opentelemetry-js

feat(core): add http.url sanitization

Open shoppingjaws opened this issue 1 year ago • 5 comments

Which problem is this PR solving?

Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.

Fixes #2000

It seems like there hasn't been any activity on assignee for a while, so I made a PR.

Short description of the changes

Add sanitization of http.url attribution

Type of change

Please delete options that are not relevant.

  • [ ] Bug fix (non-breaking change which fixes an issue)
  • [x] New feature (non-breaking change which adds functionality)
  • [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • [ ] This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration

  • [ ] Test A

Checklist:

  • [x] Followed the style guidelines of this project
  • [x] Unit tests have been added
  • [ ] Documentation has been updated

shoppingjaws avatar Jan 06 '24 09:01 shoppingjaws

CLA Signed

The committers listed above are authorized under a signed CLA.

  • :white_check_mark: login: shoppingjaws / name: MasayaNakamura (e47448c214aaf42d79542fd2164a38490cdc4f97, cd56fe93d939dcc0743a16a107adc547ed540c7a)

Thank you for working on this!

legendecas avatar Jan 24 '24 15:01 legendecas

I believe the sanitization should happen in the HTTP instrumentation, e.g.

* https://github.com/open-telemetry/opentelemetry-js/blob/main/experimental/packages/opentelemetry-instrumentation-http/src/utils.ts#L346

* https://github.com/open-telemetry/opentelemetry-js/blob/main/experimental/packages/opentelemetry-instrumentation-http/src/utils.ts#L468

* https://github.com/open-telemetry/opentelemetry-js/blob/main/experimental/packages/opentelemetry-instrumentation-fetch/src/fetch.ts#L211

* https://github.com/open-telemetry/opentelemetry-js/blob/main/experimental/packages/opentelemetry-instrumentation-xml-http-request/src/xhr.ts#L338

In this way, we don't cost extra sanitization for HTTP semantic conventions in the general SDK for all spans.

I agree :+1: We discussed this in the SIG meeting yesterday and the consensus was that this is the best way to move this forward.

pichlermarc avatar Jan 25 '24 07:01 pichlermarc

@legendecas thank you! So, I'm thinking of implementing Sanitize processing with getAbsoluteUrl, but what do you think?

shoppingjaws avatar Jan 29 '24 05:01 shoppingjaws

> So, I'm thinking of implementing Sanitize processing with getAbsoluteUrl, but what do you think?

For what it is worth, getAbsoluteUrl in instrumentation-http should have already formatted the URL without credentials. However, there is no test to verify it.

Additionally, instrumentation-fetch and instrumentation-xhr didn't handle this well (as linked above). So I believe the http.url should be sanitized in the fetch and xhr instrumentation and add tests to cover the conditions.

legendecas avatar Jan 29 '24 16:01 legendecas
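
A sketch of the credential stripping discussed above for the fetch and XHR instrumentations, together with the input conditions a test would need to cover. This is an added example, not code from this PR or from opentelemetry-js; `sanitizeHttpUrl`, `httpUrlAttribute` and every URL shown are hypothetical and constructed for illustration.

```javascript
// Added example, not opentelemetry-js code. Function names are hypothetical.

/**
 * Return rawUrl as an absolute URL with the userinfo part (user:password@)
 * removed, or undefined when it cannot be parsed.
 * baseUrl resolves relative inputs such as fetch('/api/items').
 */
function sanitizeHttpUrl(rawUrl, baseUrl) {
  let parsed;
  try {
    parsed = new URL(rawUrl, baseUrl);
  } catch {
    // Unparseable input is not recorded verbatim: it may still hold secrets.
    return undefined;
  }
  // A relative input inherits username/password from the base URL, so the
  // credentials are cleared after resolution, never before.
  parsed.username = '';
  parsed.password = '';
  return parsed.href;
}

/**
 * Build the span attribute for a fetch-style input: a string, a URL object,
 * or a Request-like object exposing a string `url` property.
 */
function httpUrlAttribute(input, baseUrl) {
  let raw;
  if (typeof input === 'string') {
    raw = input;
  } else if (input instanceof URL) {
    raw = input.href;
  } else if (input && typeof input.url === 'string') {
    raw = input.url;
  }
  if (raw === undefined) return {};
  const sanitized = sanitizeHttpUrl(raw, baseUrl);
  return sanitized === undefined ? {} : { 'http.url': sanitized };
}

// Constructed sample: credentials arrive through the base URL, not the input.
const sample = httpUrlAttribute(
  '/api/items?id=1',
  'https://alice:secret@app.example.test/dashboard'
);
console.log(sample['http.url']);
```
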

This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.

github-actions[bot] avatar Apr 01 '24 06:04 github-actions[bot]

This PR was closed because it has been stale for 14 days with no activity.

github-actions[bot] avatar Apr 22 '24 06:04 github-actions[bot]