Skip to content

Commit

Permalink
Add support for sanitizing HTTP header values. (#1253)
Browse files Browse the repository at this point in the history
First step of #1184
  • Loading branch information
Dan Rogers authored Sep 13, 2022
1 parent 56530eb commit 4d341e8
Show file tree
Hide file tree
Showing 3 changed files with 67 additions and 1 deletion.
2 changes: 2 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
([#1199](https://github.com/open-telemetry/opentelemetry-python-contrib/pull/1199))
- Add metric instrumentation in Pyramid
([#1242](https://github.com/open-telemetry/opentelemetry-python-contrib/pull/1242))
- `opentelemetry-util-http` Add support for sanitizing HTTP header values.
([#1253](https://github.com/open-telemetry/opentelemetry-python-contrib/pull/1253))

### Fixed

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -13,13 +13,17 @@
# limitations under the License.

from os import environ
from re import IGNORECASE as RE_IGNORECASE
from re import compile as re_compile
from re import search
from typing import Iterable, List
from urllib.parse import urlparse, urlunparse

from opentelemetry.semconv.trace import SpanAttributes

OTEL_INSTRUMENTATION_HTTP_CAPTURE_HEADERS_SANITIZE_FIELDS = (
"OTEL_INSTRUMENTATION_HTTP_CAPTURE_HEADERS_SANITIZE_FIELDS"
)
OTEL_INSTRUMENTATION_HTTP_CAPTURE_HEADERS_SERVER_REQUEST = (
"OTEL_INSTRUMENTATION_HTTP_CAPTURE_HEADERS_SERVER_REQUEST"
)
Expand Down Expand Up @@ -60,6 +64,22 @@ def url_disabled(self, url: str) -> bool:
return bool(self._excluded_urls and search(self._regex, url))


class SanitizeValue:
"""Class to sanitize (remove sensitive data from) certain headers (given as a list of regexes)"""

def __init__(self, sanitized_fields: Iterable[str]):
self._sanitized_fields = sanitized_fields
if self._sanitized_fields:
self._regex = re_compile("|".join(sanitized_fields), RE_IGNORECASE)

def sanitize_header_value(self, header: str, value: str) -> str:
return (
"[REDACTED]"
if (self._sanitized_fields and search(self._regex, header))
else value
)


_root = r"OTEL_PYTHON_{}"


Expand Down Expand Up @@ -90,7 +110,7 @@ def get_excluded_urls(instrumentation: str) -> ExcludeList:

def parse_excluded_urls(excluded_urls: str) -> ExcludeList:
"""
Small helper to put an arbitrary url list inside of ExcludeList
Small helper to put an arbitrary url list inside an ExcludeList
"""
if excluded_urls:
excluded_url_list = [
Expand Down
44 changes: 44 additions & 0 deletions util/opentelemetry-util-http/tests/test_capture_custom_headers.py
Original file line number Diff line number Diff line change
Expand Up @@ -16,8 +16,10 @@
from unittest.mock import patch

from opentelemetry.util.http import (
OTEL_INSTRUMENTATION_HTTP_CAPTURE_HEADERS_SANITIZE_FIELDS,
OTEL_INSTRUMENTATION_HTTP_CAPTURE_HEADERS_SERVER_REQUEST,
OTEL_INSTRUMENTATION_HTTP_CAPTURE_HEADERS_SERVER_RESPONSE,
SanitizeValue,
get_custom_headers,
normalise_request_header_name,
normalise_response_header_name,
Expand Down Expand Up @@ -58,6 +60,48 @@ def test_get_custom_response_header(self):
],
)

@patch.dict(
"os.environ",
{
OTEL_INSTRUMENTATION_HTTP_CAPTURE_HEADERS_SANITIZE_FIELDS: "My-Secret-Header,My-Secret-Header-2"
},
)
def test_get_custom_sanitize_header(self):
sanitized_fields = get_custom_headers(
OTEL_INSTRUMENTATION_HTTP_CAPTURE_HEADERS_SANITIZE_FIELDS
)
self.assertEqual(
sanitized_fields,
["My-Secret-Header", "My-Secret-Header-2"],
)

@patch.dict(
"os.environ",
{
OTEL_INSTRUMENTATION_HTTP_CAPTURE_HEADERS_SANITIZE_FIELDS: "My-Secret-Header,My-Secret-Header-2"
},
)
def test_sanitize(self):
sanitized_fields = get_custom_headers(
OTEL_INSTRUMENTATION_HTTP_CAPTURE_HEADERS_SANITIZE_FIELDS
)

sanitize = SanitizeValue(sanitized_fields)

self.assertEqual(
sanitize.sanitize_header_value(
header="My-Secret-Header", value="My-Secret-Value"
),
"[REDACTED]",
)

self.assertEqual(
sanitize.sanitize_header_value(
header="My-Not-Secret-Header", value="My-Not-Secret-Value"
),
"My-Not-Secret-Value",
)

def test_normalise_request_header_name(self):
key = normalise_request_header_name("Test-Header")
self.assertEqual(key, "http.request.header.test_header")
Expand Down

0 comments on commit 4d341e8

Please sign in to comment.