Environment

  • spring-boot: 3.1.2
  • micrometer-tracing: 1.1.13
  • brave: 5.15.1

Issue Summary

  • Local baggage is propagated to the remote server
  • This problem occurs when using W3C propagation (it does not occur when using B3 propagation)
  • I think it's a bad problem because confidential information can be propagated outside

Issue Detail

First, the reproduction code is in a gist: https://gist.github.com/be-hase/044ee50d7dccce931ce4722660e56f3c

Set up local baggage as follows.

@Bean
public BaggagePropagationCustomizer baggagePropagationCustomizer() {
    return builder -> {
        builder.add(
                BaggagePropagationConfig.SingleBaggageField.local(BaggageField.create("test-baggage"))
        );
    };
}

Run the program and check the log. The contents of the baggage header contain local baggage.

user-agent: ReactorNetty/1.1.9
...
baggage: test-baggage=value <-- HERE

Why

It appears to be sent by this code. https://github.com/micrometer-metrics/tracing/blob/1.1.x/micrometer-tracing-bridges/micrometer-tracing-bridge-brave/src/main/java/io/micrometer/tracing/brave/bridge/W3CPropagation.java#L341-L364

There is an implementation that does not send local baggage, but this is not working. https://github.com/micrometer-metrics/tracing/blob/1.1.x/micrometer-tracing-bridges/micrometer-tracing-bridge-brave/src/main/java/io/micrometer/tracing/brave/bridge/W3CPropagation.java#L347-L348

It is designed to specify local baggage from the constructor. https://github.com/openzipkin/brave/blob/9f4f166f97a3645e7514c0db920eb02bb3666e7d/brave/src/main/java/brave/baggage/BaggagePropagation.java#L194

However, Spring Boot always specifies empty here. https://github.com/spring-projects/spring-boot/blob/6c56379c2549fba8eb6304bbd39733fe96a8044c/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/tracing/CompositePropagationFactory.java#L142-L145

Thanks.

Ref

I first reported it to the micrometer-tracing side, but was advised that it was a problem on the Spring Boot side. https://github.com/micrometer-metrics/tracing/issues/337
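
Added example (not part of the original report, and not Spring Boot, Micrometer or Brave code): a stand-alone Java helper that checks a captured outbound `baggage` header value for field names configured as local, and shows the header with those members removed. The class and method names are hypothetical, the sample header values are constructed (the first matches the log line in the report), and comparing keys case-insensitively is an assumption made to keep the check conservative.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Added example: audits a W3C "baggage" header value against local-only field names.
public class BaggageHeaderAudit {

    // Key of one list-member: the text before the first '=', lower-cased (assumption: case-insensitive match).
    static String keyOf(String member) {
        int end = member.indexOf('=');
        if (end < 0) end = member.length();
        return member.substring(0, end).trim().toLowerCase(Locale.ROOT);
    }

    // Local-only field names (given in lower case) that appear as keys in the header value.
    static List<String> leakedFields(String headerValue, Set<String> localFields) {
        List<String> leaked = new ArrayList<>();
        if (headerValue == null) return leaked;
        for (String member : headerValue.split(",")) {
            String key = keyOf(member);
            if (localFields.contains(key)) leaked.add(key);
        }
        return leaked;
    }

    // Header value with local-only members dropped; null when nothing is left to send.
    static String scrub(String headerValue, Set<String> localFields) {
        if (headerValue == null) return null;
        List<String> kept = new ArrayList<>();
        for (String member : headerValue.split(",")) {
            if (member.isBlank()) continue;
            if (!localFields.contains(keyOf(member))) kept.add(member.trim());
        }
        return kept.isEmpty() ? null : String.join(",", kept);
    }

    public static void main(String[] args) {
        Set<String> local = Set.of("test-baggage"); // field name from the report
        // Constructed header values; "tenant" is a made-up remote field.
        String[] samples = { "test-baggage=value", "tenant=a1, test-baggage=value;ttl=5", "tenant=a1" };
        for (String s : samples) {
            System.out.println(s + " -> leaked=" + leakedFields(s, local) + ", scrubbed=" + scrub(s, local));
        }
    }
}
```

A check like `leakedFields` can sit in an integration test that captures outbound request headers, so a regression of this behaviour fails the build.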

Comment From: mhalbritter

Thanks for the report!

Comment From: mhalbritter

Hm, so to fix this bug, we have to introduce new properties for the local fields. Apparently there's no way to retrieve them from Brave so that we could pass them into the W3CPropagation.

Comment From: mhalbritter

I found a way to do it without new properties.

Comment From: be-hase

Thanks for the quick fix. :)