fix(baggage): validate chars panic with 0x80 (#5494)

The validation rule for baggage key/values chars has a N+1 problem with the unicode value: `0x80`. For instance, `baggage.NewMemberRaw` could be called with a string value including the rune `128` and return no error. Then `baggage.New` would panic on `validateValueChar`: ``` === RUN TestValidateValueChar --- FAIL: TestValidateValueChar (0.00s) panic: runtime error: index out of range [128] with length 128 [recovered] panic: runtime error: index out of range [128] with length 128 ``` --------- Co-authored-by: Sam Xie <sam@samxie.me>
open-telemetry · Jun 17, 2024 · 478f85b · 478f85b
1 parent e451d1f
commit 478f85b
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -38,6 +38,7 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 - Document instrument name requirements in `go.opentelemetry.io/otel/metric`. (#5435)
 - Prevent random number generation data-race for experimental rand exemplars in `go.opentelemetry.io/otel/sdk/metric`. (#5456)
 - Fix counting number of dropped attributes of `Record` in `go.opentelemetry.io/otel/sdk/log`. (#5464)
+- Fix panic in baggage creation when a member contains 0x80 char in key or value. (#5494)
 
 ## [1.27.0/0.49.0/0.3.0] 2024-05-21
 

diff --git a/baggage/baggage.go b/baggage/baggage.go
@@ -735,7 +735,7 @@ func validateKey(s string) bool {
 }
 
 func validateKeyChar(c int32) bool {
-	return c >= 0 && c <= int32(utf8.RuneSelf) && safeKeyCharset[c]
+	return c >= 0 && c < int32(utf8.RuneSelf) && safeKeyCharset[c]
 }
 
 func validateValue(s string) bool {
@@ -850,7 +850,7 @@ var safeValueCharset = [utf8.RuneSelf]bool{
 }
 
 func validateValueChar(c int32) bool {
-	return c >= 0 && c <= int32(utf8.RuneSelf) && safeValueCharset[c]
+	return c >= 0 && c < int32(utf8.RuneSelf) && safeValueCharset[c]
 }
 
 // valueEscape escapes the string so it can be safely placed inside a baggage value,

diff --git a/baggage/baggage_test.go b/baggage/baggage_test.go
@@ -31,7 +31,7 @@ func TestValidateKeyChar(t *testing.T) {
 		'\x10', '\x11', '\x12', '\x13', '\x14', '\x15', '\x16', '\x17',
 		'\x18', '\x19', '\x1A', '\x1B', '\x1C', '\x1D', '\x1E', '\x1F', ' ',
 		'(', ')', '<', '>', '@', ',', ';', ':', '\\', '"', '/', '[', ']', '?',
-		'=', '{', '}', '\x7F', 2 >> 20,
+		'=', '{', '}', '\x7F', 2 >> 20, '\x80',
 	}
 
 	for _, ch := range invalidKeyRune {
@@ -46,7 +46,7 @@ func TestValidateValueChar(t *testing.T) {
 		'\x08', '\x09', '\x0A', '\x0B', '\x0C', '\x0D', '\x0E', '\x0F',
 		'\x10', '\x11', '\x12', '\x13', '\x14', '\x15', '\x16', '\x17',
 		'\x18', '\x19', '\x1A', '\x1B', '\x1C', '\x1D', '\x1E', '\x1F', ' ',
-		'"', ',', ';', '\\', '\x7F',
+		'"', ',', ';', '\\', '\x7F', '\x80',
 	}
 
 	for _, ch := range invalidValueRune {