")]
 [AllowAnonymous]
diff --git a/BuildingBlocks/src/BuildingBlocks.API/Mvc/Middleware/CorrelationIdMiddleware.cs b/BuildingBlocks/src/BuildingBlocks.API/Mvc/Middleware/CorrelationIdMiddleware.cs
index 33704d5f3c..68b373d4cf 100644
--- a/BuildingBlocks/src/BuildingBlocks.API/Mvc/Middleware/CorrelationIdMiddleware.cs
+++ b/BuildingBlocks/src/BuildingBlocks.API/Mvc/Middleware/CorrelationIdMiddleware.cs
@@ -1,4 +1,5 @@
 using Backbone.BuildingBlocks.Infrastructure.CorrelationIds;
+ using Backbone.Tooling.Extensions;
 using Microsoft.AspNetCore.Http;
 
 namespace Backbone.BuildingBlocks.API.Mvc.Middleware;
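Review bot: Dropping `[IgnoreAntiforgeryToken]` from the anonymous, form-urlencoded `/connect/token` action only has an effect if an antiforgery filter (for example a globally registered `AutoValidateAntiforgeryTokenAttribute`) applies to MVC actions, and nothing in this hunk shows whether one does. If such a filter is registered, OAuth clients that POST to the token endpoint cannot supply an antiforgery token and will start receiving 400 responses; if none is, the attribute was a no-op and the removal is harmless, but the "chore:" line in the commit message gives no rationale either way. A one-line comment above the action, `// No antiforgery filter applies here: OAuth clients post form data without a token`, would record which case was verified. The action's signature and body continue outside the hunk.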
@@ -20,6 +21,10 @@ public async Task InvokeAsync(HttpContext context)
 {
 correlationId = CustomLogContext.GenerateCorrelationId();
 }
+ else
+ {
+ correlationId = correlationId.Trim().ReplaceLineEndings("").TruncateToXChars(100);
+ }
 
 context.Response.Headers["X-Correlation-ID"] = correlationId;
 
diff --git a/BuildingBlocks/src/Tooling/Extensions/StringExtensions.cs b/BuildingBlocks/src/Tooling/Extensions/StringExtensions.cs
index 547082d1d8..62d5436305 100644
--- a/BuildingBlocks/src/Tooling/Extensions/StringExtensions.cs
+++ b/BuildingBlocks/src/Tooling/Extensions/StringExtensions.cs
@@ -22,6 +22,11 @@ public static bool MatchesRegex(this string text, string regexString)
 return regex.IsMatch(text);
 }
 
+ public static string TruncateToXChars(this string text, int maxLength)
+ {
+ return text[..Math.Min(text.Length, maxLength)];
+ }
+
 public static byte[] GetBytes(this string text)
 {
 return Encoding.UTF8.GetBytes(text);
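Review bot: The sanitised value can become empty and then bypasses the fallback, because the new `else` branch runs after the emptiness check: a header consisting only of whitespace or line breaks passes whatever the `if` above tests (its condition is outside the hunk), is reduced to `""` by `Trim().ReplaceLineEndings("")`, and that empty string is then written to `X-Correlation-ID` and used as the correlation id. Sanitising before the check avoids this: `correlationId = correlationId?.Trim().ReplaceLineEndings("").TruncateToXChars(100);` followed by `if (string.IsNullOrEmpty(correlationId)) correlationId = CustomLogContext.GenerateCorrelationId();` (drop the `?.` if the variable is not nullable). Note also that `ReplaceLineEndings` removes only line-break sequences, so other control characters and arbitrary Unicode in the header still flow into the response header and into whatever logging context later consumes the id; if the id is only ever expected to be an opaque token, rejecting values that do not match a conservative character set and generating a fresh id instead is a clearer contract than stripping. InvokeAsync starts and ends outside the hunk.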
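Review bot: `TruncateToXChars` throws on inputs its name does not suggest it rejects: a null `text` produces a `NullReferenceException` from the range indexer rather than an `ArgumentNullException`, and a negative `maxLength` makes `Math.Min` negative so the slice throws `ArgumentOutOfRangeException` with a message about the index rather than the parameter. Guards plus a doc comment would make the contract explicit: `ArgumentNullException.ThrowIfNull(text);` and `ArgumentOutOfRangeException.ThrowIfNegative(maxLength);` (the latter needs .NET 8; otherwise an explicit `if`), with the body reduced to `return text.Length <= maxLength ? text : text[..maxLength];`. Cutting at a UTF-16 index can also split a surrogate pair, which is fine for the correlation-id use but worth stating in the `<summary>` so callers do not apply it to user-visible text. Only this method is fully inside the hunk; the class continues on both sides.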