Local baggage is propagated when using Brave and W3C #37109
Description
Environment
- spring-boot: 3.1.2
- micrometer-tracing: 1.1.13
- brave: 5.15.1
Issue Summary
- local baggage is propagating to remote server
- This problem occurs when using W3C propagation (This problem does not occur when using B3 propagation)
- I think it's a bad problem because confidential information can be propagated outside
Issue Detail
First, the reproduced code is written in gist.
https://gist.github.com/be-hase/044ee50d7dccce931ce4722660e56f3c
Set up a local baggage as follows.
@Bean
public BaggagePropagationCustomizer baggagePropagationCustomizer() {
return builder -> {
builder.add(
BaggagePropagationConfig.SingleBaggageField.local(BaggageField.create("test-baggage"))
);
};
}Run the program and check the log. The contents of the baggage header contain local baggage.
user-agent: ReactorNetty/1.1.9
...
baggage: test-baggage=value <-- HERE
Why
It appears to be sent by this code.
https://github.com/micrometer-metrics/tracing/blob/1.1.x/micrometer-tracing-bridges/micrometer-tracing-bridge-brave/src/main/java/io/micrometer/tracing/brave/bridge/W3CPropagation.java#L341-L364
There is an implementation that does not send local baggage, but this is not working.
https://github.com/micrometer-metrics/tracing/blob/1.1.x/micrometer-tracing-bridges/micrometer-tracing-bridge-brave/src/main/java/io/micrometer/tracing/brave/bridge/W3CPropagation.java#L347-L348
It is designed to specify local baggage from the constructor.
https://github.com/openzipkin/brave/blob/9f4f166f97a3645e7514c0db920eb02bb3666e7d/brave/src/main/java/brave/baggage/BaggagePropagation.java#L194
However, spring boot always specifies empty here.
thanks.
Ref
I first reported it to the micrometer-tracing side, but was advised that it was a problem on the spring boot side.
micrometer-metrics/tracing#337