From 1bea33793f68013a6162474640c9c417c843d597 Mon Sep 17 00:00:00 2001
From: Fabio Bozzo
Date: Thu, 6 Jun 2024 11:25:43 +0200
Subject: [PATCH 1/3] fix(baggage): validate chars panic with 0x80
---
 baggage/baggage.go | 4 ++--
 baggage/baggage_test.go | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/baggage/baggage.go b/baggage/baggage.go
index f98c54a3cba..275b0925899 100644
--- a/baggage/baggage.go
+++ b/baggage/baggage.go
@@ -735,7 +735,7 @@ func validateKey(s string) bool {
 }
 func validateKeyChar(c int32) bool {
- return c >= 0 && c <= int32(utf8.RuneSelf) && safeKeyCharset[c]
+ return c >= 0 && c < int32(utf8.RuneSelf) && safeKeyCharset[c]
 }
 func validateValue(s string) bool {
@@ -850,7 +850,7 @@ var safeValueCharset = [utf8.RuneSelf]bool{
 }
 func validateValueChar(c int32) bool {
- return c >= 0 && c <= int32(utf8.RuneSelf) && safeValueCharset[c]
+ return c >= 0 && c < int32(utf8.RuneSelf) && safeValueCharset[c]
 }
 // valueEscape escapes the string so it can be safely placed inside a baggage value,
diff --git a/baggage/baggage_test.go b/baggage/baggage_test.go
index 9ed18791acf..30150e4f92d 100644
--- a/baggage/baggage_test.go
+++ b/baggage/baggage_test.go
@@ -31,7 +31,7 @@ func TestValidateKeyChar(t *testing.T) {
 '\x10', '\x11', '\x12', '\x13', '\x14', '\x15', '\x16', '\x17', '\x18', '\x19', '\x1A', '\x1B', '\x1C', '\x1D', '\x1E', '\x1F', ' ', '(', ')', '<', '>', '@', ',', ';', ':', '\\', '"', '/', '[', ']', '?',
- '=', '{', '}', '\x7F', 2 >> 20,
+ '=', '{', '}', '\x7F', 2 >> 20, '\x80',
 }
 for _, ch := range invalidKeyRune {
@@ -46,7 +46,7 @@ func TestValidateValueChar(t *testing.T) {
 '\x08', '\x09', '\x0A', '\x0B', '\x0C', '\x0D', '\x0E', '\x0F', '\x10', '\x11', '\x12', '\x13', '\x14', '\x15', '\x16', '\x17', '\x18', '\x19', '\x1A', '\x1B', '\x1C', '\x1D', '\x1E', '\x1F', ' ',
- '"', ',', ';', '\\', '\x7F',
+ '"', ',', ';', '\\', '\x7F', '\x80',
 }
 for _, ch := range invalidValueRune {
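Review bot: `validateKeyChar` still takes its upper bound from `utf8.RuneSelf` rather than from the table it indexes, so only convention keeps the guard in step with the array length. Writing it as `return c >= 0 && c < int32(len(safeKeyCharset)) && safeKeyCharset[c]` makes an out-of-range index impossible by construction; the same applies to `validateValueChar` and `safeValueCharset` in the second hunk. The declaration of `safeKeyCharset` is not visible in this patch, so this assumes it is a fixed-size array like `safeValueCharset`. Because an index equal to the array length panics at runtime, and baggage keys and values presumably can come from outside the process (not shown here), a short comment is also worth adding: `// Index must stay below the table length; 0x80 (utf8.RuneSelf) is the first out-of-range value.`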
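Review bot: The `2 >> 20` kept on the changed line of `invalidKeyRune` is a right shift and evaluates to 0, so it only repeats `'\x00'` and no rune well above the table is exercised. It was presumably meant to be a left shift, which would make the line `'=', '{', '}', '\x7F', 2 << 20, '\x80',`. The `invalidValueRune` list in the following hunk has no large rune at all and would benefit from the same entry, and a negative value such as `-1` in both lists would cover the `c >= 0` half of the guard. Both test functions begin and end outside their hunks, so the assertions made inside the loops are not visible here.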
From d511ef04c396e48a9605830dcdc0ba7cfce7d230 Mon Sep 17 00:00:00 2001
From: Fabio Bozzo
Date: Thu, 13 Jun 2024 11:00:10 +0200
Subject: [PATCH 2/3] add CHANGELOG.md entry
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 245f4cffa4b..b7efb6af962 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -478,6 +478,7 @@ This release drops the compatibility guarantee of [Go 1.19].
 - Do not append `_total` if the counter already has that suffix for the Prometheus exproter in `go.opentelemetry.io/otel/exporter/prometheus`. (#4373)
 - Fix resource detection data race in `go.opentelemetry.io/otel/sdk/resource`. (#4409)
 - Use the first-seen instrument name during instrument name conflicts in `go.opentelemetry.io/otel/sdk/metric`. (#4428)
+- Fix panic in baggage creation when a member contains 0x80 char in key or value. (#5494)
 ### Deprecated
From 7416cd73e1eb75940a5db5f85d0ff53e6be5d7ba Mon Sep 17 00:00:00 2001
From: Fabio Bozzo
Date: Mon, 17 Jun 2024 17:53:55 +0200
Subject: [PATCH 3/3] move CHANGELOG.md entry
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b7efb6af962..bc3b59fa364 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -37,6 +37,7 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 - Document instrument name requirements in `go.opentelemetry.io/otel/metric`. (#5435)
 - Prevent random number generation data-race for experimental rand exemplars in `go.opentelemetry.io/otel/sdk/metric`. (#5456)
 - Fix counting number of dropped attributes of `Record` in `go.opentelemetry.io/otel/sdk/log`. (#5464)
+- Fix panic in baggage creation when a member contains 0x80 char in key or value. (#5494)
 ## [1.27.0/0.49.0/0.3.0] 2024-05-21
@@ -478,7 +479,6 @@ This release drops the compatibility guarantee of [Go 1.19].
 - Do not append `_total` if the counter already has that suffix for the Prometheus exproter in `go.opentelemetry.io/otel/exporter/prometheus`. (#4373)
 - Fix resource detection data race in `go.opentelemetry.io/otel/sdk/resource`. (#4409)
 - Use the first-seen instrument name during instrument name conflicts in `go.opentelemetry.io/otel/sdk/metric`. (#4428)
-- Fix panic in baggage creation when a member contains 0x80 char in key or value. (#5494)
 ### Deprecated