-
Notifications
You must be signed in to change notification settings - Fork 764
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sanitize http.url
attribute
#1961
Conversation
Codecov Report
@@ Coverage Diff @@
## main #1961 +/- ##
==========================================
+ Coverage 83.54% 83.57% +0.03%
==========================================
Files 192 192
Lines 6156 6162 +6
==========================================
+ Hits 5143 5150 +7
+ Misses 1013 1012 -1
|
src/OpenTelemetry.Instrumentation.Http/Implementation/HttpTagHelper.cs
Outdated
Show resolved
Hide resolved
http.url
attributehttp.url
attribute
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
[InlineData("http://localhost/", "http://localhost/", 0, null, "TraceContext")] | ||
[InlineData("http://localhost/", "http://localhost/", 0, null, "TraceContext", true)] | ||
[InlineData("https://localhost/", "https://localhost/", 0, null, "TraceContext")] | ||
[InlineData("https://localhost/", "https://user:pass@localhost/", 0, null, "TraceContext")] // Test URL sanitization |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we add test cases to cover all the parts that would make up the new Uri such as scheme, authority, path and query, fragment etc.?
How about adding two unit tests like these which would ensure that Uri.PathAndQuery
(/Home/Index.html) and Uri.Fragment
(#search) are concatenated?
Url: https://user:password@localhost:443/Home/Index.html#search
ExpectedUrl: https://localhost:443/Home/Index.html#search
And one for http
Url: http://user:password@localhost:80/Home/Index.html#search
ExpectedUrl: http://localhost:80/Home/Index.html#search
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added a comment.
I noticed that there is a potentially unstable test:
|
[InlineData("https://localhost/", "https://user:pass@localhost/", 0, null, "TraceContext")] // Test URL sanitization | ||
[InlineData("http://localhost:443/", "http://localhost:443/", 0, null, "TraceContext")] // Test http over 443 | ||
[InlineData("https://localhost:80/", "https://localhost:80/", 0, null, "TraceContext")] // Test https over 80 | ||
[InlineData("https://localhost:80/Home/Index.htm?q1=v1&q2=v2#FragmentName", "https://localhost:80/Home/Index.htm?q1=v1&q2=v2#FragmentName", 0, null, "TraceContext")] // Test complex URL |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We could update this test case to use http
instead of https
to test that we return the right Uri.Scheme
in the URL.
@pellared Could you please also add the logic to sanitize opentelemetry-dotnet/src/OpenTelemetry.Instrumentation.AspNetCore/Implementation/HttpInListener.cs Line 154 in d073906
|
@utpilla I do not see this issue there. See: opentelemetry-dotnet/src/OpenTelemetry.Instrumentation.AspNetCore/Implementation/HttpInListener.cs Lines 293 to 326 in d073906
|
Thanks @pellared for pointing this out. This issue does not exist for ASP.NET Core Instrumentation. |
Fixes #1884.
Changes
Please provide a brief description of the changes here.
For significant contributions please make sure you have completed the following items:
CHANGELOG.md
updated for non-trivial changesConstraints
http.url
value would remain the same. For ASP.NET instrumentation it isuri.ToString()
for HTTP instrumentation it isuri.OriginalString
. We can consider unifying it but rather in separate PR.