From 2e0014d39fce13145b4b32a1a8cba6c6512d5b9f Mon Sep 17 00:00:00 2001
From: Fabio Bozzo
Date: Mon, 17 Jun 2024 18:03:57 +0200
Subject: [PATCH] fix(baggage): validate chars panic with 0x80 (#5494)

The validation rule for baggage key/values chars has a N+1 problem with the unicode value: `0x80`. For instance, `baggage.NewMemberRaw` could be called with a string value including the rune `128` and return no error. Then `baggage.New` would panic on `validateValueChar`:
```
=== RUN TestValidateValueChar
--- FAIL: TestValidateValueChar (0.00s)
panic: runtime error: index out of range [128] with length 128 [recovered]
panic: runtime error: index out of range [128] with length 128
```
---------
Co-authored-by: Sam Xie
---
 CHANGELOG.md | 1 +
 baggage/baggage.go | 4 ++--
 baggage/baggage_test.go | 4 ++--
 3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2cdcaad1f902..47c000336a39 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -39,6 +39,7 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 - Prevent random number generation data-race for experimental rand exemplars in `go.opentelemetry.io/otel/sdk/metric`. (#5456)
 - Fix counting number of dropped attributes of `Record` in `go.opentelemetry.io/otel/sdk/log`. (#5464)
 - Run the `Detect` method in `go.opentelemetry.io/otel/sdk/resource` in parallel. (#5402)
+- Fix panic in baggage creation when a member contains 0x80 char in key or value. (#5494)
 ## [1.27.0/0.49.0/0.3.0] 2024-05-21
diff --git a/baggage/baggage.go b/baggage/baggage.go
index f98c54a3cbab..275b09258991 100644
--- a/baggage/baggage.go
+++ b/baggage/baggage.go
@@ -735,7 +735,7 @@ func validateKey(s string) bool {
 }
 func validateKeyChar(c int32) bool {
- return c >= 0 && c <= int32(utf8.RuneSelf) && safeKeyCharset[c]
+ return c >= 0 && c < int32(utf8.RuneSelf) && safeKeyCharset[c]
 }
 func validateValue(s string) bool {
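Review bot: In `validateKeyChar` the upper bound is still written independently of the table it guards, so the check and `safeKeyCharset` stay in agreement only while both happen to use `utf8.RuneSelf` (the key table's declaration is outside this hunk; `safeValueCharset` is declared as `[utf8.RuneSelf]bool`). Bounding by the table itself, `return c >= 0 && int(c) < len(safeKeyCharset) && safeKeyCharset[c]`, keeps the index check correct if the table is ever resized, and the same applies to `validateValueChar` in the hunk at -850. Baggage members presumably can originate from propagated request data, so an out-of-range index here means a process crash instead of a rejected member; a short comment above both helpers such as `// Non-ASCII runes are rejected before indexing: the table only has entries for 0x00-0x7F.` would record why the bound is exclusive.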
@@ -850,7 +850,7 @@ var safeValueCharset = [utf8.RuneSelf]bool{
 }
 func validateValueChar(c int32) bool {
- return c >= 0 && c <= int32(utf8.RuneSelf) && safeValueCharset[c]
+ return c >= 0 && c < int32(utf8.RuneSelf) && safeValueCharset[c]
 }
 // valueEscape escapes the string so it can be safely placed inside a baggage value,
diff --git a/baggage/baggage_test.go b/baggage/baggage_test.go
index 9ed18791acf4..30150e4f92d5 100644
--- a/baggage/baggage_test.go
+++ b/baggage/baggage_test.go
@@ -31,7 +31,7 @@ func TestValidateKeyChar(t *testing.T) {
 '\x10', '\x11', '\x12', '\x13', '\x14', '\x15', '\x16', '\x17', '\x18', '\x19', '\x1A', '\x1B', '\x1C', '\x1D', '\x1E', '\x1F', ' ', '(', ')', '<', '>', '@', ',', ';', ':', '\\', '"', '/', '[', ']', '?',
- '=', '{', '}', '\x7F', 2 >> 20,
+ '=', '{', '}', '\x7F', 2 >> 20, '\x80',
 }
 for _, ch := range invalidKeyRune {
@@ -46,7 +46,7 @@ func TestValidateValueChar(t *testing.T) {
 '\x08', '\x09', '\x0A', '\x0B', '\x0C', '\x0D', '\x0E', '\x0F', '\x10', '\x11', '\x12', '\x13', '\x14', '\x15', '\x16', '\x17', '\x18', '\x19', '\x1A', '\x1B', '\x1C', '\x1D', '\x1E', '\x1F', ' ',
- '"', ',', ';', '\\', '\x7F',
+ '"', ',', ';', '\\', '\x7F', '\x80',
 }
 for _, ch := range invalidValueRune {
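Review bot: `2 >> 20` on the changed line of `invalidKeyRune` evaluates to 0, so that entry tests NUL rather than a rune far above the table; it was presumably meant to be `2 << 20`. As written, the newly added `'\x80'` is the only out-of-range input the key test exercises, and `invalidValueRune` in the hunk at -46 has no large rune either. Suggested line: `'=', '{', '}', '\x7F', 2 << 20, '\x80',`, with a similarly large value appended to the value list. The body of TestValidateKeyChar starts and ends outside the hunk.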
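Review bot: The failure described in the commit message, `baggage.NewMemberRaw` accepting a value that contains rune 128 and `baggage.New` then panicking, is not pinned at the API level; this hunk only adds `'\x80'` to the table fed to `validateValueChar`. A test case that builds such a member and passes it to `baggage.New`, asserting that the call returns instead of panicking, would keep the two entry points from drifting apart again. Whether `NewMemberRaw` should itself reject the value is not visible from this diff and is worth confirming. The body of TestValidateValueChar starts and ends outside the hunk.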