fix(ci_visibility): sanitize GITHUB_SERVER_URL env var when parsing GitHub CI env [backport 1.20] (#7600)

Backport a599002 from #7583 to 1.20.

This fixes prevents potential credentials in GITHUB_SERVER_URL env vars
from leaking into the `_dd.ci.env_vars` tag.

## Checklist

- [x] Change(s) are motivated and described in the PR description.
- [x] Testing strategy is described if automated tests are not included
in the PR.
- [x] Risk is outlined (performance impact, potential for breakage,
maintainability, etc).
- [x] Change is maintainable (easy to change, telemetry, documentation).
- [x] [Library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
are followed. If no release note is required, add label
`changelog/no-changelog`.
- [x] Documentation is included (in-code, generated user docs, [public
corp docs](https://github.com/DataDog/documentation/)).
- [x] Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist

- [x] Title is accurate.
- [x] No unnecessary changes are introduced.
- [x] Description motivates each change.
- [x] Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes unless absolutely necessary.
- [x] Testing strategy adequately addresses listed risk(s).
- [x] Change is maintainable (easy to change, telemetry, documentation).
- [x] Release note makes sense to a user of the library.
- [x] Reviewer has explicitly acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment.
- [x] Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)
- [x] If this PR touches code that signs or publishes builds or
packages, or handles credentials of any kind, I've requested a review
from `@DataDog/security-design-and-guidance`.
- [x] This PR doesn't touch any of that.

Co-authored-by: Romain Komorn <[email protected]>
Co-authored-by: Munir Abdinur <[email protected]>

Author: 3 people

ddtrace/ext/ci.py

@@ -337,31 +337,33 @@ def extract_github_actions(env):
     # type: (MutableMapping[str, str]) -> Dict[str, Optional[str]]
     """Extract CI tags from Github environ."""
 
+    github_server_url = _filter_sensitive_info(env.get("GITHUB_SERVER_URL"))
+    github_repository = env.get("GITHUB_REPOSITORY")
+    git_commit_sha = env.get("GITHUB_SHA")
+    github_run_id = env.get("GITHUB_RUN_ID")
+    run_attempt = env.get("GITHUB_RUN_ATTEMPT")
+
     pipeline_url = "{0}/{1}/actions/runs/{2}".format(
-        env.get("GITHUB_SERVER_URL"),
-        env.get("GITHUB_REPOSITORY"),
-        env.get("GITHUB_RUN_ID"),
+        github_server_url,
+        github_repository,
+        github_run_id,
     )
-    run_attempt = env.get("GITHUB_RUN_ATTEMPT")
-    if run_attempt:
-        pipeline_url = "{0}/attempts/{1}".format(pipeline_url, run_attempt)
 
     env_vars = {
-        "GITHUB_SERVER_URL": env.get("GITHUB_SERVER_URL"),
-        "GITHUB_REPOSITORY": env.get("GITHUB_REPOSITORY"),
-        "GITHUB_RUN_ID": env.get("GITHUB_RUN_ID"),
+        "GITHUB_SERVER_URL": github_server_url,
+        "GITHUB_REPOSITORY": github_repository,
+        "GITHUB_RUN_ID": github_run_id,
     }
-    if env.get("GITHUB_RUN_ATTEMPT") is not None:
-        env_vars["GITHUB_RUN_ATTEMPT"] = env["GITHUB_RUN_ATTEMPT"]
+    if run_attempt:
+        env_vars["GITHUB_RUN_ATTEMPT"] = run_attempt
+        pipeline_url = "{0}/attempts/{1}".format(pipeline_url, run_attempt)
 
     return {
         git.BRANCH: env.get("GITHUB_HEAD_REF") or env.get("GITHUB_REF"),
-        git.COMMIT_SHA: env.get("GITHUB_SHA"),
-        git.REPOSITORY_URL: "{0}/{1}.git".format(env.get("GITHUB_SERVER_URL"), env.get("GITHUB_REPOSITORY")),
-        JOB_URL: "{0}/{1}/commit/{2}/checks".format(
-            env.get("GITHUB_SERVER_URL"), env.get("GITHUB_REPOSITORY"), env.get("GITHUB_SHA")
-        ),
-        PIPELINE_ID: env.get("GITHUB_RUN_ID"),
+        git.COMMIT_SHA: git_commit_sha,
+        git.REPOSITORY_URL: "{0}/{1}.git".format(github_server_url, github_repository),
+        JOB_URL: "{0}/{1}/commit/{2}/checks".format(github_server_url, github_repository, git_commit_sha),
+        PIPELINE_ID: github_run_id,
         PIPELINE_NAME: env.get("GITHUB_WORKFLOW"),
         PIPELINE_NUMBER: env.get("GITHUB_RUN_NUMBER"),
         PIPELINE_URL: pipeline_url,

releasenotes/notes/ci_visibility-fix-sanitize-github-server-urls-8988b407b68afac7.yaml

@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    CI Visibility: fixes the fact that the GITHUB_SERVER_URL environment variable was not being sanitized for
+    credentials

tests/tracer/fixtures/ci/github.json

@@ -352,6 +352,174 @@
       "git.tag": "0.1.0"
     }
   ],
+  [
+    {
+      "GITHUB_ACTION": "run",
+      "GITHUB_JOB": "github-job-name",
+      "GITHUB_REF": "origin/tags/0.1.0",
+      "GITHUB_REPOSITORY": "ghactions-repo",
+      "GITHUB_RUN_ID": "ghactions-pipeline-id",
+      "GITHUB_RUN_NUMBER": "ghactions-pipeline-number",
+      "GITHUB_SERVER_URL": "https://github.com",
+      "GITHUB_SHA": "ghactions-commit",
+      "GITHUB_WORKFLOW": "ghactions-pipeline-name",
+      "GITHUB_WORKSPACE": "/foo/bar"
+    },
+    {
+      "_dd.ci.env_vars": "{\"GITHUB_SERVER_URL\":\"https://github.com\",\"GITHUB_REPOSITORY\":\"ghactions-repo\",\"GITHUB_RUN_ID\":\"ghactions-pipeline-id\"}",
+      "ci.job.name": "github-job-name",
+      "ci.job.url": "https://github.com/ghactions-repo/commit/ghactions-commit/checks",
+      "ci.pipeline.id": "ghactions-pipeline-id",
+      "ci.pipeline.name": "ghactions-pipeline-name",
+      "ci.pipeline.number": "ghactions-pipeline-number",
+      "ci.pipeline.url": "https://github.com/ghactions-repo/actions/runs/ghactions-pipeline-id",
+      "ci.provider.name": "github",
+      "ci.workspace_path": "/foo/bar",
+      "git.commit.sha": "ghactions-commit",
+      "git.repository_url": "https://github.com/ghactions-repo.git",
+      "git.tag": "0.1.0"
+    }
+  ],
+  [
+    {
+      "GITHUB_ACTION": "run",
+      "GITHUB_JOB": "github-job-name",
+      "GITHUB_REF": "origin/tags/0.1.0",
+      "GITHUB_REPOSITORY": "ghactions-repo",
+      "GITHUB_RUN_ID": "ghactions-pipeline-id",
+      "GITHUB_RUN_NUMBER": "ghactions-pipeline-number",
+      "GITHUB_SERVER_URL": "https://user:[email protected]",
+      "GITHUB_SHA": "ghactions-commit",
+      "GITHUB_WORKFLOW": "ghactions-pipeline-name",
+      "GITHUB_WORKSPACE": "/foo/bar"
+    },
+    {
+      "_dd.ci.env_vars": "{\"GITHUB_SERVER_URL\":\"https://github.com\",\"GITHUB_REPOSITORY\":\"ghactions-repo\",\"GITHUB_RUN_ID\":\"ghactions-pipeline-id\"}",
+      "ci.job.name": "github-job-name",
+      "ci.job.url": "https://github.com/ghactions-repo/commit/ghactions-commit/checks",
+      "ci.pipeline.id": "ghactions-pipeline-id",
+      "ci.pipeline.name": "ghactions-pipeline-name",
+      "ci.pipeline.number": "ghactions-pipeline-number",
+      "ci.pipeline.url": "https://github.com/ghactions-repo/actions/runs/ghactions-pipeline-id",
+      "ci.provider.name": "github",
+      "ci.workspace_path": "/foo/bar",
+      "git.commit.sha": "ghactions-commit",
+      "git.repository_url": "https://github.com/ghactions-repo.git",
+      "git.tag": "0.1.0"
+    }
+  ],
+  [
+    {
+      "GITHUB_ACTION": "run",
+      "GITHUB_JOB": "github-job-name",
+      "GITHUB_REF": "origin/tags/0.1.0",
+      "GITHUB_REPOSITORY": "ghactions-repo",
+      "GITHUB_RUN_ID": "ghactions-pipeline-id",
+      "GITHUB_RUN_NUMBER": "ghactions-pipeline-number",
+      "GITHUB_SERVER_URL": "https://[email protected]",
+      "GITHUB_SHA": "ghactions-commit",
+      "GITHUB_WORKFLOW": "ghactions-pipeline-name",
+      "GITHUB_WORKSPACE": "/foo/bar"
+    },
+    {
+      "_dd.ci.env_vars": "{\"GITHUB_SERVER_URL\":\"https://github.com\",\"GITHUB_REPOSITORY\":\"ghactions-repo\",\"GITHUB_RUN_ID\":\"ghactions-pipeline-id\"}",
+      "ci.job.name": "github-job-name",
+      "ci.job.url": "https://github.com/ghactions-repo/commit/ghactions-commit/checks",
+      "ci.pipeline.id": "ghactions-pipeline-id",
+      "ci.pipeline.name": "ghactions-pipeline-name",
+      "ci.pipeline.number": "ghactions-pipeline-number",
+      "ci.pipeline.url": "https://github.com/ghactions-repo/actions/runs/ghactions-pipeline-id",
+      "ci.provider.name": "github",
+      "ci.workspace_path": "/foo/bar",
+      "git.commit.sha": "ghactions-commit",
+      "git.repository_url": "https://github.com/ghactions-repo.git",
+      "git.tag": "0.1.0"
+    }
+  ],
+  [
+    {
+      "GITHUB_ACTION": "run",
+      "GITHUB_JOB": "github-job-name",
+      "GITHUB_REF": "origin/tags/0.1.0",
+      "GITHUB_REPOSITORY": "ghactions-repo",
+      "GITHUB_RUN_ID": "ghactions-pipeline-id",
+      "GITHUB_RUN_NUMBER": "ghactions-pipeline-number",
+      "GITHUB_SERVER_URL": "https://user:[email protected]:1234",
+      "GITHUB_SHA": "ghactions-commit",
+      "GITHUB_WORKFLOW": "ghactions-pipeline-name",
+      "GITHUB_WORKSPACE": "/foo/bar"
+    },
+    {
+      "_dd.ci.env_vars": "{\"GITHUB_SERVER_URL\":\"https://github.com:1234\",\"GITHUB_REPOSITORY\":\"ghactions-repo\",\"GITHUB_RUN_ID\":\"ghactions-pipeline-id\"}",
+      "ci.job.name": "github-job-name",
+      "ci.job.url": "https://github.com:1234/ghactions-repo/commit/ghactions-commit/checks",
+      "ci.pipeline.id": "ghactions-pipeline-id",
+      "ci.pipeline.name": "ghactions-pipeline-name",
+      "ci.pipeline.number": "ghactions-pipeline-number",
+      "ci.pipeline.url": "https://github.com:1234/ghactions-repo/actions/runs/ghactions-pipeline-id",
+      "ci.provider.name": "github",
+      "ci.workspace_path": "/foo/bar",
+      "git.commit.sha": "ghactions-commit",
+      "git.repository_url": "https://github.com:1234/ghactions-repo.git",
+      "git.tag": "0.1.0"
+    }
+  ],
+  [
+    {
+      "GITHUB_ACTION": "run",
+      "GITHUB_JOB": "github-job-name",
+      "GITHUB_REF": "origin/tags/0.1.0",
+      "GITHUB_REPOSITORY": "ghactions-repo",
+      "GITHUB_RUN_ID": "ghactions-pipeline-id",
+      "GITHUB_RUN_NUMBER": "ghactions-pipeline-number",
+      "GITHUB_SERVER_URL": "https://user:[email protected]",
+      "GITHUB_SHA": "ghactions-commit",
+      "GITHUB_WORKFLOW": "ghactions-pipeline-name",
+      "GITHUB_WORKSPACE": "/foo/bar"
+    },
+    {
+      "_dd.ci.env_vars": "{\"GITHUB_SERVER_URL\":\"https://1.1.1.1\",\"GITHUB_REPOSITORY\":\"ghactions-repo\",\"GITHUB_RUN_ID\":\"ghactions-pipeline-id\"}",
+      "ci.job.name": "github-job-name",
+      "ci.job.url": "https://1.1.1.1/ghactions-repo/commit/ghactions-commit/checks",
+      "ci.pipeline.id": "ghactions-pipeline-id",
+      "ci.pipeline.name": "ghactions-pipeline-name",
+      "ci.pipeline.number": "ghactions-pipeline-number",
+      "ci.pipeline.url": "https://1.1.1.1/ghactions-repo/actions/runs/ghactions-pipeline-id",
+      "ci.provider.name": "github",
+      "ci.workspace_path": "/foo/bar",
+      "git.commit.sha": "ghactions-commit",
+      "git.repository_url": "https://1.1.1.1/ghactions-repo.git",
+      "git.tag": "0.1.0"
+    }
+  ],
+  [
+    {
+      "GITHUB_ACTION": "run",
+      "GITHUB_JOB": "github-job-name",
+      "GITHUB_REF": "origin/tags/0.1.0",
+      "GITHUB_REPOSITORY": "ghactions-repo",
+      "GITHUB_RUN_ID": "ghactions-pipeline-id",
+      "GITHUB_RUN_NUMBER": "ghactions-pipeline-number",
+      "GITHUB_SERVER_URL": "https://user:[email protected]:1234",
+      "GITHUB_SHA": "ghactions-commit",
+      "GITHUB_WORKFLOW": "ghactions-pipeline-name",
+      "GITHUB_WORKSPACE": "/foo/bar"
+    },
+    {
+      "_dd.ci.env_vars": "{\"GITHUB_SERVER_URL\":\"https://1.1.1.1:1234\",\"GITHUB_REPOSITORY\":\"ghactions-repo\",\"GITHUB_RUN_ID\":\"ghactions-pipeline-id\"}",
+      "ci.job.name": "github-job-name",
+      "ci.job.url": "https://1.1.1.1:1234/ghactions-repo/commit/ghactions-commit/checks",
+      "ci.pipeline.id": "ghactions-pipeline-id",
+      "ci.pipeline.name": "ghactions-pipeline-name",
+      "ci.pipeline.number": "ghactions-pipeline-number",
+      "ci.pipeline.url": "https://1.1.1.1:1234/ghactions-repo/actions/runs/ghactions-pipeline-id",
+      "ci.provider.name": "github",
+      "ci.workspace_path": "/foo/bar",
+      "git.commit.sha": "ghactions-commit",
+      "git.repository_url": "https://1.1.1.1:1234/ghactions-repo.git",
+      "git.tag": "0.1.0"
+    }
+  ],
   [
     {
       "GITHUB_ACTION": "run",