Skip to content

Add parsing limits to tracestate and traceparent#5674

Merged
marcotc merged 3 commits into
masterfrom
fix-tracestate
May 6, 2026
Merged

Add parsing limits to tracestate and traceparent#5674
marcotc merged 3 commits into
masterfrom
fix-tracestate

Conversation

@marcotc

@marcotc marcotc commented May 5, 2026

Copy link
Copy Markdown
Member

What does this PR do?

Ensure when parsing the W3C Trace Context propagation headers traceparent and tracestate, ensure they respect our processing limits:

  • traceparent: 512 bytes
  • tracestate: 512 bytes
  • tracestate members: 32 entries

Change log entry

Yes. Add parsing limits to tracestate and traceparent propagation headers and remove whitespace around list members.

How to test the change?

bundle exec rspec spec/datadog/tracing/distributed/trace_context_spec.rb

@marcotc marcotc self-assigned this May 5, 2026
@dd-octo-sts

dd-octo-sts Bot commented May 5, 2026

Copy link
Copy Markdown
Contributor

Thank you for updating Change log entry section 👏

Visited at: 2026-05-05 21:15:41 UTC

@dd-octo-sts dd-octo-sts Bot added the tracing label May 5, 2026
@pr-commenter

pr-commenter Bot commented May 5, 2026

Copy link
Copy Markdown

Benchmarks

Benchmark execution time: 2026-05-06 21:44:52

Comparing candidate commit afff006 in PR branch fix-tracestate with baseline commit 3619470 in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 45 metrics, 1 unstable metrics.

Explanation

This is an A/B test comparing a candidate commit's performance against that of a baseline commit. Performance changes are noted in the tables below as:

  • 🟩 = significantly better candidate vs. baseline
  • 🟥 = significantly worse candidate vs. baseline

We compute a confidence interval (CI) over the relative difference of means between metrics from the candidate and baseline commits, considering the baseline as the reference.

If the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD), the change is considered significant.

Feel free to reach out to #apm-benchmarking-platform on Slack if you have any questions.

More details about the CI and significant changes

You can imagine this CI as a range of values that is likely to contain the true difference of means between the candidate and baseline commits.

CIs of the difference of means are often centered around 0%, because often changes are not that big:

---------------------------------(------|---^--------)-------------------------------->
                              -0.6%    0%  0.3%     +1.2%
                                 |          |        |
         lower bound of the CI --'          |        |
sample mean (center of the CI) -------------'        |
         upper bound of the CI ----------------------'

As described above, a change is considered significant if the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD).

For instance, for an execution time metric, this confidence interval indicates a significantly worse performance:

----------------------------------------|---------|---(---------^---------)---------->
                                       0%        1%  1.3%      2.2%      3.1%
                                                  |   |         |         |
       significant impact threshold --------------'   |         |         |
                      lower bound of CI --------------'         |         |
       sample mean (center of the CI) --------------------------'         |
                      upper bound of CI ----------------------------------'

@marcotc
marcotc marked this pull request as ready for review May 5, 2026 21:15
@marcotc
marcotc requested review from a team as code owners May 5, 2026 21:15
@marcotc
marcotc requested review from mabdinur and removed request for a team May 5, 2026 21:15

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e906c78244

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread lib/datadog/tracing/distributed/trace_context.rb Outdated
Comment thread sig/datadog/tracing/distributed/trace_context.rbs Outdated

@p-datadog p-datadog left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nitpick (non-blocking): mention the OWS normalization in the changelog

Beyond the size limits, the rewrite changes trace_state to be whitespace-normalized: "v=1, v2=2 " extracts as "v=1,v2=2" because vendors.each(&:strip!) then vendors.join(',') reconstructs without OWS. More spec-compliant (W3C says OWS in tracestate is allowed but not significant), but it's customer-observable for any service inspecting digest.trace_state after extraction. The current changelog entry covers parsing limits — extending it to "Add parsing limits and normalize OWS in tracestate propagation headers" would catch this side effect.

Side note: String#strip removes \n, \v, \f, \r in addition to space and tab. The W3C OWS pattern is space and HTAB only. Not a security issue (those chars are malformed input anyway), but stricter than the spec calls for.

@p-datadog

Copy link
Copy Markdown
Member

suggestion (non-blocking): short-circuit on invalid encoding before split

At lib/datadog/tracing/distributed/trace_context.rb, split_tracestate (the return unless tracestate line):

The byteslice+chop pattern fixes the codex-flagged truncation case, but invalid UTF-8 input under the byte limit still hits split(',', 33) and raises ArgumentError: invalid byte sequence in UTF-8. Propagation#extract's rescue catches it, so the request continues — but each invalid-tracestate request emits a logger.error. A short-circuit at the top keeps that path quiet and aligns with the W3C spec, which requires tracestate to be ASCII-only.

return unless tracestate
return unless tracestate.valid_encoding?

valid_encoding? returns true for ASCII-8BIT regardless of byte values, so Rack's typical binary headers are unaffected. It only catches UTF-8-tagged-but-actually-invalid input.

@marcotc

marcotc commented May 6, 2026

Copy link
Copy Markdown
Member Author

Beyond the size limits, the rewrite changes trace_state to be whitespace-normalized: "v=1, v2=2 " extracts as "v=1,v2=2" because vendors.each(&:strip!) then vendors.join(',') reconstructs without OWS. More spec-compliant (W3C says OWS in tracestate is allowed but not significant), but it's customer-observable for any service inspecting digest.trace_state after extraction. The current changelog entry covers parsing limits — extending it to "Add parsing limits and normalize OWS in tracestate propagation headers" would catch this side effect.

@p-datadog Added the whitespace changes to the changelog. Thank you!

@marcotc

marcotc commented May 6, 2026

Copy link
Copy Markdown
Member Author

but invalid UTF-8 input under the byte limit still hits split(',', 33)

@p-datadog This came up on every step of these changes, and I chose not to address these immediately because they don't seem to be reported errors today, and a proper fix likely requires pervasive inspection of all the HTTP header code flow to know the best place to implement a UTF-8 validation/normalization.

Base automatically changed from fix-baggage to master May 6, 2026 20:44
@dd-octo-sts

dd-octo-sts Bot commented May 6, 2026

Copy link
Copy Markdown
Contributor

Typing analysis

Note: Ignored files are excluded from the next sections.

Untyped methods

This PR introduces 3 partially typed methods, and clears 3 partially typed methods.

Partially typed methods (+3-3)Introduced:
sig/datadog/tracing/distributed/baggage.rbs:18
└── def initialize: (fetcher: untyped, ?baggage_key: ::String, ?baggage_tag_keys: untyped) -> void
sig/datadog/tracing/distributed/baggage.rbs:20
└── def inject!: (untyped digest, untyped data) -> (nil | untyped)
sig/datadog/tracing/distributed/baggage.rbs:22
└── def extract: (untyped data) -> TraceDigest?
Cleared:
sig/datadog/tracing/distributed/baggage.rbs:16
└── def initialize: (fetcher: untyped, ?baggage_key: ::String, ?baggage_tag_keys: untyped) -> void
sig/datadog/tracing/distributed/baggage.rbs:18
└── def inject!: (untyped digest, untyped data) -> (nil | untyped)
sig/datadog/tracing/distributed/baggage.rbs:20
└── def extract: (untyped data) -> (nil | untyped)

If you believe a method or an attribute is rightfully untyped or partially typed, you can add # untyped:accept on the line before the definition to remove it from the stats.

@datadog-prod-us1-4

datadog-prod-us1-4 Bot commented May 6, 2026

Copy link
Copy Markdown

Tests

🎉 All green!

❄️ No new flaky tests detected
🧪 All tests passed

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 97.22% (+0.00%)

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: afff006 | Docs | Datadog PR Page | Give us feedback!

@marcotc
marcotc merged commit eae7228 into master May 6, 2026
585 checks passed
@marcotc
marcotc deleted the fix-tracestate branch May 6, 2026 22:01
@dd-octo-sts dd-octo-sts Bot added this to the 2.32.0 milestone May 6, 2026
@marcotc marcotc mentioned this pull request May 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants