Describe your environment
OS: Debian bookworm, container (python:3.13-slim-bookworm)
Python version: 3.13
Package version: 0.60
What happened?
An automated security test suite was hitting a Django app instrumented with opentelemetry-instrumentation-django, and when it sent an invalid request the wsgi instrumentor fails with a ValueError from util.http._parse_url_query. This has only ever occurred for me with this kind of tester, and I've never seen it with a legitimate request.
Steps to Reproduce
Given any web app instrumented with the wsgi handler, send this request:
GET http://example.com/\$%7B#context['xwork.MethodAccessor.denyMethodExecution']=!(#_memberAccess['allowStaticMethodAccess']=true),(@java.lang.Runtime@getRuntime()).exec('id').waitFor()}.action"
Expected Result
The middleware does not error.
Actual Result
ValueError raised. Traceback:
Traceback (most recent call last):
File "django/core/handlers/exception.py", line 55, in inner
response = get_response(request)
File "/home/app/env/lib/python3.13/site-packages/opentelemetry/instrumentation/django/middleware/otel_middleware.py", line 91, in __call__
self.process_request(request)
File "/home/app/env/lib/python3.13/site-packages/opentelemetry/instrumentation/django/middleware/otel_middleware.py", line 217, in process_request
attributes = collect_request_attributes(
File "/home/app/env/lib/python3.13/site-packages/opentelemetry/instrumentation/wsgi/__init__.py", line 374, in collect_request_attributes
path, query = _parse_url_query(target)
File "/home/app/env/lib/python3.13/site-packages/opentelemetry/util/http/__init__.py", line 271, in _parse_url_query
parsed_url = urlparse(url)
File "urllib/parse.py", line 397, in urlparse
splitresult = urlsplit(url, scheme, allow_fragments)
File "urllib/parse.py", line 518, in urlsplit
_check_bracketed_netloc(netloc)
File "urllib/parse.py", line 456, in _check_bracketed_netloc
_check_bracketed_host(hostname)
File "urllib/parse.py", line 465, in _check_bracketed_host
ip = ipaddress.ip_address(hostname) # Throws Value Error if not IPv6 or IPv4
File "ipaddress.py", line 54, in ip_address
raise ValueError(f'{address!r} does not appear to be an IPv4 or IPv6 address')
ValueError: "getRuntime()).exec('id').waitFor()}.action" does not appear to be an IPv4 or IPv6 address
Additional context
No response
Would you like to implement a fix?
None
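A defensive stand-in for the failing helper, added here as an illustration and not code from the opentelemetry-python-contrib project: `parse_target` and `TargetParts` are hypothetical names, the sample targets are constructed, and degrading to a plain `?` split when `urlparse` rejects the input is an assumption about what a span attribute can tolerate.

```python
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class TargetParts:
    path: str
    query: str
    fallback: bool  # True when urlparse() rejected the target and we degraded


def parse_target(target: str) -> TargetParts:
    """Split a request target into (path, query) without ever raising.

    Hypothetical replacement for the instrumentation's _parse_url_query:
    the stdlib urlparse() raises ValueError on malformed netlocs (an
    unbalanced '[', or non-IP text inside brackets on Python >= 3.11.4),
    and a crash inside telemetry middleware must not become a 500 for the
    application it observes.
    """
    try:
        parsed = urlparse(target)
        return TargetParts(parsed.path, parsed.query, fallback=False)
    except ValueError:
        # Best-effort degrade: drop any fragment, then split on the first '?'.
        # The path may still carry scheme/netloc text from a hostile request;
        # that is tolerable in a span attribute, aborting the request is not.
        no_fragment = target.split("#", 1)[0]
        path, _, query = no_fragment.partition("?")
        return TargetParts(path, query, fallback=True)


# Constructed sample targets, not captured from the reporter's test suite.
SAMPLES = [
    "/api/v1/items?page=2",   # ordinary request, urlparse succeeds
    "http://[::1/path?q=1",   # unbalanced bracket -> "Invalid IPv6 URL"
    "//[not-an-ip]/x",        # bracketed non-IP host; rejected on 3.11.4+
]

if __name__ == "__main__":
    for sample in SAMPLES:
        parts = parse_target(sample)
        print(f"{sample!r} -> path={parts.path!r} "
              f"query={parts.query!r} fallback={parts.fallback}")
```

The third sample shows the version dependence: older interpreters parse it, newer ones raise, so the middleware's behaviour on the same hostile scan changes with a Python upgrade unless the exception is handled.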