-
Notifications
You must be signed in to change notification settings - Fork 888
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
http.url MUST NOT contain credentials #1502
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would you mind updating changelog with this change?
Done 1bcdc0b |
cc @cijothomas for the OTel.NET SDK mention |
semantic_conventions/trace/http.yaml
Outdated
@@ -16,6 +16,9 @@ groups: | |||
brief: > | |||
Full HTTP request URL in the form `scheme://host[:port]/path?query[#fragment]`. | |||
Usually the fragment is not transmitted over HTTP, but if it is known, it should be included nevertheless. | |||
note: > | |||
`http.url` MUST NOT contain the password if it is passed via URL in form of `https://username:password@www.example.com/`. | |||
In such case the attribute's value can be set as `https://username:@www.example.com/` or `https://www.example.com/`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would suggest going with a more strict rule and require stripping everything before @
. If people want username they can always add it separately, but logging username by default could be a huge privacy concern given recent EU regulations like ePD.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree, GDPR etc. It would be compatible with https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/trace/semantic_conventions/span-general.md#general-identity-attributes:
Given the sensitive nature of this information, SDKs and exporters SHOULD drop these attributes by default and then provide a configuration parameter to turn on retention for use cases where the information is required and would not violate any policies or regulations.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@yurishkuro
Addressed.
Could you please double-check?
I understand because of sensitivity of info we have to clear everything but for enduser it won't be evident that URL was containing username and password when it got here. Instead if we have redacted version like If we don't go with redacted version it might cause ambiguity for someone checking if url contains creds or not because in span with creds and without creds will be same. options: |
Regarding Option 1: I suggest NOT to redact it to
Option 2 is better. However, I think such an attribute would HAVE TO be optional (disabled by default) in order to make sure that the default configuration is as secure as possible. |
At the point where it reaches your instrumentation/exporter/... code it has already been processed (e.g. the HTTP request containing it has been parsed). IANAL, but I would be extremely surprised if the additional "processing" of doing anonymization would be a GDPR problem in itself (if the processing to get it to the point where you can anonymize it wasn't already). |
I am fine option 2 as well but just want to clarify
|
@veera83372 I understand. My biggest concern is:
@Oberon00 |
👍 I agree. But my understanding of the |
This is what @yurishkuro Do you think what I write here makes sense? |
Why
Example request's URL:
https://username:password@example.com:8080/path/to/file.aspx?query=1#fragment
What is the expected attribute's value in such a case? For sure we should not pass the password. The username should not there as well per #1502 (comment).
Why do I think it is important? Because I saw this in OTel .NET SDK: https://github.com/open-telemetry/opentelemetry-dotnet/blob/main/src/OpenTelemetry.Instrumentation.Http/Implementation/HttpHandlerDiagnosticListener.cs#L115
Reference:
What
Mandate to get rid of username (thanks to @yurishkuro) and password if it is present in the URL.