open-telemetry
/
opentelemetry-go
mirror of https://github.com/open-telemetry/opentelemetry-go.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix(baggage): validate chars panic with 0x80 (#5494) 

The validation rule for baggage key/values chars has a N+1 problem with
the unicode value: `0x80`.

For instance, `baggage.NewMemberRaw` could be called with a string value
including the rune `128` and return no error.

Then `baggage.New` would panic on `validateValueChar`:
```
=== RUN   TestValidateValueChar
--- FAIL: TestValidateValueChar (0.00s)
panic: runtime error: index out of range [128] with length 128 [recovered]
	panic: runtime error: index out of range [128] with length 128
```

---------

Co-authored-by: Sam Xie <sam@samxie.me>
This commit is contained in:
Fabio Bozzo 2024-06-17 18:03:57 +02:00 committed by GitHub
parent e451d1fa3c
commit 478f85bb15
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 5 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@ -38,6 +38,7 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
- Document instrument name requirements in `go.opentelemetry.io/otel/metric`. (#5435)
- Prevent random number generation data-race for experimental rand exemplars in `go.opentelemetry.io/otel/sdk/metric`. (#5456)
- Fix counting number of dropped attributes of `Record` in `go.opentelemetry.io/otel/sdk/log`. (#5464)
- Fix panic in baggage creation when a member contains 0x80 char in key or value. (#5494)
## [1.27.0/0.49.0/0.3.0] 2024-05-21

4
baggage/baggage.go
View File

@ -735,7 +735,7 @@ func validateKey(s string) bool {
}
func validateKeyChar(c int32) bool {
return c >= 0 && c <= int32(utf8.RuneSelf) && safeKeyCharset[c]
return c >= 0 && c < int32(utf8.RuneSelf) && safeKeyCharset[c]
}
func validateValue(s string) bool {
@ -850,7 +850,7 @@ var safeValueCharset = [utf8.RuneSelf]bool{
}
func validateValueChar(c int32) bool {
return c >= 0 && c <= int32(utf8.RuneSelf) && safeValueCharset[c]
return c >= 0 && c < int32(utf8.RuneSelf) && safeValueCharset[c]
}
// valueEscape escapes the string so it can be safely placed inside a baggage value,

4
baggage/baggage_test.go
View File

@ -31,7 +31,7 @@ func TestValidateKeyChar(t *testing.T) {
'\x10', '\x11', '\x12', '\x13', '\x14', '\x15', '\x16', '\x17',
'\x18', '\x19', '\x1A', '\x1B', '\x1C', '\x1D', '\x1E', '\x1F', ' ',
'(', ')', '<', '>', '@', ',', ';', ':', '\\', '"', '/', '[', ']', '?',
'=', '{', '}', '\x7F', 2 >> 20,
'=', '{', '}', '\x7F', 2 >> 20, '\x80',
}
for _, ch := range invalidKeyRune {
@ -46,7 +46,7 @@ func TestValidateValueChar(t *testing.T) {
'\x08', '\x09', '\x0A', '\x0B', '\x0C', '\x0D', '\x0E', '\x0F',
'\x10', '\x11', '\x12', '\x13', '\x14', '\x15', '\x16', '\x17',
'\x18', '\x19', '\x1A', '\x1B', '\x1C', '\x1D', '\x1E', '\x1F', ' ',
'"', ',', ';', '\\', '\x7F',
'"', ',', ';', '\\', '\x7F', '\x80',
}
for _, ch := range invalidValueRune {