Filter sensitive data by default

Sovietaced · Sovietaced · commit 83c73f24dd14 · 2025-09-14T11:10:29.000-07:00
Signed-off-by: Jason Parraga &lt;sovietaced@gmail.com&gt;
diff --git a/extra/redisotel/config.go b/extra/redisotel/config.go
@@ -1,6 +1,8 @@
 package redisotel
 
 import (
+	"strings"
+
 	"github.com/redis/go-redis/v9"
 	"go.opentelemetry.io/otel"
 	"go.opentelemetry.io/otel/attribute"
@@ -63,6 +65,7 @@ func newConfig(opts ...baseOption) *config {
 		mp:            otel.GetMeterProvider(),
 		dbStmtEnabled: true,
 		callerEnabled: true,
+		filter:        defaultCommandFilter,
 	}
 
 	for _, opt := range opts {
@@ -134,6 +137,29 @@ func WithCommandFilter(filter func(cmd redis.Cmder) bool) TracingOption {
 	})
 }
 
+func defaultCommandFilter(cmd redis.Cmder) bool {
+	if strings.ToLower(cmd.Name()) == "auth" {
+		return true
+	}
+
+	if strings.ToLower(cmd.Name()) == "hello" {
+		if len(cmd.Args()) < 3 {
+			return false
+		}
+
+		arg, exists := cmd.Args()[2].(string)
+		if !exists {
+			return false
+		}
+
+		if strings.ToLower(arg) == "auth" {
+			return true
+		}
+	}
+
+	return false
+}
+
 //------------------------------------------------------------------------------
 
 type MetricsOption interface {
diff --git a/extra/redisotel/tracing_test.go b/extra/redisotel/tracing_test.go
@@ -150,6 +150,78 @@ func TestWithCommandFilter(t *testing.T) {
 			t.Fatal(err)
 		}
 	})
+
+	t.Run("auth command filtered by default", func(t *testing.T) {
+		provider := sdktrace.NewTracerProvider()
+		hook := newTracingHook(
+			"",
+			WithTracerProvider(provider),
+		)
+		ctx, span := provider.Tracer("redis-test").Start(context.TODO(), "redis-test")
+		cmd := redis.NewCmd(ctx, "auth", "test-password")
+		defer span.End()
+
+		processHook := hook.ProcessHook(func(ctx context.Context, cmd redis.Cmder) error {
+			innerSpan := trace.SpanFromContext(ctx).(sdktrace.ReadOnlySpan)
+			if innerSpan.Name() != "redis-test" || innerSpan.Name() == "auth" {
+				t.Fatalf("auth command should not be traced by default")
+			}
+
+			return nil
+		})
+		err := processHook(ctx, cmd)
+		if err != nil {
+			t.Fatal(err)
+		}
+	})
+
+	t.Run("hello command filtered by default when sensitive", func(t *testing.T) {
+		provider := sdktrace.NewTracerProvider()
+		hook := newTracingHook(
+			"",
+			WithTracerProvider(provider),
+		)
+		ctx, span := provider.Tracer("redis-test").Start(context.TODO(), "redis-test")
+		cmd := redis.NewCmd(ctx, "hello", 3, "AUTH", "test-user", "test-password")
+		defer span.End()
+
+		processHook := hook.ProcessHook(func(ctx context.Context, cmd redis.Cmder) error {
+			innerSpan := trace.SpanFromContext(ctx).(sdktrace.ReadOnlySpan)
+			if innerSpan.Name() != "redis-test" || innerSpan.Name() == "hello" {
+				t.Fatalf("auth command should not be traced by default")
+			}
+
+			return nil
+		})
+		err := processHook(ctx, cmd)
+		if err != nil {
+			t.Fatal(err)
+		}
+	})
+
+	t.Run("hello command not filtered by default when not sensitive", func(t *testing.T) {
+		provider := sdktrace.NewTracerProvider()
+		hook := newTracingHook(
+			"",
+			WithTracerProvider(provider),
+		)
+		ctx, span := provider.Tracer("redis-test").Start(context.TODO(), "redis-test")
+		cmd := redis.NewCmd(ctx, "hello", 3)
+		defer span.End()
+
+		processHook := hook.ProcessHook(func(ctx context.Context, cmd redis.Cmder) error {
+			innerSpan := trace.SpanFromContext(ctx).(sdktrace.ReadOnlySpan)
+			if innerSpan.Name() != "hello" {
+				t.Fatalf("hello command should be traced")
+			}
+
+			return nil
+		})
+		err := processHook(ctx, cmd)
+		if err != nil {
+			t.Fatal(err)
+		}
+	})
 }
 
 func TestTracingHook_DialHook(t *testing.T) {
