Add DashboardController with bounds-checked User-Agent parsing

[Copilot]

Implements admin dashboard endpoint to resolve P1 incident Q27IUX3O3X3EKP where malformed User-Agent strings caused IndexOutOfRangeException.

Implementation

New Controller: DashboardController

• /api/Dashboard/admin - Main endpoint with safe User-Agent extraction
• /api/Dashboard/health - Health check endpoint

Parsing Logic: ExtractCriticalSegment()

• Null/empty string validation before split
• Explicit bounds check on array access
• Length capping at 100 chars
• Defensive exception handlers for ArgumentOutOfRangeException/ArgumentException
• Returns "Unknown" for unparseable input rather than throwing

Error Handling:

• Generic 500 error messages (no internal details exposed)
• Multi-layer validation: null check → empty array check → trim validation

Test Coverage

14 unit tests covering edge cases:

• Null, empty, whitespace inputs
• Malformed strings (e.g., "///()", "@#$%")
• Length extremes (single char, 10KB strings)
• Common browser User-Agents

// Before: Would throw IndexOutOfRangeException
var segments = userAgent.Split('/');
return segments[0];  // Unsafe

// After: Defensive with fallback
if (segments.Length == 0) return "Unknown";
var segment = segments[0].Trim();
return string.IsNullOrEmpty(segment) ? "Unknown" : segment;

CodeQL: 0 alerts

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Runbook: Incident Q27IUX3O3X3EKP – orchardcorecmsweb2 Admin Page IndexOutOfRangeException</issue_title>
<issue_description>This issue tracks the runbook generated from PagerDuty incident Q27IUX3O3X3EKP and follow-ups for hardening and verification.

Links

• PagerDuty Incident: https://microsoft-sre-agent-test.pagerduty.com/incidents/Q27IUX3O3X3EKP

Incident Summary

• Priority: P1
• Urgency: high
• Title: orchardcorecmsweb2 - IndexOutOfRangeException resulting in Admin Page Breaking
• Created: 2026-01-17T23:05:23Z
• Updated: 2026-02-04T11:07:47Z
• Service: Test Service (PW921HP)
• Status (at time of runbook generation): triggered

Impact

• Admin dashboard became inaccessible for orchardcorecmsweb2 due to an unhandled IndexOutOfRangeException triggered by User-Agent parsing in DashboardController.ExtractCriticalSegment().

Detection / Trigger

• Alert from Security audit system / application errors raised an incident. The exception type and message recorded:
  • Exception Type: IndexOutOfRangeException
  • Message: Index was outside the bounds of the array
  • Source: Security audit system - User-Agent parsing failure
  • Component: DashboardController.ExtractCriticalSegment()
  • Timestamp: 2026-01-17 22:14:56.978

Timeline (key points)

• 2026-01-17 22:14:56.978: Exception thrown during request processing; admin page breaks.
• 2026-01-17 23:05:23Z: Incident created in PagerDuty (P1, high urgency).
• Subsequent: Temporary bypass of User-Agent parsing applied to restore access.
• Subsequent: Bounds checks and robust parsing added; fix deployed.

Root Cause Analysis

• AI-identified root cause: Unvalidated input parsing.
• Parsing logic assumes fixed structure and indexes into arrays/lists without bounds checks. Malformed/unexpected User-Agent strings cause out-of-range access and unhandled exceptions.

Diagnostics Performed

• Reviewed exception logs and component (DashboardController.ExtractCriticalSegment).
• Correlated failures with specific malformed User-Agent strings from the Security audit system context.
• Verified that bypassing the parsing removed the immediate failure.

Mitigation / Remediation Steps

1. Immediate mitigation: Temporarily bypass User-Agent parsing for affected requests to restore admin access.
2. Remediation: Add bounds checks and defensive parsing around array/list access in ExtractCriticalSegment(). Handle malformed or unexpected User-Agent formats gracefully.
3. Deployment: Redeploy the application with the parsing fix.

Verification / Validation

• After fix deployment, verify:
  • No IndexOutOfRangeException occurrences in logs for the component.
  • Admin dashboard loads successfully under various User-Agent inputs, including deliberately malformed cases.
  • Synthetic checks for admin routes succeed.

Current Status

• Incident currently reported as triggered in metadata but notes include a resolution entry; ensure production currently has the robust parsing deployed and monitored.

Follow-ups / Action Items

• Add unit tests covering boundary conditions for User-Agent parsing, including empty, extremely short, and corrupted values. Owner: Backend maintainers. Due: ASAP.
• Add structured validation utilities for request header parsing with length and null checks. Owner: Platform team. Due: ASAP.
• Create synthetic tests for admin endpoints with diverse User-Agent headers. Owner: QA/Testing. Due: ASAP.
• Add dashboards/alerts for exception rates on DashboardController.ExtractCriticalSegment. Owner: SRE/Observability. Due: ASAP.
• Post-incident review to confirm no similar unchecked indexing patterns exist in adjacent parsing code. Owner: Backend maintainers. Due: 1 week.

Notes

• PD note recorded: "Resolution Note: DONE" by Dheeraj Bandaru; reconcile with current deployment status.

Requested Labels

• incident, runbook, pagerduty, P1, cpu-app

Please use this issue to track completion of the follow-ups and link any PRs implementing the parsing fix and tests.

This issue was created by mrsharm-sri1111--3f136ed8
Tracked by the SRE agent here
</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Runbook: Incident Q27IUX3O3X3EKP – orchardcorecmsweb2 Admin Page IndexOutOfRangeException #133

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.