From 60ee981d07c92dc0b0ec32d1912c883f0b055c30 Mon Sep 17 00:00:00 2001
From: Hangzhi <1454678938@qq.com>
Date: Fri, 7 May 2021 14:31:26 +0800
Subject: [PATCH] Prevent http.url containing credentials in HttpClientTracer (#2707)
* http.url must not contain credentials
* remove user info from url
* Update HttpClientTracerTest.groovy fix inconsistency in protocol
* fix httpClient and httpServer
* Update HttpServerTracer.java
* Only scrub userinfo if present
Co-authored-by: Anuraag Agrawal
---
.../api/tracer/HttpClientTracer.java | 16 +++++++++++++++-
.../api/tracer/HttpClientTracerTest.groovy | 1 +
2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/instrumentation-api/src/main/java/io/opentelemetry/instrumentation/api/tracer/HttpClientTracer.java b/instrumentation-api/src/main/java/io/opentelemetry/instrumentation/api/tracer/HttpClientTracer.java
index 9256135908..ac18029122 100644
--- a/instrumentation-api/src/main/java/io/opentelemetry/instrumentation/api/tracer/HttpClientTracer.java
+++ b/instrumentation-api/src/main/java/io/opentelemetry/instrumentation/api/tracer/HttpClientTracer.java
@@ -183,7 +183,21 @@ public abstract class HttpClientTracer extends BaseT
 URI url = url(request);
 if (url != null) {
 netPeerAttributes.setNetPeer(setter, url.getHost(), null, url.getPort());
- setter.setAttribute(SemanticAttributes.HTTP_URL, url.toString());
+ final URI sanitized;
+ if (url.getUserInfo() != null) {
+ sanitized =
+ new URI(
+ url.getScheme(),
+ null,
+ url.getHost(),
+ url.getPort(),
+ url.getPath(),
+ url.getQuery(),
+ url.getFragment());
+ } else {
+ sanitized = url;
+ }
+ setter.setAttribute(SemanticAttributes.HTTP_URL, sanitized.toString());
 }
 } catch (Exception e) {
 log.debug("Error tagging url", e);
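Review bot: Rebuilding the URL through the seven-argument `URI` constructor from the decoded `getPath()`/`getQuery()`/`getFragment()` values re-quotes the components, so the recorded `http.url` can differ from the request URL beyond the userinfo removal; a constructed example is a query `a=x%26y`, whose `%26` decodes to `&` and is then kept as a legal query character, changing the recorded query. Using the raw accessors would not fix this, since the multi-argument constructors always quote `%`; stripping `getRawUserInfo()` plus `@` from `url.toString()` instead leaves every other byte as sent, as below (a matching row with an encoded character in the HttpClientTracerTest.groovy table in the next hunk would pin it). If the rebuild ever throws, the enclosing `catch (Exception e)` leaves `http.url` unset rather than leaking the credentials, which is the right failure direction; the string approach avoids the throw altogether. The enclosing method starts and ends outside the hunk.
```java
        netPeerAttributes.setNetPeer(setter, url.getHost(), null, url.getPort());
        String sanitized = url.toString();
        String rawUserInfo = url.getRawUserInfo();
        if (rawUserInfo != null) {
          // Drop "userinfo@" from the authority; the scheme and "//" cannot contain it, so the
          // first match is the authority one. Every other byte of the URL as sent is kept as-is.
          int at = sanitized.indexOf(rawUserInfo + "@");
          sanitized =
              sanitized.substring(0, at) + sanitized.substring(at + rawUserInfo.length() + 1);
        }
        setter.setAttribute(SemanticAttributes.HTTP_URL, sanitized);
```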
diff --git a/instrumentation-api/src/test/groovy/io/opentelemetry/instrumentation/api/tracer/HttpClientTracerTest.groovy b/instrumentation-api/src/test/groovy/io/opentelemetry/instrumentation/api/tracer/HttpClientTracerTest.groovy
index fe3916eed4..852db73e0b 100644
--- a/instrumentation-api/src/test/groovy/io/opentelemetry/instrumentation/api/tracer/HttpClientTracerTest.groovy
+++ b/instrumentation-api/src/test/groovy/io/opentelemetry/instrumentation/api/tracer/HttpClientTracerTest.groovy
@@ -101,6 +101,7 @@ class HttpClientTracerTest extends BaseTracerTest {
 false | "https://host:0" | "https://host:0" | "" | null | "host" | null
 false | "https://host/path" | "https://host/path" | "" | null | "host" | null
 false | "http://host:99/path?query#fragment" | "http://host:99/path?query#fragment" | "" | null | "host" | 99
+ false | "https://usr:pswd@host/path" | "https://host/path" | "" | null | "host" | null
 req = [url: url == null ? null : new URI(url)]
 }