Merge branch 'main' of https://git.stella-ops.org/stella-ops.org/git.stella-ops.org

src/Router/StellaOps.Gateway.WebService/Middleware/CorrelationIdMiddleware.cs

@@ -3,6 +3,7 @@ namespace StellaOps.Gateway.WebService.Middleware;
 public sealed class CorrelationIdMiddleware
 {
     public const string HeaderName = "X-Correlation-Id";
+    private const int MaxCorrelationIdLength = 128;
 
     private readonly RequestDelegate _next;
 
@@ -16,7 +17,18 @@ public sealed class CorrelationIdMiddleware
         if (context.Request.Headers.TryGetValue(HeaderName, out var headerValue) &&
             !string.IsNullOrWhiteSpace(headerValue))
         {
-            context.TraceIdentifier = headerValue.ToString();
+            var correlationId = headerValue.ToString();
+
+            // Validate correlation ID to prevent header injection and resource exhaustion
+            if (IsValidCorrelationId(correlationId))
+            {
+                context.TraceIdentifier = correlationId;
+            }
+            else
+            {
+                // Invalid correlation ID - generate a new one
+                context.TraceIdentifier = Guid.NewGuid().ToString("N");
+            }
         }
         else if (string.IsNullOrWhiteSpace(context.TraceIdentifier))
         {
@@ -27,4 +39,25 @@ public sealed class CorrelationIdMiddleware
 
         await _next(context);
     }
+
+    private static bool IsValidCorrelationId(string value)
+    {
+        // Enforce length limit
+        if (value.Length > MaxCorrelationIdLength)
+        {
+            return false;
+        }
+
+        // Check for valid characters (alphanumeric, dashes, underscores)
+        // Reject control characters, line breaks, and other potentially dangerous chars
+        foreach (var c in value)
+        {
+            if (!char.IsLetterOrDigit(c) && c != '-' && c != '_' && c != '.')
+            {
+                return false;
+            }
+        }
+
+        return true;
+    }
 }