fix(debugger): redact mappings with bytes keys [backport 3.11] (#14222)

dd-octo-sts[bot] · P403n1x87 · web-flow · commit a1380af29ccd · 2025-08-12T13:40:18.000Z
Backport 48b4f55 from #14200 to 3.11. We extend the redaction logic to include the case of mappings whose keys are of type bytes. Resolves #14199. ## Checklist - [x] PR author has checked that all the criteria below are met - The PR description includes an overview of the change - The PR description articulates the motivation for the change - The change includes tests OR the PR description describes a testing strategy - The PR description notes risks associated with the change, if any - Newly-added code is easy to change - The change follows the [library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) - The change includes or references documentation updates if necessary - Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) ## Reviewer Checklist - [x] Reviewer has checked that all the criteria below are met - Title is accurate - All changes are related to the pull request's stated goal - Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - Testing strategy adequately addresses listed risks - Newly-added code is easy to change - Release note makes sense to a user of the library - If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting) Co-authored-by: Gabriele N. Tornetta <P403n1x87@users.noreply.github.com>
diff --git a/ddtrace/debugging/_redaction.py b/ddtrace/debugging/_redaction.py
@@ -1,3 +1,5 @@
+import typing as t
+
 from ddtrace.debugging._expressions import DDCompiler
 from ddtrace.debugging._expressions import DDExpression
 from ddtrace.internal.logger import get_logger
@@ -108,8 +110,8 @@
 
 
 @cached()
-def redact(ident: str) -> bool:
-    normalized = normalize_ident(ident)
+def redact(ident: t.Union[str, bytes]) -> bool:
+    normalized = normalize_ident(ident if isinstance(ident, str) else ident.decode("utf-8", errors="replace"))
     return normalized in REDACTED_IDENTIFIERS and normalized not in config.redaction_excluded_identifiers
 
 
@@ -135,7 +137,7 @@ def __getmember__(cls, s, a):
 
     @classmethod
     def __index__(cls, o, i):
-        if isinstance(i, str) and redact(i):
+        if isinstance(i, (str, bytes)) and redact(i):
             raise DDRedactedExpressionError(f"Access to entry {i!r} is not allowed")
 
         return super().__index__(o, i)
diff --git a/ddtrace/debugging/_signal/utils.py b/ddtrace/debugging/_signal/utils.py
@@ -109,7 +109,7 @@ def serialize(
                 ": ".join(
                     (
                         serialize(_, level - 1, maxsize, maxlen, maxfields)
-                        for _ in (k, v if not (_isinstance(k, str) and redact(k)) else REDACTED_PLACEHOLDER)
+                        for _ in (k, v if not (_isinstance(k, (str, bytes)) and redact(k)) else REDACTED_PLACEHOLDER)
                     )
                 )
                 for k, v in islice(value.items(), maxsize)
@@ -279,7 +279,7 @@ def capture_value(
                         maxfields=maxfields,
                         stopping_cond=cond,
                     )
-                    if not (_isinstance(k, str) and redact(k))
+                    if not (_isinstance(k, (str, bytes)) and redact(k))
                     else redacted_value(v),
                 )
                 for k, v in takewhile(lambda _: not cond(_), islice(value.items(), maxsize))
diff --git a/releasenotes/notes/fix-debugger-bytes-redaction-995465f862921d64.yaml b/releasenotes/notes/fix-debugger-bytes-redaction-995465f862921d64.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    dynamic instrumentation: extended captured value redaction in mappings with
+    keys of type ``bytes``.
diff --git a/tests/debugging/test_debugger.py b/tests/debugging/test_debugger.py
@@ -1160,7 +1160,8 @@ def test_debugger_redacted_identifiers():
 
         assert (
             msg_line["message"] == f"token={REDACTED} answer=42 "
-            f"pii_dict={{'jwt': '{REDACTED}', 'password': '{REDACTED}', 'username': 'admin'}} "
+            f"pii_dict={{'jwt': '{REDACTED}', 'password': '{REDACTED}', 'username': 'admin', "
+            f"b'authorization': '{REDACTED}'}} "
             f"pii_dict['jwt']={REDACTED}"
         )
 
@@ -1179,8 +1180,9 @@ def test_debugger_redacted_identifiers():
                         [{"type": "str", "value": "'jwt'"}, redacted_value(str())],
                         [{"type": "str", "value": "'password'"}, redacted_value(str())],
                         [{"type": "str", "value": "'username'"}, {"type": "str", "value": "'admin'"}],
+                        [{"type": "bytes", "value": "b'authorization'"}, redacted_value(str())],
                     ],
-                    "size": 3,
+                    "size": 4,
                 },
             },
             "staticFields": {},
@@ -1207,8 +1209,12 @@ def test_debugger_redacted_identifiers():
                                 {"type": "str", "notCapturedReason": "redactedIdent"},
                             ],
                             [{"type": "str", "value": "'username'"}, {"type": "str", "value": "'admin'"}],
+                            [
+                                {"type": "bytes", "value": "b'authorization'"},
+                                {"type": "str", "notCapturedReason": "redactedIdent"},
+                            ],
                         ],
-                        "size": 3,
+                        "size": 4,
                     },
                     "@return": {"type": "str", "value": "'top secret'"},  # TODO: Ouch!
                 },
@@ -1254,7 +1260,8 @@ def test_debugger_redaction_excluded_identifiers():
         # Only the token value be visible now because it's explicitly excluded from redaction
         assert (
             msg_line["message"] == f"token='deadbeef' answer=42 "
-            f"pii_dict={{'jwt': '{REDACTED}', 'password': '{REDACTED}', 'username': 'admin'}} "
+            f"pii_dict={{'jwt': '{REDACTED}', 'password': '{REDACTED}', 'username': 'admin', "
+            f"b'authorization': '{REDACTED}'}} "
             f"pii_dict['jwt']={REDACTED}"
         )
 
diff --git a/tests/submod/stuff.py b/tests/submod/stuff.py
@@ -165,5 +165,5 @@ def __init__(self):
 
 def sensitive_stuff(pwd):
     token, answer, data = "deadbeef", 42, SensitiveData()  # noqa:F841
-    pii_dict = {"jwt": "deadbeef", "password": "hunter2", "username": "admin"}  # noqa:F841
+    pii_dict = {"jwt": "deadbeef", "password": "hunter2", "username": "admin", b"authorization": "shh"}  # noqa
     return pwd

Original file line number	Diff line number	Diff line change
`@@ -109,7 +109,7 @@ def serialize(`
`109`	`109`	`": ".join(`
`110`	`110`	`(`
`111`	`111`	`serialize(_, level - 1, maxsize, maxlen, maxfields)`
`112`		`- for _ in (k, v if not (_isinstance(k, str) and redact(k)) else REDACTED_PLACEHOLDER)`
	`112`	`+ for _ in (k, v if not (_isinstance(k, (str, bytes)) and redact(k)) else REDACTED_PLACEHOLDER)`
`113`	`113`	`)`
`114`	`114`	`)`
`115`	`115`	`for k, v in islice(value.items(), maxsize)`
`@@ -279,7 +279,7 @@ def capture_value(`
`279`	`279`	`maxfields=maxfields,`
`280`	`280`	`stopping_cond=cond,`
`281`	`281`	`)`
`282`		`- if not (_isinstance(k, str) and redact(k))`
	`282`	`+ if not (_isinstance(k, (str, bytes)) and redact(k))`
`283`	`283`	`else redacted_value(v),`
`284`	`284`	`)`
`285`	`285`	`for k, v in takewhile(lambda _: not cond(_), islice(value.items(), maxsize))`
-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +fixes:
 +  - |
 +    dynamic instrumentation: extended captured value redaction in mappings with
 +    keys of type ``bytes``.