Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

http.url MUST NOT contain credentials #1502

Merged
merged 7 commits into from
Mar 5, 2021
Merged

http.url MUST NOT contain credentials #1502

merged 7 commits into from
Mar 5, 2021

Conversation

pellared
Copy link
Member

@pellared pellared commented Mar 4, 2021

Why

Example request's URL: https://username:password@example.com:8080/path/to/file.aspx?query=1#fragment

What is the expected attribute's value in such a case? For sure we should not pass the password. The username should not there as well per #1502 (comment).

Why do I think it is important? Because I saw this in OTel .NET SDK: https://github.com/open-telemetry/opentelemetry-dotnet/blob/main/src/OpenTelemetry.Instrumentation.Http/Implementation/HttpHandlerDiagnosticListener.cs#L115

Reference:

What

Mandate to get rid of username (thanks to @yurishkuro) and password if it is present in the URL.

@pellared pellared requested review from a team March 4, 2021 21:05
Copy link
Contributor

@jsuereth jsuereth left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would you mind updating changelog with this change?

@pellared
Copy link
Member Author

pellared commented Mar 4, 2021

Would you mind updating changelog with this change?

Done 1bcdc0b

@pjanotti
Copy link

pjanotti commented Mar 4, 2021

cc @cijothomas for the OTel.NET SDK mention

@@ -16,6 +16,9 @@ groups:
brief: >
Full HTTP request URL in the form `scheme://host[:port]/path?query[#fragment]`.
Usually the fragment is not transmitted over HTTP, but if it is known, it should be included nevertheless.
note: >
`http.url` MUST NOT contain the password if it is passed via URL in form of `https://username:password@www.example.com/`.
In such case the attribute's value can be set as `https://username:@www.example.com/` or `https://www.example.com/`.
Copy link
Member

@yurishkuro yurishkuro Mar 4, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would suggest going with a more strict rule and require stripping everything before @. If people want username they can always add it separately, but logging username by default could be a huge privacy concern given recent EU regulations like ePD.

Copy link
Member Author

@pellared pellared Mar 4, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree, GDPR etc. It would be compatible with https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/trace/semantic_conventions/span-general.md#general-identity-attributes:

Given the sensitive nature of this information, SDKs and exporters SHOULD drop these attributes by default and then provide a configuration parameter to turn on retention for use cases where the information is required and would not violate any policies or regulations.

Copy link
Member Author

@pellared pellared Mar 4, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@yurishkuro
Addressed.
Could you please double-check?

@pellared pellared changed the title http.url MUST NOT contain password http.url MUST NOT contain any credentials Mar 4, 2021
@pellared pellared changed the title http.url MUST NOT contain any credentials http.url MUST NOT contain credentials Mar 4, 2021
@pellared pellared requested a review from yurishkuro March 4, 2021 22:42
@mrveera
Copy link

mrveera commented Mar 9, 2021

I understand because of sensitivity of info we have to clear everything but for enduser it won't be evident that URL was containing username and password when it got here. Instead if we have redacted version like https://***:***@www.example.com/ it will be more evident in expressing URL contains username and password but they are redacted for security reasons.

If we don't go with redacted version it might cause ambiguity for someone checking if url contains creds or not because in span with creds and without creds will be same.

options:

  1. Use redacted version like https://***:***@www.example.com/
  2. An attribute to say that credential info is removed (As @matej-g suggested here)

@pellared
Copy link
Member Author

pellared commented Mar 9, 2021

@veera83372

Regarding Option 1: I suggest NOT to redact it to https://***:***@www.example.com/. Why?

  1. If a malicious user accesses this data, he would gain knowledge that could help him in making deeper attacks. Removing it completely reduces the attack surface.
  2. Doing *** is anonymization which AFAIK according to GDPR is a kind of personal data processing. Not even touching this info makes sure that auth data won't be processed.
  3. Probably (I am not sure here) if you sniff the traffic the URL would be https://www.example.com/ and the auth data would be passed via HTTP Headers.

Option 2 is better. However, I think such an attribute would HAVE TO be optional (disabled by default) in order to make sure that the default configuration is as secure as possible.

@Oberon00
Copy link
Member

Oberon00 commented Mar 9, 2021

  1. Doing *** is anonymization which AFAIK according to GDPR is a kind of personal data processing. Not even touching this info makes sure that auth data won't be processed.

At the point where it reaches your instrumentation/exporter/... code it has already been processed (e.g. the HTTP request containing it has been parsed). IANAL, but I would be extremely surprised if the additional "processing" of doing anonymization would be a GDPR problem in itself (if the processing to get it to the point where you can anonymize it wasn't already).

@mrveera
Copy link

mrveera commented Mar 9, 2021

I am fine option 2 as well but just want to clarify *** i didn't mean process any credentials data. We have to generate URL string without creds anyway, What i am trying to say is just add ***:***@ before actual URL if creds are present. Don't need to do processing on data.

2. Doing `***` is anonymization which AFAIK according to GDPR is a kind of personal data processing. Not even touching this info makes sure that auth data won't be processed.

@pellared
Copy link
Member Author

pellared commented Mar 9, 2021

@veera83372 I understand. My biggest concern is:

If a malicious user accesses this data, he would gain knowledge that could help him in making deeper attacks. Removing it completely reduces the attack surface.

@Oberon00
You are correct. I state say it differently.
IANAL, but I guess that from a GDPR perspective, not persisting the data (or not passing data further) is better (safer) than anonymization.

@Oberon00
Copy link
Member

Oberon00 commented Mar 9, 2021

I guess that from a GDPR perspective, not persisting the data (or not passing data further) is better (safer) than anonymization.

👍 I agree. But my understanding of the *** suggestion was to actually replace the user and password with the string ***:***, discarding the original data, leaving only the info that user+password was there at all but not what it was.

@pellared
Copy link
Member Author

pellared commented Mar 9, 2021

@Oberon00 @veera83372

But my understanding of the *** suggestion was to actually replace the user and password with the string :, discarding the original data, leaving only the info that user+password was there at all but not what it was.

This is what anonymization is. It leaves traces that there was "something"😉 Malicious user could dig deeper to try to get this info from other sources. Defence in depth.

@yurishkuro Do you think what I write here makes sense?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.