Skip to content

Commit

Permalink
Add WithRedactedHeaders and WithoutHeaders options to NewClientTrace
Browse files Browse the repository at this point in the history
On testing we learned that sensitive information was being stored
in the traces.  To prevent the security leak several security or
sensitive headers will now be redacted. These are the headers
redacted by default:
    Authorization
    WWW-Authenticate
    Proxy-Authenticate
    Proxy-Authorization
    Cookie
    Set-Cookie

Users can add more headers to redact with WithRedactedHeaders. To
disable adding headers to the span entirely users can use WithoutHeaders.
  • Loading branch information
coryb committed Jul 12, 2021
1 parent ce76e05 commit 5801e3b
Show file tree
Hide file tree
Showing 3 changed files with 60 additions and 8 deletions.
2 changes: 1 addition & 1 deletion CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm

### Changed

- Added `WithoutSubSpans` option to `NewClientTrace` in the `instrumentation/net/http/httptrace/otelhttptrace` package (#879)
- Added `WithoutSubSpans`, `WithRedactedHeaders`, and `WithoutHeaders` options to `NewClientTrace` in the `instrumentation/net/http/httptrace/otelhttptrace` package (#879)

## [0.21.0] - 2021-06-18

Expand Down
58 changes: 52 additions & 6 deletions instrumentation/net/http/httptrace/otelhttptrace/clienttrace.go
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ import (
"net/textproto"
"strings"
"sync"
"unicode"

"go.opentelemetry.io/contrib"
"go.opentelemetry.io/otel"
Expand Down Expand Up @@ -73,22 +74,53 @@ func WithoutSubSpans() ClientTraceOption {
}
}

// WithRedactedHeaders will "x" out header values for the header names
// provided. These are in addition to the sensitive headers already
// redacted by default: Authorization, WWW-Authenticate, Proxy-Authenticate
// Proxy-Authorization, Cookie, Set-Cookie
func WithRedactedHeaders(headers ...string) ClientTraceOption {
return func(ct *clientTracer) {
for _, header := range headers {
ct.redactedHeaders[strings.ToLower(header)] = struct{}{}
}
}
}

// WithoutHeaders will disable adding span annotations for the http headers
// and values.
func WithoutHeaders() ClientTraceOption {
return func(ct *clientTracer) {
ct.addHeaders = false
}
}

type clientTracer struct {
context.Context

tr trace.Tracer

activeHooks map[string]context.Context
root trace.Span
mtx sync.Mutex
useSpans bool
activeHooks map[string]context.Context
root trace.Span
mtx sync.Mutex
redactedHeaders map[string]struct{}
addHeaders bool
useSpans bool
}

func NewClientTrace(ctx context.Context, opts ...ClientTraceOption) *httptrace.ClientTrace {
ct := &clientTracer{
Context: ctx,
activeHooks: make(map[string]context.Context),
useSpans: true,
redactedHeaders: map[string]struct{}{
"authorization": {},
"www-authenticate": {},
"proxy-authenticate": {},
"proxy-authorization": {},
"cookie": {},
"set-cookie": {},
},
addHeaders: true,
useSpans: true,
}
for _, opt := range opts {
opt(ct)
Expand Down Expand Up @@ -259,7 +291,21 @@ func (ct *clientTracer) wroteHeaderField(k string, v []string) {
if ct.useSpans && ct.span("http.headers") == nil {
ct.start("http.headers", "http.headers")
}
ct.root.SetAttributes(attribute.String("http."+strings.ToLower(k), sliceToString(v)))
if !ct.addHeaders {
return
}
k = strings.ToLower(k)
value := sliceToString(v)
if _, ok := ct.redactedHeaders[k]; ok {
// redact all non-space runes to 'x'
value = strings.Map(func(r rune) rune {
if unicode.IsSpace(r) {
return r
}
return 'x'
}, value)
}
ct.root.SetAttributes(attribute.String("http."+k, value))
}

func (ct *clientTracer) wroteHeaders() {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -293,6 +293,7 @@ func TestWithoutSubSpans(t *testing.T) {
)
req, err = http.NewRequestWithContext(ctx, http.MethodGet, ts.URL, nil)
req.Header.Set("User-Agent", "oteltest/1.1")
req.Header.Set("Authorization", "Bearer token123")
require.NoError(t, err)
resp, err = ts.Client().Do(req)
require.NoError(t, err)
Expand All @@ -316,7 +317,7 @@ func TestWithoutSubSpans(t *testing.T) {
assert.Equal(t, expectedEventNames, gotEventNames)

gotAttributes := recSpan.Attributes()
require.Len(t, gotAttributes, 8)
require.Len(t, gotAttributes, 9)
assert.Equal(t,
attribute.StringValue("gzip"),
gotAttributes[attribute.Key("http.accept-encoding")],
Expand All @@ -325,6 +326,11 @@ func TestWithoutSubSpans(t *testing.T) {
attribute.StringValue("oteltest/1.1"),
gotAttributes[attribute.Key("http.user-agent")],
)
// verify redacted auth headers
assert.Equal(t,
attribute.StringValue("xxxxxx xxxxxxxx"),
gotAttributes[attribute.Key("http.authorization")],
)
// value is dynamic, just verify we have the attribute
assert.Contains(t, gotAttributes, attribute.Key("http.conn.idletime"))
assert.Equal(t,
Expand Down

0 comments on commit 5801e3b

Please sign in to comment.