OpenTelemetry ClientTracingFilter adds credentials to http.url field #18250

Closed
hacst opened this issue Jun 29, 2021 · 3 comments · Fixed by #18971
Labels: area/tracing, kind/bug (Something isn't working)


hacst commented Jun 29, 2021

Describe the bug

The http.url attribute ClientTracingFilter sets contains the userinfo portion of the URL to which https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/trace/semantic_conventions/http.md#common-attributes states "http.url MUST NOT contain credentials passed via URL in form of https://username:password@www.example.com/."

Quarkus version or git rev

2.0.0.Final

@hacst hacst added the kind/bug Something isn't working label Jun 29, 2021
quarkus-bot bot commented Jun 29, 2021

/cc @Ladicek, @kenfinnigan

@kenfinnigan kenfinnigan changed the title opentelemetry ClientTracingFilter adds credentials to http.url field OpenTelemetry ClientTracingFilter adds credentials to http.url field Jun 29, 2021
kenfinnigan (Member) commented

Is it "safe" to look for @ and exclude everything before it?


hacst commented Jul 12, 2021

If an @ is present, dropping everything between the first // up to and including the @ should be correct. At least that's my reading of https://en.wikipedia.org/wiki/Uniform_Resource_Identifier#Syntax to get rid of the userinfo portion.

kenfinnigan added a commit to kenfinnigan/quarkus that referenced this issue Jul 23, 2021
- Fixes quarkusio#18250
- Remove UserInfo portion of HTTP URL, if present
@kenfinnigan kenfinnigan added this to the 2.2 - main milestone Jul 23, 2021
@kenfinnigan kenfinnigan self-assigned this Jul 23, 2021
@gsmet gsmet modified the milestones: 2.2 - main, 2.1.1.Final Aug 3, 2021
gsmet pushed a commit to gsmet/quarkus that referenced this issue Aug 3, 2021
- Fixes quarkusio#18250
- Remove UserInfo portion of HTTP URL, if present

(cherry picked from commit b4b7f84)
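
One way to remove the userinfo portion discussed in this thread before the value is recorded as http.url, as an added example (not the code from the Quarkus fix commit). It goes slightly beyond the thread by only treating an @ inside the authority as the userinfo delimiter, so an @ in the path or query is left alone; `UrlRedactor` and `stripUserInfo` are hypothetical names.

```java
// Added example: UrlRedactor and stripUserInfo are hypothetical names,
// not Quarkus or OpenTelemetry APIs.
public class UrlRedactor {

    /**
     * Returns the URL without the userinfo part of its authority (RFC 3986, section 3.2).
     * URLs without an authority or without userinfo are returned unchanged.
     */
    static String stripUserInfo(String url) {
        int schemeEnd = url.indexOf("://");
        if (schemeEnd < 0) {
            return url; // no "//" authority marker, so there is no userinfo to remove
        }
        int authorityStart = schemeEnd + 3;
        // The authority ends at the first '/', '?' or '#', or at the end of the string.
        int authorityEnd = url.length();
        for (int i = authorityStart; i < url.length(); i++) {
            char c = url.charAt(i);
            if (c == '/' || c == '?' || c == '#') {
                authorityEnd = i;
                break;
            }
        }
        // Only an '@' inside the authority delimits userinfo. Taking the last one
        // also covers a password that contains an unencoded '@'.
        int at = url.lastIndexOf('@', authorityEnd - 1);
        if (at < authorityStart) {
            return url; // any '@' present belongs to the path, query or fragment
        }
        return url.substring(0, authorityStart) + url.substring(at + 1);
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String[] samples = {
            "https://username:password@www.example.com/",
            "https://www.example.com/users?email=alice@example.org",
            "https://user:p@ss@www.example.com:8443/api#frag",
            "https://www.example.com/@handle/profile",
        };
        for (String s : samples) {
            System.out.println(s + " -> " + stripUserInfo(s));
        }
    }
}
```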