Redact query string values #13114
Redact query string values #13114
Conversation
jeanbisutti
force-pushed
the
redact-query-string-values
branch
2 times, most recently
from
aba2207 to
608bc78
Compare
| arguments("https://github.com#[email protected]", "https://github.com#[email protected]"), | ||
| arguments("user1:[email protected]", "user1:[email protected]"), | ||
| arguments("https://github.com@", "https://github.com@"), | ||
| arguments( |
There was a problem hiding this comment.
This test was (probably inadvertly) removed in #9925.
The test is added again with new test cases.
jeanbisutti
force-pushed
the
redact-query-string-values
branch
from
608bc78 to
d8d8dc3
Compare
jeanbisutti
force-pushed
the
redact-query-string-values
branch
from
d8d8dc3 to
c95b161
Compare
...in/java/io/opentelemetry/instrumentation/api/semconv/http/HttpClientAttributesExtractor.java
Show resolved
Hide resolved
...in/java/io/opentelemetry/instrumentation/api/semconv/http/HttpClientAttributesExtractor.java
Show resolved
Hide resolved
...in/java/io/opentelemetry/instrumentation/api/semconv/http/HttpClientAttributesExtractor.java
Show resolved
Hide resolved
...in/java/io/opentelemetry/instrumentation/api/semconv/http/HttpClientAttributesExtractor.java
Show resolved
Hide resolved
...in/java/io/opentelemetry/instrumentation/api/semconv/http/HttpClientAttributesExtractor.java
Outdated
Show resolved
Hide resolved
…tion/api/semconv/http/HttpClientAttributesExtractor.java Co-authored-by: Steve Rao <[email protected]>
| redactSensitiveParameters = | ||
| Boolean.getBoolean( | ||
| "otel.instrumentation.http.client.experimental.redact-sensitive-parameters"); |
There was a problem hiding this comment.
This does not align with our usual way of handling configuration options. It only supports system properties while we usually also accept environment variables. Perhaps it would be better to handle it the same way as other http client experimental options in
HttpClientAttributesExtractor and builder are stable introducing experimental options will require trickery with internal classes.
|
|
||
| int questionMarkIndex = urlpart.indexOf('?'); | ||
|
|
There was a problem hiding this comment.
| int questionMarkIndex = urlpart.indexOf('?'); | |
| int questionMarkIndex = urlpart.indexOf('?'); |
| @@ -141,8 +151,69 @@ private static String stripSensitiveData(@Nullable String url) { | |||
| } | |||
|
|
|||
| if (atIndex == -1 || atIndex == len - 1) { | |||
| return url; | |||
| return redactSensitiveParameters ? redactUrlParameters(url) : url; | |||
There was a problem hiding this comment.
have you considered structuring it like
String stripSensitiveData(@Nullable String url) {
if (url == null || url.isEmpty()) {
return url;
}
url = redactUserInfo(url);
url = redactQueryParameters(url);
return url;
}then you will not need to duplicate redactSensitiveParameters ? redactUrlParameters(url) : url;
| return urlpart.substring(0, questionMarkIndex) + "?" + urlPartAfterQuestionMark; | ||
| } | ||
|
|
||
| private static boolean containsParamToRedact(String urlpart) { |
There was a problem hiding this comment.
did you consider that parameter names and values in url may be percent encoded?
There was a problem hiding this comment.
The parsing do processing based on the presence of the ?, =, & and # characters. All these characters are reserved ones after percent-encoding: https://en.wikipedia.org/wiki/Percent-encoding
There was a problem hiding this comment.
You have misunderstood, the problem isn't in these characters but rather in the names of the query parameters. For example sig could be encoded as %73%69%67. I'm not claiming that such encoding would be common or sensible, just that it is acceptable to the the web server.
There was a problem hiding this comment.
interesting, I suspect it's ok to ignore a query param encoded as %73%69%67, the goal of this masking isn't to account for malicious usage, but for valid usage of specific client libraries
@jeanbisutti can you open a semconv issue asking for this clarification?
There was a problem hiding this comment.
I also think it is fine to not bother with this since what is used by the http client is set by the application author. If needed we can always make the redacted parameter list configurable.
There was a problem hiding this comment.
There was a problem hiding this comment.
thanks @jeanbisutti, I think we can proceed with the behavior in this PR (no percent encoding, exact case matching) and revisit after getting any semconv clarification
See https://github.com/open-telemetry/semantic-conventions/blob/main/docs/http/http-spans.md