fix(mongo): rewrite Buffer as ? during serialization

Author: bcoe

packages/node/src/integrations/tracing/mongo.ts

@@ -11,12 +11,59 @@ export const instrumentMongo = generateInstrumentOnce(
   INTEGRATION_NAME,
   () =>
     new MongoDBInstrumentation({
+      dbStatementSerializer: _defaultDbStatementSerializer,
       responseHook(span) {
         addOriginToSpan(span, 'auto.db.otel.mongo');
       },
     }),
 );
 
+/**
+ * Replaces values in document with '?', hiding PII and helping grouping.
+ */
+export function _defaultDbStatementSerializer(commandObj: Record<string, unknown>): string {
+  const resultObj = _scrubStatement(commandObj);
+  return JSON.stringify(resultObj);
+}
+
+function _scrubStatement(value: unknown): unknown {
+  if (Array.isArray(value)) {
+    return value.map(element => _scrubStatement(element));
+  }
+
+  if (isCommandObj(value)) {
+    const initial: Record<string, unknown> = {};
+    return Object.entries(value).map(([key, element]) => [
+      key,
+      _scrubStatement(element),
+    ]).reduce((prev, current) => {
+      if (isCommandEntry(current)) {
+        prev[current[0]] = current[1];
+      }
+      return prev;
+    }, initial);
+  }
+
+  // A value like string or number, possible contains PII, scrub it
+  return '?';
+}
+
+function isCommandObj(value: Record<string, unknown> | unknown): value is Record<string, unknown> {
+  return typeof value === 'object' && value !== null && !isBuffer(value);
+}
+
+function isBuffer(value: unknown): boolean {
+  let isBuffer = false;
+  if (typeof Buffer !== 'undefined') {
+    isBuffer = Buffer.isBuffer(value);
+  }
+  return isBuffer;
+}
+
+function isCommandEntry(value:  [string, unknown]  | unknown): value is [string, unknown] {
+  return Array.isArray(value);
+}
+
 const _mongoIntegration = (() => {
   return {
     name: INTEGRATION_NAME,

packages/node/test/integrations/tracing/mongo.test.ts

@@ -0,0 +1,68 @@
+import { MongoDBInstrumentation } from '@opentelemetry/instrumentation-mongodb';
+
+import { mongoIntegration, instrumentMongo, _defaultDbStatementSerializer } from '../../../src/integrations/tracing/mongo';
+import { INSTRUMENTED } from '../../../src/otel/instrument';
+
+jest.mock('@opentelemetry/instrumentation-mongodb');
+
+describe('Mongo', () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+    delete INSTRUMENTED.Mongo;
+
+    (MongoDBInstrumentation as unknown as jest.SpyInstance).mockImplementation(() => {
+      return {
+        setTracerProvider: () => undefined,
+        setMeterProvider: () => undefined,
+        getConfig: () => ({}),
+        setConfig: () => ({}),
+        enable: () => undefined,
+      };
+    });
+  });
+
+  it('defaults are correct for instrumentMongo', () => {
+    instrumentMongo();
+
+    expect(MongoDBInstrumentation).toHaveBeenCalledTimes(1);
+    expect(MongoDBInstrumentation).toHaveBeenCalledWith({
+      dbStatementSerializer: expect.any(Function),
+      responseHook: expect.any(Function),
+    });
+  });
+
+  it('defaults are correct for mongoIntegration', () => {
+    mongoIntegration().setupOnce!();
+
+    expect(MongoDBInstrumentation).toHaveBeenCalledTimes(1);
+    expect(MongoDBInstrumentation).toHaveBeenCalledWith({
+      responseHook: expect.any(Function),
+      dbStatementSerializer: expect.any(Function)
+    });
+  });
+
+  describe('_defaultDbStatementSerializer', () => {
+    it('rewrites strings as ?', () => {
+      const serialized = _defaultDbStatementSerializer({
+        find: 'foo'
+      });
+      expect(JSON.parse(serialized).find).toBe('?');
+    });
+
+    it('rewrites nested strings as ?', () => {
+      const serialized = _defaultDbStatementSerializer({
+        find: {
+          inner: 'foo'
+        }
+      });
+      expect(JSON.parse(serialized).find.inner).toBe('?');
+    });
+
+    it('rewrites Buffer as ?', () => {
+      const serialized = _defaultDbStatementSerializer({
+        find: Buffer.from('foo', 'utf8')
+      });
+      expect(JSON.parse(serialized).find).toBe('?');
+    });
+  });
+});