Fix HttpRequestExtensions.UnvalidatedGetHeader always returning empty string #3126
Merged
rajkumar-rangaraj merged 3 commits intomainfrom Feb 20, 2026
Merged
Fix HttpRequestExtensions.UnvalidatedGetHeader always returning empty string #3126rajkumar-rangaraj merged 3 commits intomainfrom
HttpRequestExtensions.UnvalidatedGetHeader always returning empty string #3126rajkumar-rangaraj merged 3 commits intomainfrom
Conversation
…ty string instead of the actual header value.
Contributor
There was a problem hiding this comment.
Pull request overview
Fixes a regression in Microsoft.ApplicationInsights.Web where HttpRequestExtensions.UnvalidatedGetHeader always returned string.Empty, causing callers to bypass ASP.NET’s Unvalidated accessor and lose header max-length enforcement.
Changes:
- Correct
UnvalidatedGetHeaderto return the actual header value and truncate it to a defined maximum length (1024). - Introduce
RequestTrackingConstants.RequestHeaderMaxLengthto centralize the header-length limit. - Add a test validating header truncation behavior and update the changelog.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| WEB/Src/Web/Web/Implementation/RequestTrackingConstants.cs | Adds a shared constant for request header max length. |
| WEB/Src/Web/Web/Implementation/HttpRequestExtensions.cs | Fixes UnvalidatedGetHeader return value and enforces max-length truncation. |
| WEB/Src/Web/Web.Tests/WebTestActivityProcessorTests.cs | Adds a unit test asserting truncation of oversized synthetic test headers. |
| CHANGELOG.md | Adds an Unreleased changelog entry for the fix. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
harsimar
approved these changes
Feb 20, 2026
harsimar
approved these changes
Feb 20, 2026
This was referenced Apr 2, 2026
Open
Closed
Open
This was referenced Apr 12, 2026
Open
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #3105
Changes
HttpRequestExtensions.UnvalidatedGetHeaderwas always returningstring.Emptyinstead of the actual header value. This caused all callers (e.g.,WebTestActivityProcessor,ClientIpHeaderActivityProcessor) to fall through to therequest.Headers[...]fallback path, bypassing ASP.NET'sUnvalidatedaccessor.Changes
HttpRequestExtensions.cs— FixedUnvalidatedGetHeaderto return the header value with max-length enforcement (1024 chars), matching the 2.x behavior.RequestTrackingConstants.cs— AddedRequestHeaderMaxLengthconstant.WebTestActivityProcessorTests.cs— Added test verifying header truncation at max length.2.x reference: https://github.com/microsoft/ApplicationInsights-dotnet/blob/2.x/WEB/Src/Web/Web/Implementation/HttpRequestExtensions.cs#L22