Local baggage is unintentionally propagated to remote (Brave)

[be-hase]

I'm not sure if it's a bug or a spec, but let me just report it.

Environment

• spring-boot: 3.1.2
• micrometer-tracing: 1.1.13
• brave: 5.15.1

Issue Summary

• local baggage is propagating to remote server
• This problem occurs when using W3C propagation (This problem does not occur when using B3 propagation)
• I think it's a bad problem because confidential information can be propagated outside

Issue Detail

First, the reproduced code is written in gist. ( I wrote it in spring boot. Sorry.)
https://gist.github.com/be-hase/044ee50d7dccce931ce4722660e56f3c

Set up a local baggage as follows.

@Bean
public BaggagePropagationCustomizer baggagePropagationCustomizer() {
    return builder -> {
        builder.add(
                BaggagePropagationConfig.SingleBaggageField.local(BaggageField.create("test-baggage"))
        );
    };
}

Run the program and check the log. The contents of the baggage header contain local baggage.

user-agent: ReactorNetty/1.1.9
...
baggage: test-baggage=value <-- HERE

Why

It appears to be sent by this code.
https://github.com/micrometer-metrics/tracing/blob/1.1.x/micrometer-tracing-bridges/micrometer-tracing-bridge-brave/src/main/java/io/micrometer/tracing/brave/bridge/W3CPropagation.java#L341-L364

There is an implementation that does not send local baggage, but this is not working.
https://github.com/micrometer-metrics/tracing/blob/1.1.x/micrometer-tracing-bridges/micrometer-tracing-bridge-brave/src/main/java/io/micrometer/tracing/brave/bridge/W3CPropagation.java#L347-L348

It is designed to specify local baggage from the constructor. But this should be generated automatically like brave.
https://github.com/openzipkin/brave/blob/9f4f166f97a3645e7514c0db920eb02bb3666e7d/brave/src/main/java/brave/baggage/BaggagePropagation.java#L194

However, perhaps this is a spring boot issue. spring boot always specifies empty here.
https://github.com/spring-projects/spring-boot/blob/6c56379c2549fba8eb6304bbd39733fe96a8044c/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/tracing/CompositePropagationFactory.java#L142-L145

thanks.

[marcingrzejszczak]

Hey, thanks for the analysis.

However, perhaps this is a spring boot issue. spring boot always specifies empty here.
https://github.com/spring-projects/spring-boot/blob/6c56379c2549fba8eb6304bbd39733fe96a8044c/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/tracing/CompositePropagationFactory.java#L142-L145

I think this is exactly the reason why the baggage gets propagated even though it is local. From the point of view of BaggageFields we don't know that they are local. The only way to back off is by passing the list of local keys via the constructor - that isn't done by Boot.

You can file an issue in Boot and until then you would have to override the existing defaults with some manual bean setting - look at this snippet and other the baggage related ones in the whole class https://github.com/spring-projects/spring-boot/blob/main/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/tracing/BraveAutoConfiguration.java#L187-L191

[be-hase]

Thank you. :)
I will submit the issue on the spring boot side.

[be-hase]

This problem has been fixed on the spring boot side.
ref: spring-projects/spring-boot#37109