From 32466a89dd37cfcbd23f541bd66b9b28c867f4e0 Mon Sep 17 00:00:00 2001 From: Damien MEHALA Date: Wed, 10 Sep 2025 11:31:53 +0200 Subject: [PATCH 1/2] fix: reject traceparent headers with unsupported versions This addresses a regression introduced in #178, where traceparent headers containing unsupported characters were not properly rejected and were incorrectly treated as valid. [APMAPI-1599] --- src/datadog/w3c_propagation.cpp | 7 +++++++ test/test_tracer.cpp | 26 +++++++++++++++++++++++++- 2 files changed, 32 insertions(+), 1 deletion(-) diff --git a/src/datadog/w3c_propagation.cpp b/src/datadog/w3c_propagation.cpp index 28e7f341..dac6753f 100644 --- a/src/datadog/w3c_propagation.cpp +++ b/src/datadog/w3c_propagation.cpp @@ -33,6 +33,11 @@ auto verboten(int lowest_ascii, int highest_ascii, }; } +constexpr bool is_hexdiglc(const char c) { + return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || + (c >= 'A' && c <= 'F'); +} + // Populate the specified `result` with data extracted from the "traceparent" // entry of the specified `headers`. Return `nullopt` on success. Return a value // for the `tags::internal::w3c_extraction_error` tag if an error occurs. @@ -59,6 +64,8 @@ Optional extract_traceparent(ExtractedData& result, beg = i + 1; internal_state = state::trace_id; + } else if (!is_hexdiglc(traceparent[i])) { + return "invalid_version"; } } break; diff --git a/test/test_tracer.cpp b/test/test_tracer.cpp index ab53bf16..f65348cd 100644 --- a/test/test_tracer.cpp +++ b/test/test_tracer.cpp @@ -1191,6 +1191,31 @@ TEST_TRACER("span extraction") { nullopt, "0000000000000000", // expected_datadog_w3c_parent_id, }, + + { + __LINE__, + "malformed traceparent 1/x", + ".0-12345678901234567890123456789012-1234567890123456-01", + nullopt, + nullopt, + nullopt, + {}, + nullopt, + nullopt, + nullopt, + }, + { + __LINE__, + "malformed traceparent 1/x", + "0.-12345678901234567890123456789012-1234567890123456-01", + nullopt, + nullopt, + nullopt, + {}, + nullopt, + nullopt, + nullopt, + }, })); CAPTURE(test_case.name); @@ -1225,7 +1250,6 @@ TEST_TRACER("span extraction") { test_case.expected_datadog_w3c_parent_id); REQUIRE(logger.entries.empty()); - REQUIRE(span_tags.empty()); } SECTION("W3C Phase 3 support - Preferring tracecontext") { From 071b25b60735bfdbf83b4cb1a63cc669e4e7c087 Mon Sep 17 00:00:00 2001 From: Damien Mehala Date: Mon, 22 Sep 2025 10:41:41 +0200 Subject: [PATCH 2/2] address zach comments --- test/test_tracer.cpp | 39 ++++++++++++++------------------------- 1 file changed, 14 insertions(+), 25 deletions(-) diff --git a/test/test_tracer.cpp b/test/test_tracer.cpp index f65348cd..d5ff0cc2 100644 --- a/test/test_tracer.cpp +++ b/test/test_tracer.cpp @@ -755,6 +755,19 @@ TEST_TRACER("span extraction") { {__LINE__, "invalid: non hex trace tag ID", "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-xy", // traceparent "malformed_traceflags"}, // expected_error_tag_value + + { + __LINE__, + "invalid: non supported character in trace version 1/x", + ".0-12345678901234567890123456789012-1234567890123456-01", + "invalid_version", + }, + { + __LINE__, + "invalid: non supported character in trace version 2/x", + "0.-12345678901234567890123456789012-1234567890123456-01", + "invalid_version" + }, })); // clang-format on @@ -1191,31 +1204,6 @@ TEST_TRACER("span extraction") { nullopt, "0000000000000000", // expected_datadog_w3c_parent_id, }, - - { - __LINE__, - "malformed traceparent 1/x", - ".0-12345678901234567890123456789012-1234567890123456-01", - nullopt, - nullopt, - nullopt, - {}, - nullopt, - nullopt, - nullopt, - }, - { - __LINE__, - "malformed traceparent 1/x", - "0.-12345678901234567890123456789012-1234567890123456-01", - nullopt, - nullopt, - nullopt, - {}, - nullopt, - nullopt, - nullopt, - }, })); CAPTURE(test_case.name); @@ -1250,6 +1238,7 @@ TEST_TRACER("span extraction") { test_case.expected_datadog_w3c_parent_id); REQUIRE(logger.entries.empty()); + REQUIRE(span_tags.empty()); } SECTION("W3C Phase 3 support - Preferring tracecontext") {