-
Notifications
You must be signed in to change notification settings - Fork 786
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Instrumentation.Http][Instrumentation.AspNetCore] Fix url.full
and url.query
attribute values
#5532
[Instrumentation.Http][Instrumentation.AspNetCore] Fix url.full
and url.query
attribute values
#5532
Conversation
…vishweshbankwar/opentelemetry-dotnet into vibankwa/redact-http-attributes
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #5532 +/- ##
===========================================
- Coverage 83.38% 20.07% -63.31%
===========================================
Files 297 183 -114
Lines 12531 7610 -4921
===========================================
- Hits 10449 1528 -8921
- Misses 2082 6082 +4000
Flags with carried forward coverage won't be shown. Click here to find out more.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Can someone elaborate where this requirement came from? Is it part of the OTEL Spec? |
|
||
Released 2024-Apr-12 | ||
|
||
* **Breaking Change**: Fixed tracing instrumentation so that by default any |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The changelog is not very clear. Could we make it clear the why here as well?
Also, using the word "tag" may not be obvious that it is referring to "attributes".
Apologies for not providing much detail on here. We wanted to have the mitigation in place before we provided a whole lot of information about a vulnerability. See: GHSA-vh2m-22xx-q94f |
Thanks for sharing that @CodeBlanch , but that feels overly defensive to me. Does the OTEL spec ask implementations to perform this redaction, or is the .NET team doing it on their own? Using query string for sensitive information such as tokens is such a well-known bad practice for this precise reason, so I don't quite understand why the library would decide to redact all query string values by default. What if people just share sensitive information as URL segments, then? Is the library going to start redacting route segments in the URL too? This will just make debugging harder by default. It would made a lot more sense if the framework allowed redaction to be plugged-in instead and let consumers decide whether they need it or not, which is exactly what happens today with standard logs as well. If there is a known practice to redact query string values everywhere I'm not aware about, please share that so I can learn from it. On an unrelated note, it also makes me a bid sad this is not tapping into |
Redacting all query parameters by default makes zero sense to me. query parameters should not be used for sensitive info regardless of whether they're going to be redacted in logs and traces. |
Related to open-telemetry/semantic-conventions#961. |
Sad to see this being forced into the convention as well. Oh well... at least now we are in a better position to disable the behavior across all of our services in a single place. That wasn't the case a couple weeks ago. |
Can I just add my 2 cents, that on the whole this approach of making OpenTelemetry responsible for everybody that does something insecure is not a particularly sustainable or sensical approach. I don't request Microsoft fix the Console.WriteLine method just because I logged the password to console or fix File.WriteAllText because I wrote a credential to file. So why make a logging framework responsible for what is Logged. It makes perfect sense to have sane defaults that do the best to keep a developer from writing insecure code but at the end of the day that is all we can do. This change goes a step further though since it not only enforces a default but doesn't even let the developer disable it. The only way to disable this functionality is through an environment variable I really hope that the OpenTelemetry team and in particular those involved with open-telemetry/semantic-conventions#961 reconsider this approach and Favour a more robust and flexible redaction system rather than these rushed and half thought out defaults that worsen the 99% for those 1% cases of bad code. |
@CEbbinghaus Could you file an issue with a repro? |
Fixes #
Design discussion issue #
Changes
Fixed tracing instrumentation so that by default any values detected in the query string component of requests are replaced with the text
Redacted
. For ASP.NET Core instrumentation, fixedurl.query
attribute. For Http instrumentation, fixedurl.full
attribute.Merge requirement checklist
CHANGELOG.md
files updated for non-trivial changes