Mongo instrumentation's 'db.statement' tag could be leaking sensitive data #3388
Comments
You are absolutely right. Do you want to open a PR?

I could, you mean to disable the feature by default? I'm not really sure how to implement the obfuscation but I could try also.

I think we should first disable the feature. Implementing obfuscation is going to take longer.
dubonzi added a commit to dubonzi/opentelemetry-go-contrib that referenced this issue on Mar 2, 2023:

As of now, the 'db.statement' tag is not obfuscated, which can lead to sensitive information being leaked through the tag. See open-telemetry#3388
Done.
MrAlias added a commit that referenced this issue on Apr 26, 2023:

…3519)

* Disable adding the mongo 'db.statement' tag by default

As of now, the 'db.statement' tag is not obfuscated, which can lead to sensitive information being leaked through the tag. See #3388

* Update CHANGELOG.md
* Update CHANGELOG.md
* Update mongo.go
* fix reverted changelog change in conflict resolution
* Move changelog entry to unreleased

Co-authored-by: Damien Mathieu <42@dmathieu.com>
Co-authored-by: Robert Pająk <pellared@hotmail.com>
Co-authored-by: Tyler Yahn <MrAlias@users.noreply.github.com>
Co-authored-by: Tyler Yahn <codingalias@gmail.com>
The Mongo instrumentation adds a 'db.statement' tag to spans containing the raw query, which might leak sensitive information. I see a TODO in the sanitization function that would be doing the obfuscation of these values, and since it's not yet done, maybe this feature should be disabled by default to avoid leaks by users that are unaware of this.
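The leak described in the issue, next to the two mitigations the thread discusses (leave the tag off by default, or obfuscate values before recording it), as an added example that is not part of the issue or of the otelmongo instrumentation's own code. It assumes the command is available as Extended JSON text (the mongo-driver's CommandStartedEvent.Command is a bson.Raw, which is assumed here to render that way); the sample commands, the StatementMode option and the list of top-level keys whose values are kept are this example's own assumptions, not the project's API.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// StatementMode selects what, if anything, goes into the db.statement attribute.
// The mode and its names are this example's own, not otelmongo's option surface.
type StatementMode int

const (
	StatementOmitted    StatementMode = iota // safe default: record no db.statement at all
	StatementObfuscated                      // record the query shape, user values replaced by "?"
	StatementRaw                             // record the raw command (the behaviour the issue reports)
)

// Constructed sample commands, written as the Extended JSON that a
// CommandStartedEvent.Command is assumed to render to. Not captured from a
// real server; each one carries a value that must never reach a span.
var sampleCommands = []string{
	`{"find":"users","filter":{"email":"alice@example.com","ssn":"123-45-6789"},"limit":1,"$db":"app"}`,
	`{"insert":"sessions","documents":[{"token":"s3cr3t-session-token","user_id":42}],"$db":"app"}`,
	`{"update":"users","updates":[{"q":{"_id":7},"u":{"$set":{"password_hash":"$2b$12$abc"}}}],"$db":"app"}`,
}

// Top-level keys whose scalar values name the operation or its target rather
// than carry user data. Only scalars directly under these keys survive; the
// list is an assumption for this example and needs review per command type.
var keepTopLevelValue = map[string]bool{
	"find": true, "insert": true, "update": true, "delete": true, "aggregate": true,
	"count": true, "$db": true, "limit": true, "skip": true, "ordered": true,
}

// obfuscate walks a decoded JSON value, keeping every key, nesting level and
// operator ($set, $in, ...) but replacing scalars with "?". depth 1 means a
// value sitting directly under the top-level command document.
func obfuscate(v interface{}, key string, depth int) interface{} {
	switch t := v.(type) {
	case map[string]interface{}:
		out := make(map[string]interface{}, len(t))
		for k, child := range t {
			out[k] = obfuscate(child, k, depth+1)
		}
		return out
	case []interface{}:
		out := make([]interface{}, len(t))
		for i, child := range t {
			out[i] = obfuscate(child, key, depth+1)
		}
		return out
	default: // string, float64, bool, nil
		if depth == 1 && keepTopLevelValue[key] {
			return t
		}
		return "?"
	}
}

// SanitizeStatement returns the command with user-supplied values masked.
// json.Marshal sorts map keys, so the output is deterministic.
func SanitizeStatement(extJSON string) (string, error) {
	var doc interface{}
	if err := json.Unmarshal([]byte(extJSON), &doc); err != nil {
		return "", fmt.Errorf("parse command: %w", err)
	}
	out, err := json.Marshal(obfuscate(doc, "", 0))
	if err != nil {
		return "", fmt.Errorf("encode command: %w", err)
	}
	return string(out), nil
}

// StatementAttributes builds the attributes this example would attach to the
// command span. Only StatementRaw ever copies user data into the span.
func StatementAttributes(extJSON string, mode StatementMode) (map[string]string, error) {
	attrs := map[string]string{"db.system": "mongodb"}
	switch mode {
	case StatementRaw:
		attrs["db.statement"] = extJSON
	case StatementObfuscated:
		s, err := SanitizeStatement(extJSON)
		if err != nil {
			return nil, err
		}
		attrs["db.statement"] = s
	case StatementOmitted:
		// nothing: the operation remains visible through the span name and other attributes
	}
	return attrs, nil
}

// Leaks reports whether any of the given secrets appears in an attribute value.
func Leaks(attrs map[string]string, secrets ...string) bool {
	for _, v := range attrs {
		for _, s := range secrets {
			if strings.Contains(v, s) {
				return true
			}
		}
	}
	return false
}

func main() {
	secrets := []string{"123-45-6789", "s3cr3t-session-token", "$2b$12$abc"}
	for _, cmd := range sampleCommands {
		for _, mode := range []StatementMode{StatementRaw, StatementObfuscated, StatementOmitted} {
			attrs, err := StatementAttributes(cmd, mode)
			if err != nil {
				panic(err)
			}
			fmt.Printf("mode=%d leaks=%v db.statement=%q\n", mode, Leaks(attrs, secrets...), attrs["db.statement"])
		}
	}
}
```

Running it shows the raw mode emitting the SSN, session token and password hash verbatim, the obfuscated mode keeping only the query shape (`{"$db":"app","filter":{"email":"?","ssn":"?"},"find":"users","limit":1}`), and the omitted mode producing no db.statement at all, which is the behaviour the linked commits make the default. The obfuscator masks every nested scalar, including `_id` values, because even identifiers can be sensitive; a deployment that wants to keep some of them would have to extend the allow-list deliberately rather than rely on the default.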