nic-6443 commented on code in PR #12990:
URL: https://github.com/apache/apisix/pull/12990#discussion_r3393077315
##########
apisix/plugins/opentelemetry.lua:
##########
@@ -232,9 +253,24 @@ end
local function create_tracer_obj(conf, plugin_info)
if plugin_info.trace_id_source == "x-request-id" then
- id_generator.new_ids = function()
- local trace_id = core.request.headers()["x-request-id"] or
ngx_var.request_id
- return trace_id, id_generator.new_span_id()
+ if not id_generator._wrapped then
+ local _original_new_ids = id_generator.new_ids
+
+ id_generator.new_ids = function()
+ local trace_id = core.request.headers()["x-request-id"]
+ or ngx_var.request_id
+
+ trace_id = trace_id and string_lower(trace_id)
Review Comment:
A duplicated `X-Request-Id` header still crashes this:
`core.request.headers()` is `ngx.req.get_headers()`, which returns a Lua table
when the same header appears more than once, so `string_lower(trace_id)` throws
`bad argument`. And since plugin phase handlers are not pcall-wrapped, that
error now fails the request with a 500 on every such request (before this patch
the same input crashed asynchronously in the export timer). Given the whole
point of this fix is to validate untrusted header input, it should survive this
case too — a `type(trace_id) ~= "string"` check (e.g. at the top of
`is_valid_trace_id`, before any `string_lower`) would cover it.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
