Use quoted-string escaping instead of URL-encoding

Author: onurtemizkan

packages/remix/src/client/serverTimingTracePropagation.ts

@@ -61,12 +61,8 @@ function parseServerTimingTrace(serverTiming: readonly PerformanceServerTiming[]
     if (entry.name === 'sentry-trace') {
       sentryTrace = entry.description;
     } else if (entry.name === 'baggage') {
-      try {
-        // Baggage is URL-encoded in Server-Timing header
-        baggage = decodeURIComponent(entry.description);
-      } catch {
-        baggage = entry.description;
-      }
+      // Baggage is escaped for quoted-string context (backslash-escaped quotes and backslashes)
+      baggage = entry.description.replace(/\\"/g, '"').replace(/\\\\/g, '\\');
     }
   }
 

packages/remix/src/server/serverTimingTracePropagation.ts

@@ -88,8 +88,10 @@ export function generateSentryServerTimingHeader(options: ServerTimingTraceOptio
   metrics.push(`sentry-trace;desc="${sentryTrace}"`);
 
   if (opts.includeBaggage && baggage) {
-    // URL-encode baggage to handle special characters
-    metrics.push(`baggage;desc="${encodeURIComponent(baggage)}"`);
+    // Escape special characters for use inside a quoted-string (RFC 7230)
+    // We escape backslashes and double quotes to prevent injection
+    const escapedBaggage = baggage.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
+    metrics.push(`baggage;desc="${escapedBaggage}"`);
   }
 
   return metrics.join(', ');

packages/remix/test/client/serverTimingTracePropagation.test.ts

@@ -137,7 +137,8 @@ describe('serverTimingTracePropagation', () => {
           responseStart: 100,
           serverTiming: [
             { name: 'sentry-trace', description: sentryTrace },
-            { name: 'baggage', description: encodeURIComponent(baggage) },
+            // Baggage is escaped for quoted-string context (not URL-encoded)
+            { name: 'baggage', description: baggage },
           ],
         },
       ]);
@@ -232,18 +233,20 @@ describe('serverTimingTracePropagation', () => {
       expect(result).toBeNull();
     });
 
-    it('decodes URL-encoded baggage', () => {
+    it('unescapes backslash-escaped baggage', () => {
       const traceId = '12345678901234567890123456789012';
       const spanId = '1234567890123456';
       const sentryTrace = `${traceId}-${spanId}-1`;
       const baggage = 'sentry-environment=production,sentry-release=1.0.0';
+      // Simulate escaped baggage (backslash-escaped quotes and backslashes)
+      const escapedBaggage = baggage.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
 
       mockPerformance.getEntriesByType = vi.fn().mockReturnValue([
         {
           responseStart: 100,
           serverTiming: [
             { name: 'sentry-trace', description: sentryTrace },
-            { name: 'baggage', description: encodeURIComponent(baggage) },
+            { name: 'baggage', description: escapedBaggage },
           ],
         },
       ]);
@@ -253,25 +256,27 @@ describe('serverTimingTracePropagation', () => {
       expect(result?.baggage).toBe(baggage);
     });
 
-    it('handles malformed URL-encoded baggage gracefully', () => {
+    it('handles baggage with special characters', () => {
       const traceId = '12345678901234567890123456789012';
       const spanId = '1234567890123456';
       const sentryTrace = `${traceId}-${spanId}-1`;
-      const malformedBaggage = '%E0%A4%A';
+      // Baggage with escaped quotes (simulating what server sends)
+      const escapedBaggage = 'key=value\\"with\\"quotes';
 
       mockPerformance.getEntriesByType = vi.fn().mockReturnValue([
         {
           responseStart: 100,
           serverTiming: [
             { name: 'sentry-trace', description: sentryTrace },
-            { name: 'baggage', description: malformedBaggage },
+            { name: 'baggage', description: escapedBaggage },
           ],
         },
       ]);
 
       const result = getNavigationTraceContext();
 
-      expect(result?.baggage).toBe(malformedBaggage);
+      // Should unescape the backslash-escaped quotes
+      expect(result?.baggage).toBe('key=value"with"quotes');
     });
   });
 

packages/remix/test/server/serverTimingTracePropagation.test.ts

@@ -101,7 +101,8 @@ describe('serverTimingTracePropagation', () => {
 
       expect(result).toContain('sentry-trace;desc="12345678901234567890123456789012-1234567890123456-1"');
       expect(result).toContain('baggage;desc=');
-      expect(result).toContain(encodeURIComponent('sentry-environment=production,sentry-release=1.0.0'));
+      // Baggage is escaped for quoted-string context (not URL-encoded)
+      expect(result).toContain('sentry-environment=production,sentry-release=1.0.0');
     });
 
     it('generates header without baggage when includeBaggage is false', () => {
@@ -138,7 +139,8 @@ describe('serverTimingTracePropagation', () => {
       const result = generateSentryServerTimingHeader();
 
       expect(result).toContain('sentry-trace;desc="fallback-trace-id-1234567890123456-0"');
-      expect(result).toContain(encodeURIComponent('sentry-fallback=true'));
+      // Baggage is escaped for quoted-string context (not URL-encoded)
+      expect(result).toContain('sentry-fallback=true');
     });
 
     it('works in Cloudflare environment', () => {