microsoft / ApplicationInsights-dotnet-server

Microsoft Application Insights for .NET Web Applications
https://azure.microsoft.com/services/application-insights/

[2.11.0-beta1] guard against malicious headers in quickpulse #1191

Closed TimothyMothra closed 5 years ago

TimothyMothra commented 5 years ago

Part 1: Cijo please review

In a previous SDL we introduced InjectionGuardConstants to protect from malicious values being injected into the SDK and causing memory overruns.

I found a place in QuickPulse not doing this check.

(For reference, see mseng bug 651018)

Part 2: Alex please review

QuickPulseServiceClient was retrieving an array of request headers but only using the First() value. I didn't want to do a length check on an entire array if only the first value would be used. I changed the implementation to only return the first element in an array.
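The pattern described in Parts 1 and 2, sketched as an added example that is not the SDK's code or part of this pull request: read only the first value of a response header and length-check that one value before using it. The `HeaderGuard` class, the `MaxHeaderValueLength` limit, the `x-sample-*` header names, and the choice to reject rather than truncate an oversized value are all assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;

public static class HeaderGuard
{
    // Hypothetical limit for this example; the SDK keeps its own limits in InjectionGuardConstants.
    public const int MaxHeaderValueLength = 1024;

    // Returns the first value of the named header, or null when the header is
    // absent, empty, or longer than maxLength. Later values are never inspected,
    // so only one string is ever length-checked.
    public static string GetFirstValueOrNull(HttpHeaders headers, string name,
                                             int maxLength = MaxHeaderValueLength)
    {
        if (headers == null || !headers.TryGetValues(name, out IEnumerable<string> values))
        {
            return null;
        }

        string first = values.FirstOrDefault();
        if (string.IsNullOrEmpty(first) || first.Length > maxLength)
        {
            return null; // assumption: reject instead of truncating
        }

        return first;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed response: a normal header, a multi-value header, an oversized header.
        using var response = new HttpResponseMessage();
        response.Headers.TryAddWithoutValidation("x-sample-subscribed", "true");
        response.Headers.TryAddWithoutValidation("x-sample-multi", new[] { "first", "second" });
        response.Headers.TryAddWithoutValidation("x-sample-etag", new string('A', 1_000_000));

        Console.WriteLine(HeaderGuard.GetFirstValueOrNull(response.Headers, "x-sample-subscribed"));
        Console.WriteLine(HeaderGuard.GetFirstValueOrNull(response.Headers, "x-sample-multi"));
        Console.WriteLine(HeaderGuard.GetFirstValueOrNull(response.Headers, "x-sample-etag") ?? "(rejected)");
        Console.WriteLine(HeaderGuard.GetFirstValueOrNull(response.Headers, "x-sample-missing") ?? "(absent)");
    }
}
```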

TimothyMothra commented 5 years ago

@cijothomas is it safe to merge this now? :)