Add regexes to check keys and values

ocelotl · ocelotl · commit 82ea1998927d · 2021-08-03T16:54:58.000-06:00
Fixes open-telemetry#2010
diff --git a/opentelemetry-api/src/opentelemetry/baggage/propagation/__init__.py b/opentelemetry-api/src/opentelemetry/baggage/propagation/__init__.py
@@ -14,12 +14,19 @@
 #
 import typing
 import urllib.parse
+from re import compile as compile_
 
 from opentelemetry import baggage
 from opentelemetry.context import get_current
 from opentelemetry.context.context import Context
 from opentelemetry.propagators import textmap
 
+_key = r"[!#-'*+-.0-9A-Z^-z|~]+"
+_key_regex = compile_(_key)
+_value = r"[!#-+.-:<-\[\]-~-]*"
+_value_regex = compile_(_value)
+_key_value_regex = compile_(r"\s*{}\s*=\s*{}\s*".format(_key, _value))
+
 
 class W3CBaggagePropagator(textmap.TextMapPropagator):
     """Extracts and injects Baggage which is used to annotate telemetry."""
@@ -54,7 +61,10 @@ def extract(
         baggage_entries = header.split(",")
         total_baggage_entries = self._MAX_PAIRS
         for entry in baggage_entries:
-            if total_baggage_entries <= 0:
+
+            if _key_value_regex.match(entry) is None or (
+                total_baggage_entries <= 0
+            ):
                 return context
             total_baggage_entries -= 1
             if len(entry) > self._MAX_PAIR_LENGTH:
@@ -95,11 +105,18 @@ def fields(self) -> typing.Set[str]:
         return {self._BAGGAGE_HEADER_NAME}
 
 
-def _format_baggage(baggage_entries: typing.Mapping[str, object]) -> str:
-    return ",".join(
-        key + "=" + urllib.parse.quote_plus(str(value))
-        for key, value in baggage_entries.items()
-    )
+def _format_baggage(baggage_entries: typing.Mapping[str, str]) -> str:
+
+    key_values = []
+
+    for key, value in baggage_entries.items():
+
+        if _key_regex.match(key) is None or _value_regex.match(value) is None:
+            continue
+
+        key_values.append(key + "=" + urllib.parse.quote(str(value)))
+
+    return ",".join(key_values)
 
 
 def _extract_first_element(
diff --git a/opentelemetry-api/tests/baggage/test_baggage_propagation.py b/opentelemetry-api/tests/baggage/test_baggage_propagation.py
@@ -79,9 +79,8 @@ def test_valid_header_with_empty_value(self):
         self.assertEqual(self._extract(header), expected)
 
     def test_invalid_header(self):
-        header = "header1"
-        expected = {}
-        self.assertEqual(self._extract(header), expected)
+        self.assertEqual(self._extract("header1"), {})
+        self.assertEqual(self._extract(" = "), {})
 
     def test_header_too_long(self):
         long_value = "s" * (W3CBaggagePropagator._MAX_HEADER_LENGTH + 1)
@@ -111,6 +110,9 @@ def test_inject_no_baggage_entries(self):
         output = self._inject(values)
         self.assertEqual(None, output)
 
+    def test_inject_invalid_entries(self):
+        self.assertEqual(None, self._inject({"key": "val ue"}))
+
     def test_inject(self):
         values = {
             "key1": "val1",
