wip

jandro996 · jandro996 · commit 6af0ef3334f7 · 2025-08-06T12:00:02.000+02:00
diff --git a/dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/instrumentation/decorator/http/ClientIpAddressResolver.java b/dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/instrumentation/decorator/http/ClientIpAddressResolver.java
@@ -204,108 +204,95 @@ enum ForwardedParseState {
 
     @Override
     public InetAddress apply(String headerValue) {
+      InetAddress resultPrivate = null;
+      ForwardedParseState state = ForwardedParseState.BETWEEN;
+
+      // https://datatracker.ietf.org/doc/html/rfc7239#section-4
+      int pos = 0;
       int end = headerValue.length();
-      int entryEnd = end;
-      // Parse entries right-to-left, separated by ','
-      for (int i = end - 1; i >= -1; i--) {
-        if (i == -1 || headerValue.charAt(i) == ',') {
-          int entryStart = i + 1;
-          // skip leading spaces
-          while (entryStart < entryEnd && headerValue.charAt(entryStart) == ' ') {
-            entryStart++;
-          }
-          String entry = headerValue.substring(entryStart, entryEnd);
-          InetAddress resultPrivate = null;
-          ForwardedParseState state = ForwardedParseState.BETWEEN;
-          // https://datatracker.ietf.org/doc/html/rfc7239#section-4
-          int pos = 0;
-          int entryLen = entry.length();
-          // compiler requires that these two be initialized:
-          int start = 0;
-          boolean considerValue = false;
-          while (pos < entryLen) {
-            char c = entry.charAt(pos);
-            switch (state) {
-              case BETWEEN:
-                if (c == ' ' || c == ';' || c == ',') {
-                  break;
-                }
-                start = pos;
-                state = ForwardedParseState.KEY;
-                break;
-              case KEY:
-                if (c != '=') {
-                  break;
-                }
-                state = ForwardedParseState.BEFORE_VALUE;
-                if (pos - start == 3) {
-                  String key = entry.substring(start, pos);
-                  considerValue = key.equalsIgnoreCase("for");
-                } else {
-                  considerValue = false;
-                }
-                break;
-              case BEFORE_VALUE:
-                if (c == '"') {
-                  start = pos + 1;
-                  state = ForwardedParseState.VALUE_QUOTED;
-                } else if (c == ' ' || c == ';' || c == ',') {
-                  // empty value
-                  state = ForwardedParseState.BETWEEN;
-                } else {
-                  start = pos;
-                  state = ForwardedParseState.VALUE_TOKEN;
-                }
+      // compiler requires that these two be initialized:
+      int start = 0;
+      boolean considerValue = false;
+      while (pos < end) {
+        char c = headerValue.charAt(pos);
+        switch (state) {
+          case BETWEEN:
+            if (c == ' ' || c == ';' || c == ',') {
+              break;
+            }
+            start = pos;
+            state = ForwardedParseState.KEY;
+            break;
+          case KEY:
+            if (c != '=') {
+              break;
+            }
+
+            state = ForwardedParseState.BEFORE_VALUE;
+            if (pos - start == 3) {
+              String key = headerValue.substring(start, pos);
+              considerValue = key.equalsIgnoreCase("for");
+            } else {
+              considerValue = false;
+            }
+            break;
+          case BEFORE_VALUE:
+            if (c == '"') {
+              start = pos + 1;
+              state = ForwardedParseState.VALUE_QUOTED;
+            } else if (c == ' ' || c == ';' || c == ',') {
+              // empty value
+              state = ForwardedParseState.BETWEEN;
+            } else {
+              start = pos;
+              state = ForwardedParseState.VALUE_TOKEN;
+            }
+            break;
+          case VALUE_TOKEN:
+            {
+              int tokenEnd;
+              if (c == ' ' || c == ';' || c == ',') {
+                tokenEnd = pos;
+              } else if (pos + 1 == end) {
+                tokenEnd = end;
+              } else {
                 break;
-              case VALUE_TOKEN:
-                {
-                  int tokenEnd;
-                  if (c == ' ' || c == ';' || c == ',') {
-                    tokenEnd = pos;
-                  } else if (pos + 1 == entryLen) {
-                    tokenEnd = entryLen;
-                  } else {
-                    break;
-                  }
-                  if (considerValue) {
-                    InetAddress ipAddr =
-                        parseIpAddressAndMaybePort(entry.substring(start, tokenEnd));
-                    if (ipAddr != null) {
-                      if (isIpAddrPrivate(ipAddr)) {
-                        if (resultPrivate == null) {
-                          resultPrivate = ipAddr;
-                        }
-                      } else {
-                        return ipAddr;
-                      }
+              }
+
+              if (considerValue) {
+                InetAddress ipAddr =
+                    parseIpAddressAndMaybePort(headerValue.substring(start, tokenEnd));
+                if (ipAddr != null) {
+                  if (isIpAddrPrivate(ipAddr)) {
+                    if (resultPrivate == null) {
+                      resultPrivate = ipAddr;
                     }
+                  } else {
+                    return ipAddr;
                   }
-                  state = ForwardedParseState.BETWEEN;
-                  break;
                 }
-              case VALUE_QUOTED:
-                if (c == '"') {
-                  if (considerValue) {
-                    InetAddress ipAddr = parseIpAddressAndMaybePort(entry.substring(start, pos));
-                    if (ipAddr != null && !isIpAddrPrivate(ipAddr)) {
-                      return ipAddr;
-                    }
-                  }
-                  state = ForwardedParseState.BETWEEN;
-                } else if (c == '\\') {
-                  pos++;
+              }
+              state = ForwardedParseState.BETWEEN;
+              break;
+            }
+          case VALUE_QUOTED:
+            if (c == '"') {
+              if (considerValue) {
+                InetAddress ipAddr = parseIpAddressAndMaybePort(headerValue.substring(start, pos));
+                if (ipAddr != null && !isIpAddrPrivate(ipAddr)) {
+                  return ipAddr;
                 }
-                break;
+              }
+              state = ForwardedParseState.BETWEEN;
+            } else if (c == '\\') {
+              pos++;
             }
-            pos++;
-          }
-          if (resultPrivate != null) {
-            return resultPrivate;
-          }
-          entryEnd = i;
+            break;
         }
+        pos++;
       }
-      return null;
+
+      return resultPrivate;
     }
   }
 
diff --git a/dd-java-agent/agent-bootstrap/src/test/groovy/datadog/trace/bootstrap/instrumentation/decorator/http/ClientIpAddressResolverSpecification.groovy b/dd-java-agent/agent-bootstrap/src/test/groovy/datadog/trace/bootstrap/instrumentation/decorator/http/ClientIpAddressResolverSpecification.groovy
@@ -82,7 +82,6 @@ class ClientIpAddressResolverSpecification extends Specification {
     'forwarded' | '   for=127.0.0.1,for= for=,for=;"for = for="" ,; for=8.8.8.8;' | '8.8.8.8'
     'forwarded' | 'for=192.0.2.60;proto=http;by=203.0.113.43' | '192.0.2.60'
     'forwarded' | 'For="[2001:db8:cafe::17]:4711"' | '2001:db8:cafe::17'
-    'forwarded' | 'for=192.0.2.43, for=198.51.100.17' | '198.51.100.17'
     'forwarded' | 'for=192.0.2.43;proto=https;by=203.0.113.43' | '192.0.2.43'
     'forwarded' | 'for="_gazonk"' | null
     'forwarded' | 'for=unknown, for=8.8.8.8' | '8.8.8.8'
