Improve SentryTraceHeader constructor parameter validation #4604
Conversation
alexander-alderman-webb
requested review from
adinauer,
romtsn,
stefanosiano,
markushi and
lcian
as code owners
|
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
Performance metrics 🚀
|
| Revision | Plain | With Sentry | Diff |
|---|---|---|---|
| 38c63b5 | 414.92 ms | 431.77 ms | 16.85 ms |
| 75111c8 | 414.61 ms | 448.59 ms | 33.98 ms |
App size
| Revision | Plain | With Sentry | Diff |
|---|---|---|---|
| 38c63b5 | 1.58 MiB | 2.09 MiB | 521.57 KiB |
| 75111c8 | 1.58 MiB | 2.09 MiB | 521.57 KiB |
There was a problem hiding this comment.
Overall looks good to me, please see the comments.
I've noticed that in the constructor of SentryId there's a case where we would throw a more specific exception about the format of the UUID, but it also mentions that UUIDs could be formatted with dashes which is not true in this particular case as the spec states that the trace id should be exactly 32 hex characters, so I think this approach is fine.
| final Pattern SENTRY_TRACEPARENT_HEADER_REGEX = | ||
| Pattern.compile( | ||
| "^[ \\t]*(?<traceId>[0-9a-f]{32})-(?<spanId>[0-9a-f]{16})(?<sampled>-[01])?[ \\t]*$", | ||
| Pattern.CASE_INSENSITIVE); |
There was a problem hiding this comment.
| final Pattern SENTRY_TRACEPARENT_HEADER_REGEX = | |
| Pattern.compile( | |
| "^[ \\t]*(?<traceId>[0-9a-f]{32})-(?<spanId>[0-9a-f]{16})(?<sampled>-[01])?[ \\t]*$", | |
| Pattern.CASE_INSENSITIVE); | |
| private static final Pattern SENTRY_TRACEPARENT_HEADER_REGEX = | |
| Pattern.compile( | |
| "^[ \\t]*(?<traceId>[0-9a-f]{32})-(?<spanId>[0-9a-f]{16})(?<sampled>-[01])?[ \\t]*$", | |
| Pattern.CASE_INSENSITIVE); |
We can make it static so we're only going to compile it once, as compiling could be expensive. Otherwise, without static we would potentially compile the regex for each incoming request.
There was a problem hiding this comment.
Yes great point. Addressed this.
📜 Description
Use similar, regex-based, validation logic to the PHP SDK for the sentry-trace HTTP header: https://github.com/getsentry/sentry-php/blob/master/src/Tracing/TransactionContext.php#L9
#skip-changelog
💡 Motivation and Context
💚 How did you test it?
Added test cases with malformed arguments, which would have caused errors later on previously. These include tests with IDs that are too short or too long, and IDs with invalid characters.
📝 Checklist
sendDefaultPIIis enabled.🔮 Next steps