This repository was archived by the owner on Jun 10, 2020. It is now read-only.
Enforce limits of values read from incoming headers and app id lookup#608
Merged
cijothomas merged 13 commits into develop on Feb 28, 2018
Conversation
…nary(). Added Common classes and methods to support changes.
…as several protection including preventing unlimited retries etc
cijothomas commented on Feb 27, 2018
| /// <summary> | ||
| /// Max length of context header key. | ||
| /// </summary> | ||
| public const int ContextHeaderKeyMaxLength = 50; |
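Review bot: the XML doc comment on ContextHeaderKeyMaxLength only restates the name; it should record why 50 was chosen and what the SDK does with a key that exceeds it (ignore the header, or truncate the key), since neither is visible from the declaration and a future reader will otherwise have to dig through the PR discussion.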
Contributor
Author
I picked 50. Not sure if there is a genuine need of a key longer than this.
cijothomas commented on Feb 27, 2018
| /// <summary> | ||
| /// Max length of context header value. | ||
| /// </summary> | ||
| public const int ContextHeaderValueMaxLength = 100; |
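Review bot: ContextHeaderValueMaxLength = 100 is an order of magnitude below the 1Kb guidance the reviewer cites for the comparable RequestHeaderMaxLength; either align the two limits or document in the summary why context header values get a tighter bound, so the discrepancy does not look accidental.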
Contributor
Author
I picked 100. Not sure if there is a genuine need of a value longer than this.
@SergeyKanzhelev's guidance for WebSDK was to allow up to 1Kb. I made the same change above to RequestHeaderMaxLength.
Consider if that is appropriate for here as well.
I'm approving these changes. Most everything was copied verbatim from microsoft/ApplicationInsights-dotnet-server#810
TimothyMothra approved these changes on Feb 28, 2018
Addresses security concerns about a malicious user attempting to send requests with unreasonably large request headers. As the SDK reads these values and stores them locally or makes them part of telemetry items, they can cause undesirable effects such as high memory or CPU usage.
This attempts to enforce limits on values read from outside requests/responses.
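As an added illustration of the limit-enforcement idea this PR describes (example code, not the SDK's own implementation), a small C# helper that parses an untrusted correlation header of comma-separated key=value pairs, rejects the header outright if it exceeds an overall cap, and drops any pair whose key or value exceeds the key/value limits from this PR. The class and method names, the 1024 value for RequestHeaderMaxLength, and the key=value header format are assumptions.

```csharp
using System;
using System.Collections.Generic;

// Added example (not the SDK's code): bounded parsing of an untrusted
// header so oversized input cannot inflate memory or CPU in the SDK.
public static class BoundedHeaderReader
{
    // Key and value limits are the values chosen in this PR;
    // the overall header cap of 1024 is an assumption for this example.
    public const int ContextHeaderKeyMaxLength = 50;
    public const int ContextHeaderValueMaxLength = 100;
    public const int RequestHeaderMaxLength = 1024;

    // Parses "key=value,key2=value2" and returns only the pairs within limits.
    // A header longer than RequestHeaderMaxLength is ignored entirely rather
    // than truncated, so no partial value from oversized input is ever stored.
    public static IDictionary<string, string> ReadContextHeader(string headerValue)
    {
        var result = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        if (string.IsNullOrEmpty(headerValue) || headerValue.Length > RequestHeaderMaxLength)
        {
            return result;
        }

        foreach (var pair in headerValue.Split(','))
        {
            int eq = pair.IndexOf('=');
            if (eq <= 0) continue;                       // malformed pair, skip it
            string key = pair.Substring(0, eq).Trim();
            string value = pair.Substring(eq + 1).Trim();
            if (key.Length > ContextHeaderKeyMaxLength) continue;     // oversized key
            if (value.Length > ContextHeaderValueMaxLength) continue; // oversized value
            if (!result.ContainsKey(key))
            {
                result[key] = value;                     // first occurrence wins
            }
        }
        return result;
    }

    public static void Main()
    {
        // Constructed sample: one acceptable pair followed by a pair whose value
        // is far over ContextHeaderValueMaxLength; only the first one survives.
        string header = "appId=cid-v1:sample,padding=" + new string('x', 500);
        var parsed = ReadContextHeader(header);
        Console.WriteLine("pairs kept: " + parsed.Count);
        Console.WriteLine("appId: " + parsed["appId"]);
    }
}
```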
For significant contributions please make sure you have completed the following items:
Changes in public surface reviewed
Design discussion issue #
CHANGELOG.md updated with one line description of the fix, and a link to the original issue.
The PR will trigger build, unit tests, and functional tests automatically. If your PR was submitted from fork - mention one of committers to initiate the build for you.
If you want to re-run the build/tests, the easiest way is to simply Close and Re-Open this same PR. (Just click 'close pull request' followed by 'open pull request' buttons at the bottom of the PR)
Please follow [these](https://github.com/Microsoft/ApplicationInsights-aspnetcore/blob/develop/Readme.md) instructions to build and test locally.