fix: traceids not random when using webcrypto #825

Merged
merged 2 commits into from
Nov 29, 2023


@paddyo paddyo commented Nov 29, 2023

Fix non-random hexadecimal generation when using the webcrypto API, which in turn creates non-random traceIds that always end in 00.

Overview

A bug in the generation of random hexadecimal values when using webcrypto means the traceIds used for the distributed tracing spans are not fully random, and all traceIds will end in 00. The W3C spec says this value should be random, and this can cause issues for organizations who are enforcing browser span sampling by using drop rules versus the last characters of the spans.

The cause is a double out of bounds, once when iterating over an array using `++var` instead of `var++` and second when the size of the hex value is 32 characters, due to the `Uint8Array` used for the webcrypto random number generation length being hardcoded to 31.

Related Issue(s)

Issue: #826

Testing

Due to the use of random number generation, this requires a slightly different setup. This gist shows the code and results I used to diagnose and test the patch.

https://gist.github.com/paddyo/c861c640a2328aaf0d09d30c103bb3dd

This was tested on node 21.2.0 which allowed easy use of module hooks.

@paddyo paddyo marked this pull request as ready for review November 29, 2023 12:58
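
The two out-of-bounds reads described in the PR text, reconstructed as an added example (not the agent's source and not the merged diff). The names `buggyHex`, `fixedHex`, `suffixRate` and `allOnes` are hypothetical, and the fix shown is one correction consistent with the description.

```javascript
// Added illustration reconstructed from the PR description; not the agent's source.
const webcryptoFill = (buf) => globalThis.crypto.getRandomValues(buf)

// One hex digit from the low nibble of table[i].
// Past the end of the table, table[i] is undefined and (undefined & 15) === 0.
const nibble = (table, i) => (table[i] & 15).toString(16)

// Behaviour described as the bug: 31-byte table, index pre-incremented.
function buggyHex (length, fill = webcryptoFill) {
  const table = fill(new Uint8Array(31))
  let idx = 0
  let out = ''
  for (let i = 0; i < length; i++) out += nibble(table, ++idx) // reads 1..length
  return out
}

// One correction consistent with the description (assumed, not the merged diff).
function fixedHex (length, fill = webcryptoFill) {
  const table = fill(new Uint8Array(length))
  let idx = 0
  let out = ''
  for (let i = 0; i < length; i++) out += nibble(table, idx++) // reads 0..length-1
  return out
}

// Fraction of generated ids that end in `suffix`.
function suffixRate (gen, suffix, samples = 1000) {
  let hits = 0
  for (let i = 0; i < samples; i++) if (gen().endsWith(suffix)) hits++
  return hits / samples
}

// Constructed stand-in for the random source: every byte 0xff, so every
// digit that really comes from the table prints as "f".
const allOnes = (buf) => buf.fill(0xff)

console.log(buggyHex(32, allOnes))
console.log(fixedHex(32, allOnes))
console.log(buggyHex(16, allOnes))
if (globalThis.crypto?.getRandomValues) {
  console.log(suffixRate(() => buggyHex(32), '00'))
  console.log(suffixRate(() => fixedHex(32), '00'))
}
```

With the constant filler, the last two digits of the 32-character id are the only ones that do not come from the table, while the 16-character id never reaches the end of the 31-byte table.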

codecov bot commented Nov 29, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (c3b0235) 78.29% compared to head (59071e4) 78.29%.

❗ Current head 59071e4 differs from pull request most recent head 1a97ffb. Consider uploading reports for the commit 1a97ffb to get more accurate results

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #825   +/-   ##
=======================================
  Coverage   78.29%   78.29%           
=======================================
  Files         142      142           
  Lines        6354     6354           
  Branches     1228     1228           
=======================================
  Hits         4975     4975           
  Misses       1172     1172           
  Partials      207      207           
Flag Coverage Δ
unit-tests 55.10% <100.00%> (ø)


@patrickhousley

Size check report:

Build Size Stats: dev...local                                          
┌────────────────┬─────────────┬─────────────────────────────┬─────────────────────────────┬───────────────────┐
│ Agent          │ Asset       │        Previous Size        │          New Size           │       Diff        │
├────────────────┼─────────────┼─────────────────────────────┼─────────────────────────────┼───────────────────┤
│ lite           │ loader      │ 31.05 kB / 10.55 kB (gzip)  │ 31.05 kB / 10.55 kB (gzip)  │ 0% / 0.01% (gzip) │
│ lite           │ async-chunk │ 45.58 kB / 15.05 kB (gzip)  │ 45.58 kB / 15.05 kB (gzip)  │  0% / 0% (gzip)   │
│                │             │                             │                             │                   │
│ pro            │ loader      │ 48.46 kB / 15.96 kB (gzip)  │ 48.45 kB / 15.96 kB (gzip)  │ 0% / 0.01% (gzip) │
│ pro            │ async-chunk │ 74.48 kB / 23.68 kB (gzip)  │ 74.48 kB / 23.68 kB (gzip)  │  0% / 0% (gzip)   │
│                │             │                             │                             │                   │
│ spa            │ loader      │ 54.91 kB / 17.94 kB (gzip)  │ 54.91 kB / 17.94 kB (gzip)  │ 0% / 0.01% (gzip) │
│ spa            │ async-chunk │ 89.25 kB / 28.13 kB (gzip)  │ 89.25 kB / 28.13 kB (gzip)  │  0% / 0% (gzip)   │
│                │             │                             │                             │                   │
│ lite-polyfills │ loader      │ 122.57 kB / 39.55 kB (gzip) │ 122.57 kB / 39.55 kB (gzip) │ 0% / 0.01% (gzip) │
│ lite-polyfills │ async-chunk │ 57.97 kB / 17.26 kB (gzip)  │ 57.97 kB / 17.26 kB (gzip)  │  0% / 0% (gzip)   │
│                │             │                             │                             │                   │
│ pro-polyfills  │ loader      │ 142.09 kB / 45.42 kB (gzip) │ 142.09 kB / 45.43 kB (gzip) │  0% / 0% (gzip)   │
│ pro-polyfills  │ async-chunk │ 101.74 kB / 27.33 kB (gzip) │ 101.74 kB / 27.33 kB (gzip) │  0% / 0% (gzip)   │
│                │             │                             │                             │                   │
│ spa-polyfills  │ loader      │ 150.11 kB / 47.55 kB (gzip) │ 150.11 kB / 47.55 kB (gzip) │  0% / 0% (gzip)   │
│ spa-polyfills  │ async-chunk │ 117.31 kB / 31.92 kB (gzip) │ 117.31 kB / 31.92 kB (gzip) │  0% / 0% (gzip)   │
└────────────────┴─────────────┴─────────────────────────────┴─────────────────────────────┴───────────────────┘

@CLAassistant

CLAassistant commented Nov 29, 2023

CLA assistant check
All committers have signed the CLA.

@patrickhousley patrickhousley merged commit e264acf into newrelic:main Nov 29, 2023
12 of 14 checks passed