microsoft · TimothyMothra · Jun 19, 2019 · May 15, 2019 · May 15, 2019 · May 16, 2019
diff --git a/Src/Common/InjectionGuardConstants.cs b/Src/Common/InjectionGuardConstants.cs
@@ -50,5 +50,10 @@ static class InjectionGuardConstants
         /// Max number of key value pairs in the tracestate header.
         /// </summary>
         public const int TraceStateMaxPairs = 32;
+
+        /// <summary>
+        /// Max length of incoming Response Header value allowed.
+        /// </summary>
+        public const int QuickPulseResponseHeaderHeaderMaxLength = 1024;
     }
 }
diff --git a/...nceCollector/Perf.Shared.NetStandard/Implementation/QuickPulse/QuickPulseServiceClient.cs b/...nceCollector/Perf.Shared.NetStandard/Implementation/QuickPulse/QuickPulseServiceClient.cs
@@ -178,8 +178,7 @@ public void Dispose()
         {
             configurationInfo = null;
 
-            bool isSubscribed;
-            if (!bool.TryParse(response.Headers.GetValuesSafe(QuickPulseConstants.XMsQpsSubscribedHeaderName).FirstOrDefault(), out isSubscribed))
+            if (!bool.TryParse(response.Headers.GetValueSafe(QuickPulseConstants.XMsQpsSubscribedHeaderName), out bool isSubscribed))
             {
                 // could not parse the isSubscribed value
 
@@ -198,10 +197,10 @@ public void Dispose()
 
             foreach (string headerName in QuickPulseConstants.XMsQpsAuthOpaqueHeaderNames)
             {
-                this.authOpaqueHeaderValues[headerName] = response.Headers.GetValuesSafe(headerName).FirstOrDefault();
+                this.authOpaqueHeaderValues[headerName] = response.Headers.GetValueSafe(headerName);
             }
 
-            string configurationETagHeaderValue = response.Headers.GetValuesSafe(QuickPulseConstants.XMsQpsConfigurationETagHeaderName).FirstOrDefault();
+            string configurationETagHeaderValue = response.Headers.GetValueSafe(QuickPulseConstants.XMsQpsConfigurationETagHeaderName);
 
             try
             {

diff --git a/...ector/Perf.Shared.NetStandard/Implementation/QuickPulse/QuickPulseServiceClientHelpers.cs b/...ector/Perf.Shared.NetStandard/Implementation/QuickPulse/QuickPulseServiceClientHelpers.cs
@@ -1,18 +1,22 @@
 namespace Microsoft.ApplicationInsights.Extensibility.PerfCounterCollector.Implementation.QuickPulse
 {
-    using System.Collections.Generic;
+    using System.Linq;
     using System.Net.Http.Headers;
-    using Microsoft.ApplicationInsights.Common;
+    using Microsoft.ApplicationInsights.Common.Internal;
 
     internal static class QuickPulseServiceClientHelpers
     {
-        private static readonly string[] emptyResult = ArrayExtensions.Empty<string>();
-
-        public static IEnumerable<string> GetValuesSafe(this HttpResponseHeaders headers, string name)
+        public static string GetValueSafe(this HttpHeaders headers, string name)
         {
-            IEnumerable<string> result = (headers?.Contains(name) ?? false) ? headers.GetValues(name) : emptyResult;
+            string value = default(string);
 
-            return result;
+            if (headers?.Contains(name) ?? false)
+            {
+                value = headers.GetValues(name).First();
+                value = StringUtilities.EnforceMaxLength(value, InjectionGuardConstants.QuickPulseResponseHeaderHeaderMaxLength);
+            }
+
+            return value;
         }
     }
 }
diff --git a/Src/PerformanceCollector/Perf.Shared.Tests/Perf.Shared.Tests.projitems b/Src/PerformanceCollector/Perf.Shared.Tests/Perf.Shared.Tests.projitems
@@ -50,6 +50,9 @@
     <Compile Include="$(MSBuildThisFileDirectory)WebAppPerformanceCollector\RatioCounterTests.cs" />
     <Compile Include="$(MSBuildThisFileDirectory)WebAppPerformanceCollector\SumUpCountersGaugeTests.cs" />
   </ItemGroup>
+  <ItemGroup Condition="'$(TargetFramework)' == 'netcoreapp1.0' OR '$(TargetFramework)' == 'netcoreapp2.0'">
+    <Compile Include="$(MSBuildThisFileDirectory)QuickPulse\QuickPulseServiceClientHelpersTests.cs" />
+  </ItemGroup>
   <ItemGroup>
     <None Include="$(MSBuildThisFileDirectory)WebAppPerformanceCollector\SampleFiles\RemoteEnvironmentVariablesAllSampleOne.json">
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>

diff --git a/Src/PerformanceCollector/Perf.Shared.Tests/QuickPulse/QuickPulseServiceClientHelpersTests.cs b/Src/PerformanceCollector/Perf.Shared.Tests/QuickPulse/QuickPulseServiceClientHelpersTests.cs
@@ -0,0 +1,79 @@
+namespace Microsoft.ApplicationInsights.Extensibility.PerfCounterCollector.Tests.QuickPulse
+{
+    using System.Net.Http.Headers;
+    using Microsoft.ApplicationInsights.Common.Internal;
+    using Microsoft.ApplicationInsights.Extensibility.PerfCounterCollector.Implementation.QuickPulse;
+    using Microsoft.VisualStudio.TestTools.UnitTesting;
+
+    [TestClass]
+    public class QuickPulseServiceClientHelpersTests
+    {
+        private const int QuickPulseResponseHeaderHeaderMaxLength = InjectionGuardConstants.QuickPulseResponseHeaderHeaderMaxLength;
+        private const string SecretString = "12345abcd";
+        private const string HeaderName = "myheader";
+        private const string FakeHeaderName = "fake";
+
+        [TestMethod]
+        public void VerifyHeaderGetValue()
+        {
+            // setup
+            var headers = new TestHttpHeaders();
+            foreach (string headerName in QuickPulseConstants.XMsQpsAuthOpaqueHeaderNames)
+            {
+                headers.Add(headerName, headerName + SecretString);
+            }
+
+            // assert
+            foreach (string headerName in QuickPulseConstants.XMsQpsAuthOpaqueHeaderNames)
+            {
+                var value = headers.GetValueSafe(headerName);
+                Assert.AreEqual(headerName + SecretString, value);
+            }
+        }
+
+        [TestMethod]
+        public void VerifyHeaderGetValues()
+        {
+            // setup
+            var headers = new TestHttpHeaders();
+            headers.Add(HeaderName, "one");
+            headers.Add(HeaderName, "two");
+            headers.Add(HeaderName, "three");
+
+            // assert
+            var result = headers.GetValueSafe(HeaderName);
+            Assert.AreEqual("one", result);
+
+            var result2 = headers.GetValueSafe(FakeHeaderName);
+            Assert.AreEqual(default(string), result2);
+        }
+
+        [TestMethod]
+        public void VerifyHeadersLengthIsProtected()
+        {
+            // setup
+            var headers = new TestHttpHeaders();
+            headers.Add(HeaderName, new string('*', QuickPulseResponseHeaderHeaderMaxLength));
+
+            // assert
+            var result = headers.GetValueSafe(HeaderName);
+            Assert.AreEqual(QuickPulseResponseHeaderHeaderMaxLength, result.Length);
+        }
+
+        [TestMethod]
+        public void VerifyInvalidHeadersLengthIsProtected()
+        {
+            // setup
+            var headers = new TestHttpHeaders();
+            headers.Add(HeaderName, new string('*', QuickPulseResponseHeaderHeaderMaxLength + 1));
+
+            // assert
+            var result = headers.GetValueSafe(HeaderName);
+            Assert.AreEqual(QuickPulseResponseHeaderHeaderMaxLength, result.Length);
+        }
+
+        private class TestHttpHeaders : HttpHeaders
+        {
+        }
+    }
+}