chore: sanitize http.url attribute values #3487
Conversation
|
|
|
i'm not sure what i need to do - i accepted as an individual contributor for the cla, but it says it is not enabled for this project. |
|
Are you signing the CLA with the email used to commit? |
daniel-white
force-pushed
the
chore/sanitize-url
branch
3 times, most recently
from
89aea3a
to
e74790b
Compare
| it('should return the input string when the value is not a valid url', () => { | ||
| const out = sanitizeAttribute( | ||
| SemanticAttributes.HTTP_URL, | ||
| 'invalid url' | ||
| ); | ||
|
|
||
| assert.strictEqual(out, 'invalid url'); | ||
| }); |
There was a problem hiding this comment.
Can you add to the test log message validations?
| let copyVal: AttributeValue; | ||
|
|
||
| if (Array.isArray(val)) { | ||
| copyVal = val.slice(); |
There was a problem hiding this comment.
In this case, we also want to return, no?
| if (!isValidPrimitiveAttributeValue(val)) { | ||
| diag.warn( | ||
| `Invalid attribute value set for key: ${SemanticAttributes.HTTP_URL}. Unable to sanitize complex value.` | ||
| ); | ||
|
|
||
| out = val; | ||
|
|
||
| return out; | ||
| } |
There was a problem hiding this comment.
why do you need to check that if you only accept strings?
There was a problem hiding this comment.
the URL constructor only takes a string or other URL instances.
|
thanks @osherv for the review - i'm working on your feedback. do you have any tips on how that i can debug in vscode? |
|
@daniel-white sure! unfortunately i'm working in Webstorm, i can help you debug with Webstorm 😅 |
daniel-white
force-pushed
the
chore/sanitize-url
branch
3 times, most recently
from
90a1bc7
to
6b9e85e
Compare
|
i know my tests/lint are failing. however, i'd like to confirm that this is the pattern you all would like to go with |
There was a problem hiding this comment.
Sorry for the late review. Thank you for working on this!
However, as the attribute http.url is part of the semantic conventions, but not part of the Trace SDK specification, I believe it would be more straightforward and performant to explicitly sanitize the credentials of the semantic convention attribute http.url in the instrumentations instead.
We can still export sanitizeHttpUrl in @opentelemetry/core to reduce duplications.
| @@ -94,3 +122,34 @@ function isValidPrimitiveAttributeValue(val: unknown): boolean { | |||
|
|
|||
| return false; | |||
| } | |||
|
|
|||
| function sanitizeHttpUrl(val: AttributeValue): AttributeValue | undefined { | |||
There was a problem hiding this comment.
Would this return undefined?
| @@ -279,7 +285,7 @@ export class Span implements api.Span, ReadableSpan { | |||
| * @param value Attribute value | |||
| * @returns truncated attribute value if required, otherwise same value | |||
| */ | |||
| private _truncateToSize(value: SpanAttributeValue): SpanAttributeValue { | |||
There was a problem hiding this comment.
In the SDK, we still keep the deprecated SpanAttributeValue because the SDK is required to support the older version of @opentelemetry/api.
Would you mind reverting these unrelated changes? Thank you!
| describe('http.url', () => { | ||
| it('should remove username and password from the url', () => { | ||
| const out = sanitizeAttribute( | ||
| SemanticAttributes.HTTP_URL, |
There was a problem hiding this comment.
Would you mind converting those test cases into table-based tests to reduce the repetition between tests?
const testData = [
{
name: 'should remove username and password from the url',
input: 'http://user:pass@host:9000/path?query#fragment',
expect: 'http://host:9000/path?query#fragment',
},
...
];
for (const item of testData) {
it(item.name, () => {
...
});
}There was a problem hiding this comment.
sure that would be possible.
| let out: AttributeValue | undefined; | ||
|
|
||
| if (typeof val !== 'string') { | ||
| diag.warn( |
There was a problem hiding this comment.
I'd find these diag warnings in the value sanitizer unexpected. I think it should be still valid for trace-sdk users to set arbitrary valid attribute values as http.url. http.url is part of the semantic conventions, not part of the SDK specifications.
@open-telemetry/javascript-approvers WDYT?
There was a problem hiding this comment.
according to #2000, its part of the specification. i'm open to all of your guidance on how to approach this
There was a problem hiding this comment.
Yes, it's part of the semantic convention specification, not the trace sdk specification. So IMHO the constraints should only be applied to instrumentations that collect those attributes.
daniel-white
force-pushed
the
chore/sanitize-url
branch
from
6b9e85e
to
daec69f
Compare
daniel-white
force-pushed
the
chore/sanitize-url
branch
from
daec69f
to
de9e811
Compare
|
This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days. |
|
This PR was closed because it has been stale for 14 days with no activity. |
Which problem is this PR solving?
Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.
I added a map of semantic attributes to a value sanitizing function. also made this work for one off values.
Errata: I'm not sure if you want to classify this as a breaking change or not. Also, I'm not sure why my tests are failing. Any vscode+mocha tips appreciated!
Fixes #2000
Short description of the changes
Type of change
Please delete options that are not relevant.
How Has This Been Tested?
Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration
Checklist: