fix: truncate baggage/tag values to prevent metrics cardinality explosion

[SajanGhimire1]

Problem

SendActivityMetric() writes W3C baggage header values
directly into metrics tag dimensions without any length
validation:

// Before fix — no length check
tagList.Add(dimension, baggageItem);

In distributed systems, baggage propagates across service
boundaries via HTTP headers. If baggage values are externally
controlled (e.g. user-supplied correlation IDs), each unique
value creates a new permanent time series in the metrics backend.

This can cause:

• Metrics cardinality explosion
• Metrics backend memory exhaustion
• Loss of observability (alerts stop firing)
• Unexpected Azure Monitor cost spikes

Same class of issue as GHSA-rcjv-mgp8-qvmr in
OpenTelemetry-Go, which was assigned a CVE.

Fix

Added MaxMetricTagValueLength = 256 constant and truncate
both baggage values and tag object values before writing
to metrics dimensions.

// After fix — length capped
tagList.Add(dimension, baggageItem.Length > MaxMetricTagValueLength
    ? baggageItem[..MaxMetricTagValueLength]
    : baggageItem);

Impact of Fix

• Prevents unbounded time series growth
• Preserves legitimate low-cardinality usage
• No breaking change to existing behavior

References

• GHSA-rcjv-mgp8-qvmr (same class, OpenTelemetry-Go)
• CWE-400: Uncontrolled Resource Consumption
• https://opentelemetry.io/docs/languages/dotnet/metrics/best-practices/

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds defensive truncation for Activity baggage/tag values before emitting metric dimensions to help reduce risk from unbounded external inputs.

Changes:

• Introduced MaxMetricTagValueLength constant for tag value length limits
• Truncated W3C baggage-derived metric tag values before adding to TagList
• Converted Activity tag values to strings and truncated before adding to TagList