Ensure clean http url #538
Conversation
Restored aiohttp test due to overwritten test Readded aiohttp url credential test Addressed yarl not found in tornado client in some tests
Readded removed dependency Added dependency for docker test Fixed linting errors Placed yarl dependency and moved common function into utils
Rearranged location of required install Fixed dependency location and linting
resolve pylint Fixed linting and changed return type to str
ryokather
requested review from
a team,
aabmass and
ocelotl
and removed request for
a team
opentelemetry-instrumentation/src/opentelemetry/instrumentation/utils.py
Outdated
Show resolved
Hide resolved
| @@ -60,3 +61,33 @@ def unwrap(obj, attr: str): | |||
| func = getattr(obj, attr, None) | |||
| if func and isinstance(func, ObjectProxy) and hasattr(func, "__wrapped__"): | |||
| setattr(obj, attr, func.__wrapped__) | |||
|
|
|||
There was a problem hiding this comment.
Would this logic be better off here?
There was a problem hiding this comment.
Only thought I had was that it is most similar to the other utility function http_status_to_status_code in the same file and the library you linked is only used by web server instrumentations. However, it might make more logical sense to separate it from the opentelemetry-instrumentation itself. What would you suggest? @lzchen
There was a problem hiding this comment.
I believe the library would be used for all http related instrumentations, it just so happens the logic contained is only used in server instrumentations.
There was a problem hiding this comment.
Sounds good 👍 Just updated with the last remaining suggestions.
|
@ryokather |
|
Should be done! |
Description
This PR fixes issue #367 in which a new specification was established such that http.url, a span attribute, must not contain username or password information for security purposes. This would ensure that URLs passed in the form of
https://username:password@www.example.com/would result in a http span attribute value ofhttps://www.example.com/.This issue was fixed by implementing an additional util function in
util/open-telemetry-httpcalledremove_url_credentials(url: str) -> str. This function utilizes theurllib.parsemodule to cleanly strip a username and password from a given url if present. This fix was applied to the following instrumentations: aiohttp-client, asgi, requests, tornado, urllib, and wsgi. Note that the current implementation of the urllib3 instrumentation would not process the username and password of a url so this logic was not needed.Type of change
How Has This Been Tested?
An additional test called
test_credential_removalwas provided in every instrumentation that sets theHTTP_URLattribute. This includes the instrumentations aiohttp-client, asgi, requests, tornado, urllib, urllib3, and wsgi. Tests were run using tox.Does This PR Require a Core Repo Change?
Checklist:
See contributing.md for styleguide, changelog guidelines, and more.