fix: reject traceparent headers with unsupported versions

dmehala · dmehala · commit 32466a89dd37 · 2025-09-10T11:37:38.000+02:00
This addresses a regression introduced in #178, where traceparent headers containing unsupported characters were not properly rejected and were incorrectly treated as valid. [APMAPI-1599]
diff --git a/src/datadog/w3c_propagation.cpp b/src/datadog/w3c_propagation.cpp
@@ -33,6 +33,11 @@ auto verboten(int lowest_ascii, int highest_ascii,
   };
 }
 
+constexpr bool is_hexdiglc(const char c) {
+  return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') ||
+         (c >= 'A' && c <= 'F');
+}
+
 // Populate the specified `result` with data extracted from the "traceparent"
 // entry of the specified `headers`. Return `nullopt` on success. Return a value
 // for the `tags::internal::w3c_extraction_error` tag if an error occurs.
@@ -59,6 +64,8 @@ Optional<std::string> extract_traceparent(ExtractedData& result,
 
           beg = i + 1;
           internal_state = state::trace_id;
+        } else if (!is_hexdiglc(traceparent[i])) {
+          return "invalid_version";
         }
       } break;
 
diff --git a/test/test_tracer.cpp b/test/test_tracer.cpp
@@ -1191,6 +1191,31 @@ TEST_TRACER("span extraction") {
             nullopt,
             "0000000000000000",  // expected_datadog_w3c_parent_id,
         },
+
+        {
+            __LINE__,
+            "malformed traceparent 1/x",
+            ".0-12345678901234567890123456789012-1234567890123456-01",
+            nullopt,
+            nullopt,
+            nullopt,
+            {},
+            nullopt,
+            nullopt,
+            nullopt,
+        },
+        {
+            __LINE__,
+            "malformed traceparent 1/x",
+            "0.-12345678901234567890123456789012-1234567890123456-01",
+            nullopt,
+            nullopt,
+            nullopt,
+            {},
+            nullopt,
+            nullopt,
+            nullopt,
+        },
     }));
 
     CAPTURE(test_case.name);
@@ -1225,7 +1250,6 @@ TEST_TRACER("span extraction") {
             test_case.expected_datadog_w3c_parent_id);
 
     REQUIRE(logger.entries.empty());
-    REQUIRE(span_tags.empty());
   }
 
   SECTION("W3C Phase 3 support - Preferring tracecontext") {
