Redact specific url query string values and url credentials by default in instrumentations

Author: rads-1996

util/opentelemetry-util-http/src/opentelemetry/util/http/__init__.py

@@ -58,6 +58,7 @@
     SpanAttributes.HTTP_SERVER_NAME,
 }
 
+PARAMS_TO_REDACT = ["AWSAccessKeyId", "Signature", "sig", "X-Goog-Signature"]
 
 class ExcludeList:
     """Class to exclude certain paths (given as a list of regexes) from tracing requests"""
@@ -160,22 +161,23 @@ def parse_excluded_urls(excluded_urls: str) -> ExcludeList:
 
 def remove_url_credentials(url: str) -> str:
     """Given a string url, remove the username and password only if it is a valid url"""
-
+    # Modifying current functionality of removing url credentials and instead replacing the username and password with the keyword "REDACTED" as per the semantic conventions for http-spans (https://github.com/open-telemetry/semantic-conventions/blob/main/docs/http/http-spans.md)
     try:
         parsed = urlparse(url)
         if all([parsed.scheme, parsed.netloc]):  # checks for valid url
-            parsed_url = urlparse(url)
-            _, _, netloc = parsed.netloc.rpartition("@")
-            return urlunparse(
-                (
-                    parsed_url.scheme,
-                    netloc,
-                    parsed_url.path,
-                    parsed_url.params,
-                    parsed_url.query,
-                    parsed_url.fragment,
+            if '@' in parsed.netloc:
+                _, _, host = parsed.netloc.rpartition("@")
+                new_netloc = "REDACTED:REDACTED@" + host
+                return urlunparse(
+                    (
+                        parsed.scheme,
+                        new_netloc,
+                        parsed.path,
+                        parsed.params,
+                        parsed.query,
+                        parsed.fragment,
+                    )
                 )
-            )
     except ValueError:  # an unparsable url was passed
         pass
     return url
@@ -255,3 +257,43 @@ def _parse_url_query(url: str):
     path = parsed_url.path
     query_params = parsed_url.query
     return path, query_params
+
+def redact_query_parameters(url: str) -> str:
+    """Given a string url, redact sensitive query parameter values"""
+    try:
+        parsed = urlparse(url)
+        if not parsed.query:  # No query parameters to redact
+            return url
+            
+        # Check if any of the sensitive parameters are in the query
+        has_sensitive_params = any(param + "=" in parsed.query for param in PARAMS_TO_REDACT)
+        if not has_sensitive_params:
+            return url
+            
+        # Process query parameters
+        query_parts: list[str] = []
+        for query_part in parsed.query.split("&"):
+            if "=" in query_part:
+                param_name, _ = query_part.split("=", 1) # Parameter name and value
+                if param_name in PARAMS_TO_REDACT:
+                    query_parts.append(f"{param_name}=REDACTED")
+                else:
+                    query_parts.append(query_part)
+            else:
+                query_parts.append(query_part)  # Handle params with no value
+                
+        # Reconstruct the URL with redacted query parameters
+        redacted_query = "&".join(query_parts)
+        return urlunparse(
+            (
+                parsed.scheme,
+                parsed.netloc,
+                parsed.path,
+                parsed.params,
+                redacted_query,
+                parsed.fragment,
+            )
+        )
+    except ValueError:  # an unparsable url was passed
+        pass
+    return url

util/opentelemetry-util-http/tests/test_redact_query_parameters.py

@@ -0,0 +1,51 @@
+import unittest
+from opentelemetry.util.http import redact_query_parameters
+
+class TestRedactSensitiveInfo(unittest.TestCase):
+    def test_redact_goog_signature(self):
+        url = "https://www.example.com/path?color=blue&X-Goog-Signature=secret"
+        self.assertEqual(redact_query_parameters(url), "https://www.example.com/path?color=blue&X-Goog-Signature=REDACTED")
+    
+    def test_no_redaction_needed(self):
+        url = "https://www.example.com/path?color=blue&query=secret"
+        self.assertEqual(redact_query_parameters(url), "https://www.example.com/path?color=blue&query=secret")
+    
+    def test_no_query_parameters(self):
+        url = "https://www.example.com/path"
+        self.assertEqual(redact_query_parameters(url), "https://www.example.com/path")
+    
+    def test_empty_query_string(self):
+        url = "https://www.example.com/path?"
+        self.assertEqual(redact_query_parameters(url), "https://www.example.com/path?")
+    
+    def test_empty_url(self):
+        url = ""
+        self.assertEqual(redact_query_parameters(url), "")
+    
+    def test_redact_aws_access_key_id(self):
+        url = "https://www.example.com/path?color=blue&AWSAccessKeyId=secrets" 
+        self.assertEqual(redact_query_parameters(url), "https://www.example.com/path?color=blue&AWSAccessKeyId=REDACTED")
+    
+    def test_api_key_not_in_redact_list(self):
+        url = "https://www.example.com/path?api_key=secret%20key&user=john"
+        self.assertNotEqual(redact_query_parameters(url), "https://www.example.com/path?api_key=REDACTED&user=john")
+    
+    def test_password_key_not_in_redact_list(self):
+        url = "https://api.example.com?key=abc&password=123&user=admin"
+        self.assertNotEqual(redact_query_parameters(url), "https://api.example.com?key=REDACTED&password=REDACTED&user=admin")
+    
+    def test_url_with_at_symbol_in_path_and_query(self):
+        url = "https://github.com/p@th?foo=b@r"
+        self.assertEqual(redact_query_parameters(url), "https://github.com/p@th?foo=b@r")
+    
+    def test_aws_access_key_with_real_format(self):
+        url = "https://microsoft.com?AWSAccessKeyId=AKIAIOSFODNN7" 
+        self.assertEqual(redact_query_parameters(url), "https://microsoft.com?AWSAccessKeyId=REDACTED")
+    
+    def test_signature_parameter(self):
+        url = "https://service.com?sig=39Up9jzHkxhuIhFE9594DJxe7w6cIRCg0V6ICGS0" 
+        self.assertEqual(redact_query_parameters(url), "https://service.com?sig=REDACTED")
+    
+    def test_signature_with_url_encoding(self):
+        url = "https://service.com?Signature=39Up9jzHkxhuIhFE9594DJxe7w6cIRCg0V6ICGS0%3A377" 
+        self.assertEqual(redact_query_parameters(url), "https://service.com?Signature=REDACTED")

util/opentelemetry-util-http/tests/test_remove_credentials.py

@@ -13,19 +13,25 @@ def test_remove_credentials(self):
         url = "http://someuser:[email protected]:8080/test/path?query=value"
         cleaned_url = remove_url_credentials(url)
         self.assertEqual(
-            cleaned_url, "http://opentelemetry.io:8080/test/path?query=value"
+            cleaned_url, "http://REDACTED:REDACTED@opentelemetry.io:8080/test/path?query=value"
         )
 
     def test_remove_credentials_ipv4_literal(self):
         url = "http://someuser:[email protected]:8080/test/path?query=value"
         cleaned_url = remove_url_credentials(url)
         self.assertEqual(
-            cleaned_url, "http://127.0.0.1:8080/test/path?query=value"
+            cleaned_url, "http://REDACTED:REDACTED@127.0.0.1:8080/test/path?query=value"
         )
 
     def test_remove_credentials_ipv6_literal(self):
         url = "http://someuser:somepass@[::1]:8080/test/path?query=value"
         cleaned_url = remove_url_credentials(url)
         self.assertEqual(
-            cleaned_url, "http://[::1]:8080/test/path?query=value"
+            cleaned_url, "http://REDACTED:REDACTED@[::1]:8080/test/path?query=value"
         )
+
+    def test_empty_url(self):
+        url = ""
+        cleaned_url = remove_url_credentials(url)
+        self.assertEqual(cleaned_url, url)
+