Summary
When the dd-trace-cpp library fails to extract trace context due to malformed unicode, the library attempts to log the list of audited headers and their values using the nlohmann JSON library. This attempted logging may throw an uncaught exception.
Details
The code that introduced this logging was added in pull request #72 and has been present in versions v0.1.12, v0.2.0, and v0.2.1.
For each key and value in the list of audited headers, a nlohmann::json instance is created as follows:
stream << nlohmann::json(it->first + ": " + it->second);
Here, it->first is the header name and it->second is the value. This code is problematic for several reasons:
- An exception can be thrown by the JSON library while parsing the input.
- An exception can be thrown by the implicit call to
dump().
Impact
This impacts any downstream applications that rely on dd-trace-cpp for tracing.
Patches
This vulnerability has been patched in dd-trace-cpp version v0.2.2 (#132)
Workarounds
- Filter out header values that are not valid UTF-8 strings
dmehala Remediation developer
Summary
When the
dd-trace-cpplibrary fails to extract trace context due to malformed unicode, the library attempts to log the list of audited headers and their values using thenlohmannJSON library. This attempted logging may throw an uncaught exception.Details
The code that introduced this logging was added in pull request #72 and has been present in versions v0.1.12, v0.2.0, and v0.2.1.
For each key and value in the list of audited headers, a nlohmann::json instance is created as follows:
Here,
it->firstis the header name andit->secondis the value. This code is problematic for several reasons:dump().Impact
This impacts any downstream applications that rely on
dd-trace-cppfor tracing.Patches
This vulnerability has been patched in
dd-trace-cppversion v0.2.2 (#132)Workarounds