chore(tracer): add forwarded ip header format support (#14418)

Following #14400

This PR improves the support for `forwarded` header by adding ip format
extraction from the forwarded format described in
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Forwarded
https://www.rfc-editor.org/rfc/rfc7239

- We only extract the ip from the `for` parameter.
- Also add tests for different possible ip formats (ipv4, ipv6, quoted
or unquoted, with or without port)

This will also be supported by system tests
DataDog/system-tests#5134

APPSEC-58261

## Checklist
- [x] PR author has checked that all the criteria below are met
- The PR description includes an overview of the change
- The PR description articulates the motivation for the change
- The change includes tests OR the PR description describes a testing
strategy
- The PR description notes risks associated with the change, if any
- Newly-added code is easy to change
- The change follows the [library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
- The change includes or references documentation updates if necessary
- Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist
- [x] Reviewer has checked that all the criteria below are met 
- Title is accurate
- All changes are related to the pull request's stated goal
- Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- Testing strategy adequately addresses listed risks
- Newly-added code is easy to change
- Release note makes sense to a user of the library
- If necessary, author has acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment
- Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

Author: christophe-papazian

ddtrace/contrib/internal/trace_utils.py

@@ -133,6 +133,23 @@ def _get_request_header_referrer_host(headers, headers_are_case_sensitive=False)
     return ""
 
 
+def _parse_ip_header(ip_header_value: str) -> str:
+    """Parse the ip header, either in Forwarded-For format or Forwarded format.
+
+    references: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Forwarded
+    """
+    IP_EXTRACTIONS = [
+        r"^\s*(?P<ip>[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)$",  # ipv4 simple format
+        r'(?:^|;)\s*for="?(?P<ip>[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)',  # ipv4 forwarded format
+        r"^\s*(?P<ip>[0-9a-fA-F:]+)$",  # ipv6 simple format
+        r'(?:^|;)\s*for="\[(?P<ip>[0-9a-fA-F:]+)\]',  # ipv6 forwarded format
+    ]
+    for pattern in IP_EXTRACTIONS:
+        if m := re.search(pattern, ip_header_value, re.IGNORECASE):
+            return m.group("ip")
+    return ""
+
+
 def _get_request_header_client_ip(headers, peer_ip=None, headers_are_case_sensitive=False):
     # type: (Optional[Mapping[str, str]], Optional[str], bool) -> str
 
@@ -185,12 +202,12 @@ def get_header_value(key):  # type: (str) -> Optional[str]
 
     if ip_header_value:
         # At this point, we have one IP header, check its value and retrieve the first public IP
+
         ip_list = ip_header_value.split(",")
         for ip in ip_list:
-            ip = ip.strip()
+            ip = _parse_ip_header(ip)
             if not ip:
                 continue
-
             try:
                 if ip_is_global(ip):
                     return ip

tests/tracer/test_trace_utils.py

@@ -632,7 +632,7 @@ def test_set_http_meta_case_sensitive_headers_notfound(mock_store_headers, span,
     ("x-real-ip", "2.2.2.2"),
     ("true-client-ip", "3.3.3.3"),
     ("x-client-ip", "4.4.4.4"),
-    ("forwarded", "5.5.5.5"),
+    ("forwarded", 'by=1.2.3.4;for="5.5.5.5:2000";host=test.zouzou.ncom'),
     ("forwarded-for", "6.6.6.6"),
     ("x-cluster-client-ip", "7.7.7.7"),
     ("fastly-client-ip", "8.8.8.8"),
@@ -645,6 +645,9 @@ def test_set_http_meta_case_sensitive_headers_notfound(mock_store_headers, span,
     ["", dict(ALL_IP_HEADERS[-1 : -i - 2 : -1]), ALL_IP_HEADERS[-1 - i][1]] for i in range(len(ALL_IP_HEADERS))
 ]
 
+# expected value for forwarded is extracted from for
+ALL_TESTS[5][2] = "5.5.5.5"
+
 
 @pytest.mark.parametrize(
     "header_env_var,headers_dict,expected",
@@ -687,6 +690,49 @@ def test_set_http_meta_case_sensitive_headers_notfound(mock_store_headers, span,
             {"x-forwarded-for": "4.4.4.4", "x-real-ip": "8.8.4.4"},
             "8.8.4.4",
         ),
+        (
+            "",
+            {"forwarded": 'by=1.2.3.4;for="[9f7b:5e67:5472:4464:90b0:6b0a:9aa6:f9dc]:2000";host=test.zouzou.ncom'},
+            "9f7b:5e67:5472:4464:90b0:6b0a:9aa6:f9dc",
+        ),
+        (
+            "",
+            {"forwarded": 'by=1.2.3.4;for="[9f7b:5e67:5472:4464:90b0:6b0a:9aa6:f9dc]";host=test.zouzou.ncom'},
+            "9f7b:5e67:5472:4464:90b0:6b0a:9aa6:f9dc",
+        ),
+        (
+            "",
+            {"forwarded": 'by=1.2.3.4;for="3.3.3.3:1321";host=test.zouzou.ncom'},
+            "3.3.3.3",
+        ),
+        (
+            "",
+            {"forwarded": 'by=1.2.3.4;For="3.3.3.3";host=test.zouzou.ncom'},
+            "3.3.3.3",
+        ),
+        (
+            "",
+            {"forwarded": "by=1.2.3.4;FOR=3.3.3.3;host=test.zouzou.ncom"},
+            "3.3.3.3",
+        ),
+        (
+            "",
+            {"forwarded": "by=1.2.3.4;FOR=127.0.0.1;host=test.zouzou.ncom, For=4.5.6.7, For=5.6.7.8"},
+            "4.5.6.7",
+        ),
+        (
+            "",
+            {"x-forwarded-for": "127.0.0.1, 3.4.5.6"},
+            "3.4.5.6",
+        ),
+        (
+            "",
+            {
+                "forwarded": "by=1.2.3.4;FOR=127.0.0.3;host=test.zouzou.ncom,"
+                " by=1.2.3.4;FOR=127.0.0.4, by=1.2.3.4;FOR=127.0.0.5"
+            },
+            "127.0.0.3",
+        ),
     ]
     + ALL_TESTS,
 )