wip

Author: jandro996

dd-java-agent/agent-bootstrap/src/main/java/datadog/trace/bootstrap/instrumentation/decorator/http/ClientIpAddressResolver.java

@@ -100,6 +100,14 @@ private static InetAddress doResolve(AgentSpanContext.Extracted context, Mutable
       result = coalesce(result, addr);
     }
 
+    addr = tryHeader(context.getForwarded(), FORWARDED_PARSER);
+    if (addr != null) {
+      if (!isIpAddrPrivate(addr)) {
+        return addr;
+      }
+      result = coalesce(result, addr);
+    }
+
     addr = tryHeader(context.getXClusterClientIp(), PLAIN_IP_ADDRESS_PARSER);
     if (addr != null) {
       if (!isIpAddrPrivate(addr)) {
@@ -196,95 +204,99 @@ enum ForwardedParseState {
 
     @Override
     public InetAddress apply(String headerValue) {
-      InetAddress resultPrivate = null;
-      ForwardedParseState state = ForwardedParseState.BETWEEN;
-
-      // https://datatracker.ietf.org/doc/html/rfc7239#section-4
-      int pos = 0;
-      int end = headerValue.length();
-      // compiler requires that these two be initialized:
-      int start = 0;
-      boolean considerValue = false;
-      while (pos < end) {
-        char c = headerValue.charAt(pos);
-        switch (state) {
-          case BETWEEN:
-            if (c == ' ' || c == ';' || c == ',') {
-              break;
-            }
-            start = pos;
-            state = ForwardedParseState.KEY;
-            break;
-          case KEY:
-            if (c != '=') {
+      String[] entries = headerValue.split(",");
+      for (int i = entries.length - 1; i >= 0; i--) {
+        String entry = entries[i].trim();
+        InetAddress resultPrivate = null;
+        ForwardedParseState state = ForwardedParseState.BETWEEN;
+        // https://datatracker.ietf.org/doc/html/rfc7239#section-4
+        int pos = 0;
+        int end = entry.length();
+        // compiler requires that these two be initialized:
+        int start = 0;
+        boolean considerValue = false;
+        while (pos < end) {
+          char c = entry.charAt(pos);
+          switch (state) {
+            case BETWEEN:
+              if (c == ' ' || c == ';' || c == ',') {
+                break;
+              }
+              start = pos;
+              state = ForwardedParseState.KEY;
               break;
-            }
+            case KEY:
+              if (c != '=') {
+                break;
+              }
 
-            state = ForwardedParseState.BEFORE_VALUE;
-            if (pos - start == 3) {
-              String key = headerValue.substring(start, pos);
-              considerValue = key.equalsIgnoreCase("for");
-            } else {
-              considerValue = false;
-            }
-            break;
-          case BEFORE_VALUE:
-            if (c == '"') {
-              start = pos + 1;
-              state = ForwardedParseState.VALUE_QUOTED;
-            } else if (c == ' ' || c == ';' || c == ',') {
-              // empty value
-              state = ForwardedParseState.BETWEEN;
-            } else {
-              start = pos;
-              state = ForwardedParseState.VALUE_TOKEN;
-            }
-            break;
-          case VALUE_TOKEN:
-            {
-              int tokenEnd;
-              if (c == ' ' || c == ';' || c == ',') {
-                tokenEnd = pos;
-              } else if (pos + 1 == end) {
-                tokenEnd = end;
+              state = ForwardedParseState.BEFORE_VALUE;
+              if (pos - start == 3) {
+                String key = entry.substring(start, pos);
+                considerValue = key.equalsIgnoreCase("for");
               } else {
-                break;
+                considerValue = false;
+              }
+              break;
+            case BEFORE_VALUE:
+              if (c == '"') {
+                start = pos + 1;
+                state = ForwardedParseState.VALUE_QUOTED;
+              } else if (c == ' ' || c == ';' || c == ',') {
+                // empty value
+                state = ForwardedParseState.BETWEEN;
+              } else {
+                start = pos;
+                state = ForwardedParseState.VALUE_TOKEN;
               }
+              break;
+            case VALUE_TOKEN:
+              {
+                int tokenEnd;
+                if (c == ' ' || c == ';' || c == ',') {
+                  tokenEnd = pos;
+                } else if (pos + 1 == end) {
+                  tokenEnd = end;
+                } else {
+                  break;
+                }
 
-              if (considerValue) {
-                InetAddress ipAddr =
-                    parseIpAddressAndMaybePort(headerValue.substring(start, tokenEnd));
-                if (ipAddr != null) {
-                  if (isIpAddrPrivate(ipAddr)) {
-                    if (resultPrivate == null) {
-                      resultPrivate = ipAddr;
+                if (considerValue) {
+                  InetAddress ipAddr = parseIpAddressAndMaybePort(entry.substring(start, tokenEnd));
+                  if (ipAddr != null) {
+                    if (isIpAddrPrivate(ipAddr)) {
+                      if (resultPrivate == null) {
+                        resultPrivate = ipAddr;
+                      }
+                    } else {
+                      return ipAddr;
                     }
-                  } else {
-                    return ipAddr;
                   }
                 }
+                state = ForwardedParseState.BETWEEN;
+                break;
               }
-              state = ForwardedParseState.BETWEEN;
-              break;
-            }
-          case VALUE_QUOTED:
-            if (c == '"') {
-              if (considerValue) {
-                InetAddress ipAddr = parseIpAddressAndMaybePort(headerValue.substring(start, pos));
-                if (ipAddr != null && !isIpAddrPrivate(ipAddr)) {
-                  return ipAddr;
+            case VALUE_QUOTED:
+              if (c == '"') {
+                if (considerValue) {
+                  InetAddress ipAddr = parseIpAddressAndMaybePort(entry.substring(start, pos));
+                  if (ipAddr != null && !isIpAddrPrivate(ipAddr)) {
+                    return ipAddr;
+                  }
                 }
+                state = ForwardedParseState.BETWEEN;
+              } else if (c == '\\') {
+                pos++;
               }
-              state = ForwardedParseState.BETWEEN;
-            } else if (c == '\\') {
-              pos++;
-            }
-            break;
+              break;
+          }
+          pos++;
+        }
+        if (resultPrivate != null) {
+          return resultPrivate;
         }
-        pos++;
       }
-
-      return resultPrivate;
+      return null;
     }
   }
 

dd-java-agent/agent-bootstrap/src/test/groovy/datadog/trace/bootstrap/instrumentation/decorator/http/ClientIpAddressResolverSpecification.groovy

@@ -70,6 +70,14 @@ class ClientIpAddressResolverSpecification extends Specification {
     'fastly-client-ip' | '3.3.3.3' | '3.3.3.3'
     'cf-connecting-ip' | '4.4.4.4' | '4.4.4.4'
     'cf-connecting-ipv6' | '2001::2' | '2001::2'
+
+    'forwarded' | 'for=192.0.2.60;proto=http;by=203.0.113.43' | '192.0.2.60'
+    'forwarded' | 'For="[2001:db8:cafe::17]:4711"' | '2001:db8:cafe::17'
+    'forwarded' | 'for=192.0.2.43, for=198.51.100.17' | '198.51.100.17'
+    'forwarded' | 'for=192.0.2.43;proto=https;by=203.0.113.43' | '192.0.2.43'
+    'forwarded' | 'for="_gazonk"' | null
+    'forwarded' | 'for=unknown, for=8.8.8.8' | '8.8.8.8'
+    'forwarded' | 'for="[::ffff:192.0.2.128]";proto=http' | '192.0.2.128'
   }
 
   void 'test recognition strategy with custom header'() {
@@ -113,6 +121,9 @@ class ClientIpAddressResolverSpecification extends Specification {
     then:
     1 * context.getForwardedFor() >> null
 
+    then:
+    1 * context.getForwarded() >> null
+
     then:
     1 * context.getXClusterClientIp() >> null