Validate trace-id contains valid characters (#2747)

Author: alextwoods

gems/aws-sdk-core/CHANGELOG.md

@@ -1,6 +1,8 @@
 Unreleased Changes
 ------------------
 
+* Issue - Validate that `_X_AMZN_TRACE_ID` ENV value contains only valid, non-control characters.
+
 3.133.0 (2022-08-22)
 ------------------
 

gems/aws-sdk-core/lib/aws-sdk-core/plugins/recursion_detection.rb

@@ -11,12 +11,21 @@ def call(context)
 
           unless context.http_request.headers.key?('x-amzn-trace-id')
             if ENV['AWS_LAMBDA_FUNCTION_NAME'] &&
-              (trace_id = ENV['_X_AMZN_TRACE_ID'])
+              (trace_id = validate_header(ENV['_X_AMZN_TRACE_ID']))
               context.http_request.headers['x-amzn-trace-id'] = trace_id
             end
           end
           @handler.call(context)
         end
+
+        private
+        def validate_header(header_value)
+          if (header_value.chars & (0..31).map(&:chr)).any?
+            raise ArgumentError, 'Invalid _X_AMZN_TRACE_ID value: '\
+              'contains ASCII control characters'
+          end
+          header_value
+        end
       end
 
       # should be at the end of build so that

gems/aws-sdk-core/spec/aws/plugins/recursion_detection_spec.rb

@@ -87,6 +87,16 @@ module Plugins
           resp = client.operation_with_trace_id(trace_id: user_trace_id)
           expect(resp.context.http_request.headers['x-amzn-trace-id']).to eq(user_trace_id)
         end
+
+        context 'X_AMX_TRACE_ID with invalid characters' do
+          let(:env_trace_id) { "invalid header" + 31.chr }
+
+          it 'validates the trace-id and raises an error' do
+            expect do
+              client.operation_with_trace_id
+            end.to raise_error(ArgumentError)
+          end
+        end
       end
     end
   end