From 336d5b642ed6c2f9772a1b04f25d8272047207af Mon Sep 17 00:00:00 2001
From: Damien Mathieu <42@dmathieu.com>
Date: Fri, 29 Mar 2024 07:26:37 +0100
Subject: [PATCH] Test spanRowFormatter, and mark the gosec issue as a
 false-positive (#5327)

---
 zpages/templates.go      | 16 +++++++++--
 zpages/templates_test.go | 59 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 72 insertions(+), 3 deletions(-)
 create mode 100644 zpages/templates_test.go

diff --git a/zpages/templates.go b/zpages/templates.go
index ca23135adfd..cc9b1dec0e1 100644
--- a/zpages/templates.go
+++ b/zpages/templates.go
@@ -60,7 +60,6 @@ func parseTemplate(name string) *template.Template {
 	return template.Must(template.New(name).Funcs(templateFunctions).Parse(string(text)))
 }
 
-//nolint:gosec // G203: The used method does not auto-escape HTML. Tracked under https://github.com/open-telemetry/opentelemetry-go-contrib/issues/4451.
 func spanRowFormatter(r spanRow) template.HTML {
 	if !r.SpanContext.IsValid() {
 		return ""
@@ -69,10 +68,21 @@ func spanRowFormatter(r spanRow) template.HTML {
 	if r.SpanContext.IsSampled() {
 		col = "blue"
 	}
+
+	tpl := fmt.Sprintf(
+		`trace_id: <b style="color:%s">%s</b> span_id: %s`,
+		col,
+		r.SpanContext.TraceID(),
+		r.SpanContext.SpanID(),
+	)
 	if r.ParentSpanContext.IsValid() {
-		return template.HTML(fmt.Sprintf(`trace_id: <b style="color:%s">%s</b> span_id: %s parent_span_id: %s`, col, r.SpanContext.TraceID(), r.SpanContext.SpanID(), r.ParentSpanContext.SpanID()))
+		tpl += fmt.Sprintf(` parent_span_id: %s`, r.ParentSpanContext.SpanID())
 	}
-	return template.HTML(fmt.Sprintf(`trace_id: <b style="color:%s">%s</b> span_id: %s`, col, r.SpanContext.TraceID(), r.SpanContext.SpanID()))
+
+	//nolint:gosec // G203: None of the dynamic attributes (TraceID/SpanID) can
+	// contain characters that need escaping so this lint issue is a false
+	// positive.
+	return template.HTML(tpl)
 }
 
 func even(x int) bool {
diff --git a/zpages/templates_test.go b/zpages/templates_test.go
new file mode 100644
index 00000000000..57ac659c21a
--- /dev/null
+++ b/zpages/templates_test.go
@@ -0,0 +1,59 @@
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package zpages
+
+import (
+	"html/template"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"go.opentelemetry.io/otel/trace"
+)
+
+func TestSpanRowFormatter(t *testing.T) {
+	for _, tt := range []struct {
+		name string
+		row  spanRow
+
+		expectedTemplate template.HTML
+	}{
+		{
+			name: "with an invalid span context",
+			row: spanRow{
+				SpanContext: trace.NewSpanContext(trace.SpanContextConfig{}),
+			},
+			expectedTemplate: "",
+		},
+		{
+			name: "with a valid span context",
+			row: spanRow{
+				SpanContext: trace.NewSpanContext(trace.SpanContextConfig{
+					TraceID: trace.TraceID{2, 3, 4, 5, 6, 7, 8, 9, 2, 3, 4, 5, 6, 7, 8, 9},
+					SpanID:  trace.SpanID{1, 2, 3, 4, 5, 6, 7, 8},
+				}),
+			},
+			expectedTemplate: "trace_id: <b style=\"color:black\">02030405060708090203040506070809</b> span_id: 0102030405060708",
+		},
+		{
+			name: "with a valid parent span context",
+			row: spanRow{
+				SpanContext: trace.NewSpanContext(trace.SpanContextConfig{
+					TraceID: trace.TraceID{2, 3, 4, 5, 6, 7, 8, 9, 2, 3, 4, 5, 6, 7, 8, 9},
+					SpanID:  trace.SpanID{1, 2, 3, 4, 5, 6, 7, 8},
+				}),
+				ParentSpanContext: trace.NewSpanContext(trace.SpanContextConfig{
+					TraceID: trace.TraceID{10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25},
+					SpanID:  trace.SpanID{10, 11, 12, 13, 14, 15, 16, 18},
+				}),
+			},
+			expectedTemplate: "trace_id: <b style=\"color:black\">02030405060708090203040506070809</b> span_id: 0102030405060708 parent_span_id: 0a0b0c0d0e0f1012",
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			r := spanRowFormatter(tt.row)
+			assert.Equal(t, tt.expectedTemplate, r)
+		})
+	}
+}