Scrub secrets from process arguments (#13225)

2025-02-12 05:10:37 +02:00 · 2025-02-12 05:10:37 +02:00 · 77bf68ac90
parent 1a620b28ea
commit 77bf68ac90
4 changed files with 46 additions and 18 deletions
--- a/instrumentation/resources/library/build.gradle.kts
+++ b/instrumentation/resources/library/build.gradle.kts
@ -84,6 +84,17 @@ testing {
 }

 tasks {
+  test {
+    dependsOn(jar)
+    doFirst {
+      // use the final jar instead of directories with built classes to test the mrjar functionality
+      classpath = jar.get().outputs.files + classpath
+    }
+    systemProperty("testSecret", "test")
+    systemProperty("testPassword", "test")
+    systemProperty("testNotRedacted", "test")
+  }
+
  check {
    dependsOn(testing.suites)
  }
--- a/instrumentation/resources/library/src/main/java/io/opentelemetry/instrumentation/resources/ProcessResource.java
+++ b/instrumentation/resources/library/src/main/java/io/opentelemetry/instrumentation/resources/ProcessResource.java
@ -14,7 +14,6 @@ import java.io.File;
 import java.lang.management.ManagementFactory;
 import java.lang.management.RuntimeMXBean;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.List;
 import java.util.Locale;
 import java.util.regex.Pattern;
@ -35,6 +34,9 @@ public final class ProcessResource {
  // Important: This is statically used in buildResource, so must be declared/initialized first.
  private static final Pattern JAR_FILE_PATTERN =
      Pattern.compile("^\\S+\\.(jar|war)", Pattern.CASE_INSENSITIVE);
+  // scrub values for system properties containing "secret" or "password" in the name
+  private static final Pattern SCRUB_PATTERN =
+      Pattern.compile("(-D.*(password|secret).*=).*", Pattern.CASE_INSENSITIVE);

  private static final Resource INSTANCE = buildResource();

@ -94,12 +96,14 @@ public final class ProcessResource {
      if (args.length > 0) {
        List<String> commandArgs = new ArrayList<>(args.length + 1);
        commandArgs.add(executablePath.toString());
-        commandArgs.addAll(Arrays.asList(args));
+        for (String arg : args) {
+          commandArgs.add(scrub(arg));
+        }
        attributes.put(PROCESS_COMMAND_ARGS, commandArgs);
      } else { // Java 8
        StringBuilder commandLine = new StringBuilder(executablePath);
        for (String arg : runtime.getInputArguments()) {
-          commandLine.append(' ').append(arg);
+          commandLine.append(' ').append(scrub(arg));
        }
        // sun.java.command isn't well document and may not be available on all systems.
        String javaCommand = System.getProperty("sun.java.command");
@ -118,5 +122,9 @@ public final class ProcessResource {
    return Resource.create(attributes.build(), SchemaUrls.V1_24_0);
  }

+  private static String scrub(String argument) {
+    return SCRUB_PATTERN.matcher(argument).replaceFirst("$1***");
+  }
+
  private ProcessResource() {}
 }
--- a/instrumentation/resources/library/src/test/java/io/opentelemetry/instrumentation/resources/ProcessResourceTest.java
+++ b/instrumentation/resources/library/src/test/java/io/opentelemetry/instrumentation/resources/ProcessResourceTest.java
@ -19,32 +19,39 @@ class ProcessResourceTest {
  @Test
  @SetSystemProperty(key = "os.name", value = "Linux 4.12")
  void notWindows() {
-    Resource resource = ProcessResource.buildResource();
-    assertThat(resource.getSchemaUrl()).isEqualTo(SchemaUrls.V1_24_0);
-    Attributes attributes = resource.getAttributes();
-
-    assertThat(attributes.get(ProcessIncubatingAttributes.PROCESS_PID)).isGreaterThan(1);
-    assertThat(attributes.get(ProcessIncubatingAttributes.PROCESS_EXECUTABLE_PATH))
-        .matches(".*[/\\\\]java");
-    assertThat(attributes.get(ProcessIncubatingAttributes.PROCESS_COMMAND_LINE))
-        .contains(attributes.get(ProcessIncubatingAttributes.PROCESS_EXECUTABLE_PATH));
-    // With Java 9+ and a compiled jar, ResourceAttributes.PROCESS_COMMAND_ARGS
-    // will be set instead of ResourceAttributes.PROCESS_COMMAND_LINE
+    assertResource(false);
  }

  @Test
  @SetSystemProperty(key = "os.name", value = "Windows 10")
  void windows() {
+    assertResource(true);
+  }
+
+  private static void assertResource(boolean windows) {
    Resource resource = ProcessResource.buildResource();
    assertThat(resource.getSchemaUrl()).isEqualTo(SchemaUrls.V1_24_0);
    Attributes attributes = resource.getAttributes();

    assertThat(attributes.get(ProcessIncubatingAttributes.PROCESS_PID)).isGreaterThan(1);
    assertThat(attributes.get(ProcessIncubatingAttributes.PROCESS_EXECUTABLE_PATH))
-        .matches(".*[/\\\\]java\\.exe");
-    assertThat(attributes.get(ProcessIncubatingAttributes.PROCESS_COMMAND_LINE))
-        .contains(attributes.get(ProcessIncubatingAttributes.PROCESS_EXECUTABLE_PATH));
+        .matches(windows ? ".*[/\\\\]java\\.exe" : ".*[/\\\\]java");
+
    // With Java 9+ and a compiled jar, ResourceAttributes.PROCESS_COMMAND_ARGS
    // will be set instead of ResourceAttributes.PROCESS_COMMAND_LINE
+    boolean java8 = "1.8".equals(System.getProperty("java.specification.version"));
+    if (java8) {
+      assertThat(attributes.get(ProcessIncubatingAttributes.PROCESS_COMMAND_LINE))
+          .contains(attributes.get(ProcessIncubatingAttributes.PROCESS_EXECUTABLE_PATH))
+          .contains("-DtestSecret=***")
+          .contains("-DtestPassword=***")
+          .contains("-DtestNotRedacted=test");
+    } else {
+      assertThat(attributes.get(ProcessIncubatingAttributes.PROCESS_COMMAND_ARGS))
+          .contains(attributes.get(ProcessIncubatingAttributes.PROCESS_EXECUTABLE_PATH))
+          .contains("-DtestSecret=***")
+          .contains("-DtestPassword=***")
+          .contains("-DtestNotRedacted=test");
+    }
  }
 }
--- a/instrumentation/resources/library/src/test/java/io/opentelemetry/instrumentation/resources/internal/DeclarativeConfigTest.java
+++ b/instrumentation/resources/library/src/test/java/io/opentelemetry/instrumentation/resources/internal/DeclarativeConfigTest.java
@ -31,6 +31,7 @@ class DeclarativeConfigTest {
            + "      value: my-service\n"
            + "tracer_provider:\n";

+    boolean java8 = "1.8".equals(System.getProperty("java.specification.version"));
    OpenTelemetrySdk openTelemetrySdk =
        FileConfiguration.parseAndCreate(
            new ByteArrayInputStream(yaml.getBytes(StandardCharsets.UTF_8)));
@ -56,7 +57,8 @@ class DeclarativeConfigTest {
              assertThat(attributeKeys).contains("os.description");
              assertThat(attributeKeys).contains("os.type");
              // ProcessResourceComponentProvider
-              assertThat(attributeKeys).contains("process.command_line");
+              assertThat(attributeKeys)
+                  .contains(java8 ? "process.command_line" : "process.command_args");
              assertThat(attributeKeys).contains("process.executable.path");
              assertThat(attributeKeys).contains("process.pid");
              // ProcessRuntimeResourceComponentProvider