fix(opentelemetry_cowboy): prevent telemetry handler crash on invalid HTTP/2 scheme

Cowboy does not validate the :scheme pseudo-header per RFC 9113, which
states that scheme "is not restricted to http and https" and can be used
for non-HTTP schemes via proxies/gateways. This means Cowboy passes through
any value from the HTTP/2 HEADERS frame without validation.

When a malformed or unexpected scheme value reaches extract_scheme/2,
the case clause crashes because it only handles <<"http">> and
<<"https">>. This crash causes Erlang's telemetry library to permanently
detach the handler for the affected node, resulting in all subsequent
requests losing OpenTelemetry tracing until the node is restarted.

In production, this manifests as "almost all" requests suddenly missing trace IDs, with the root cause being a single malformed HTTP/2 request that crashed the telemetry handler.

The fix introduces a configurable valid_schemes option that maps scheme
binaries to atoms. Unknown schemes now return undefined instead of
crashing, which is consistent with how otel_http:extract_scheme/2 already
handles unknown schemes from headers.

The default configuration preserves backwards compatibility by only
accepting http and https. Users who need to support additional schemes
(e.g., ws, wss) can extend the map via configuration.

Fixes: #567
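
The failure mode described above, as an added example that is not code from opentelemetry_cowboy, telemetry, or this pull request. The module `scheme_demo`, the functions `strict_scheme/1`, `lenient_scheme/2`, `dispatch/2` and `replay/2`, and the request maps are hypothetical; `dispatch/2` is a simplified stand-in for telemetry dropping a handler that raises.

```erlang
-module(scheme_demo).
-export([run/0]).

%% Before (hypothetical reconstruction): only two clauses, so any other
%% binary in :scheme raises a case_clause error inside the handler.
strict_scheme(Req) ->
    case maps:get(scheme, Req) of
        <<"http">> -> http;
        <<"https">> -> https
    end.

%% After (hypothetical): look the binary up in a configurable map of
%% scheme binaries to atoms; unknown schemes become undefined.
lenient_scheme(Req, ValidSchemes) ->
    maps:get(maps:get(scheme, Req), ValidSchemes, undefined).

%% Simplified stand-in for telemetry dispatch: a handler that raises is
%% detached and is never called again for later events.
dispatch(_Req, detached) ->
    {detached, untraced};
dispatch(Req, {attached, Handler}) ->
    try Handler(Req) of
        Scheme -> {{attached, Handler}, {traced, Scheme}}
    catch
        _:_ -> {detached, untraced}
    end.

%% Feed the requests through one handler in order, carrying the
%% attached/detached state from one request to the next.
replay(Handler, Reqs) ->
    {_, Results} = lists:foldl(
        fun(Req, {State, Acc}) ->
            {Next, Result} = dispatch(Req, State),
            {Next, [Result | Acc]}
        end, {{attached, Handler}, []}, Reqs),
    lists:reverse(Results).

run() ->
    %% Constructed requests: the second carries an unexpected :scheme.
    Reqs = [#{scheme => <<"https">>},
            #{scheme => <<"gopher">>},
            #{scheme => <<"https">>}],
    %% Assumed default map: only http and https are accepted.
    Valid = #{<<"http">> => http, <<"https">> => https},
    Before = replay(fun strict_scheme/1, Reqs),
    After = replay(fun(R) -> lenient_scheme(R, Valid) end, Reqs),
    {Before, After}.
```

Calling `scheme_demo:run()` returns both result lists: with the strict handler every request after the malformed one is untraced, while the map-based handler stays attached and reports `undefined` for the unknown scheme.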
The committers listed above are authorized under a signed CLA.
- :white_check_mark: login: velimir / name: Grigory Starinkin (71cca4b6cdefc16108ca2029046c1dd3c9993cf7, 9865d0618c5f33b1c02a01f9875ab259b6e99d6f)
Why was this closed?
GitHub automation in a private fork :/ it should've not been closed