http.client_ip contains multiple addresses from X-Forwarded-For #2282

Closed
garthk opened this issue Oct 11, 2021 · 1 comment · Fixed by #2284

garthk commented Oct 11, 2021

Description

Spec check: should http.client_ip contain multiple addresses?

Environment

  • OS: Any
  • Architecture: Any
  • Go Version: 1.15
  • opentelemetry-go version: 1.0.1

Steps To Reproduce

  1. Fire up any “hello, world” implementation on port 8090
  2. Give it a client and proxy address, e.g. curl -H 'X-Forwarded-For: 203.0.113.195, 70.41.3.18, 150.172.238.178' :8090
  3. Observe http.client_ip trace span attribute value contains multiple addresses: "203.0.113.195, 70.41.3.18, 150.172.238.178"

The code might look like it's choosing the first value, but it's instead pulling the first matching header:

    if values, ok := request.Header["X-Forwarded-For"]; ok && len(values) > 0 {
        attrs = append(attrs, HTTPClientIPKey.String(values[0]))
    }

HTTPServerAttributesFromHTTPRequest returns all values from the first occurrence of the header:

Expected behavior

I expect http.client_ip to return only the first entry from the X-Forwarded-For header.

The HTTP Server Semantic Conventions describe http.client_ip as containing:

The IP address of the original client behind all proxies, if known (e.g. from X-Forwarded-For).

That sounds singular to me, as does the linked MDN document:

X-Forwarded-For: <client>, <proxy1>, <proxy2>

Strikes me we SHOULD take the left-most address only. What do you reckon?


MrAlias commented Oct 11, 2021

> Strikes me we SHOULD take the left-most address only. What do you reckon?

Agreed 👍

garthk added a commit to garthk/opentelemetry-go that referenced this issue Oct 12, 2021
MrAlias added a commit that referenced this issue Oct 18, 2021
* Fix: http.client_ip vs multiple addresses #2282

* Split only the necessary number of values.

As suggested by @pellared. Good suggestion, that.

Co-authored-by: Robert Pająk <pellared@hotmail.com>

Co-authored-by: Robert Pająk <pellared@hotmail.com>
Co-authored-by: Tyler Yahn <MrAlias@users.noreply.github.com>
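
The behaviour reported in this issue, next to the left-most-only extraction the thread agreed on, as an added Go example that is not the project's code. The function names, the IP validation step and the sample headers are assumptions made for illustration. The left-most entry is whatever the client or first hop sent, so it suits a telemetry attribute and not an access decision.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// firstHeaderLine (hypothetical name) reproduces the reported behaviour:
// values[0] is the first X-Forwarded-For header line, not the first address,
// so a comma-separated list comes back whole.
func firstHeaderLine(h http.Header) string {
	if values, ok := h["X-Forwarded-For"]; ok && len(values) > 0 {
		return values[0]
	}
	return ""
}

// clientIP (hypothetical name) keeps only the left-most entry of the first
// header line. SplitN with n=2 stops at the first comma, so the rest of the
// list is never split. The ParseIP check is an addition made here, not
// something the issue asks for: it rejects entries that are not a literal
// IPv4 or IPv6 address, so free text never reaches the span attribute.
func clientIP(h http.Header) (string, bool) {
	values := h["X-Forwarded-For"]
	if len(values) == 0 {
		return "", false
	}
	first := strings.TrimSpace(strings.SplitN(values[0], ",", 2)[0])
	if net.ParseIP(first) == nil {
		return "", false
	}
	return first, true
}

func main() {
	// Constructed sample: the header from the reproduction steps, plus a
	// second header line such as a later proxy might append.
	h := http.Header{}
	h.Add("X-Forwarded-For", "203.0.113.195, 70.41.3.18, 150.172.238.178")
	h.Add("X-Forwarded-For", "198.51.100.7")

	fmt.Printf("first header line: %q\n", firstHeaderLine(h))
	ip, ok := clientIP(h)
	fmt.Printf("left-most address: %q (valid=%v)\n", ip, ok)
}
```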