Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: enforce w3c trace context value validation #777

Merged
merged 5 commits into from
Dec 5, 2021
Merged

fix: enforce w3c trace context value validation #777

merged 5 commits into from
Dec 5, 2021

Conversation

minherz
Copy link
Contributor

@minherz minherz commented Dec 3, 2021

Validates length and characters of the w3c trace context value. See W3C standard for more details.
Refactor unit testing to bring invalid w3c trace context tests to separate file.

Fixes #774

@minherz
fix: enforce w3c trace context value validation
885b7a9 
validate length and characters of the w3c trace context value.
see https://www.w3.org/TR/trace-context/#traceparent-header-field-values
refactor unit testing to bring invalid w3c trace context tests to separate file

Fixes #774
@minherz minherz requested review from a team as code owners December 3, 2021 18:53
@google-cla google-cla bot added the cla: yes This human has signed the Contributor License Agreement. label Dec 3, 2021
@product-auto-label product-auto-label bot added the api: logging Issues related to the googleapis/java-logging API. label Dec 3, 2021
@minherz minherz assigned minherz and unassigned simonz130 Dec 3, 2021
daniel-sanche
daniel-sanche reviewed Dec 3, 2021
View reviewed changes
google-cloud-logging/src/main/java/com/google/cloud/logging/Context.java
throw new IllegalArgumentException("Not supporting versionFormat other than \"00\"");
}
} else {
Matcher validator = W3C_TRACE_CONTEXT_FORMAT.matcher(traceParent.toLowerCase());
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure if toLowerCase() is needed. The spec says "Vendors MUST ignore the traceparent when the parent-id is invalid (for example, if it contains non-lowercase hex characters)."

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do not know whether we should be so strict about it. A chance that two different trace ids will be produced that differ only by a specific letter register seems low to me. But this way we can avoid exceptions that interrupt the metadata collection in the library.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we use then toUpperCase() to be safe?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My vote would be to just ignore any traceparent headers with invalid characters as the spec suggests, that upper-case "MUST" in the docs seems pretty serious haha.

My interpretation is that header parsing is meant to be farily strict, we're not supposed to alter the fields to make the data fit our expectations. But I'll leave the decision up to you.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with you about the standard. My concern is that ignoring it (or throwing and catching exception on the same account) would be very hard to troubleshoot for application developers. To be a little more liberal on this might prove to be closer to the spirit of the shared library.

@minherz minherz requested a review from daniel-sanche December 3, 2021 20:14
@minherz minherz merged commit 0150655 into main Dec 5, 2021
@minherz minherz deleted the minherz/fix-774 branch December 5, 2021 09:19
minherz pushed a commit that referenced this pull request Jan 4, 2022
@release-please
chore: release 3.5.2 (#779)
013bb50 
enforce w3c trace context value validation (#777) (0150655)
java: add -ntp flag to native image testing command (#1299) (#780) (3f70b62)
Rename LogDestinationName.getId() to LogDestinationName.getDestinationId() (#797) (62e7838)
Rename staleness.critical config parameter to staleness.extraold (#781) (3083bca)

Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@losalex losalex losalex left review comments

@daniel-sanche daniel-sanche daniel-sanche approved these changes

Assignees

@minherz minherz

Labels
api: logging Issues related to the googleapis/java-logging API. cla: yes This human has signed the Contributor License Agreement.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Fix validation of the W3C trace context header parsing
4 participants
@minherz @daniel-sanche @losalex @simonz130