Skip to content

Handle sensitive query params in HTTP server instrumentation#16097

Merged
trask merged 8 commits intoopen-telemetry:mainfrom
trask:sensitive-query-params
Mar 9, 2026
Merged

Handle sensitive query params in HTTP server instrumentation#16097
trask merged 8 commits intoopen-telemetry:mainfrom
trask:sensitive-query-params

Conversation

@trask
Copy link
Copy Markdown
Member

@trask trask commented Feb 3, 2026

No description provided.

@trask trask force-pushed the sensitive-query-params branch 4 times, most recently from 3ee8792 to 64d9758 Compare February 3, 2026 22:23
@trask trask marked this pull request as ready for review February 4, 2026 22:45
@trask trask requested a review from a team as a code owner February 4, 2026 22:45
@trask trask marked this pull request as draft February 4, 2026 22:45
@trask trask force-pushed the sensitive-query-params branch 8 times, most recently from a96c83c to 4160a5a Compare February 5, 2026 03:49
@trask trask marked this pull request as ready for review February 5, 2026 15:55
trask
trask commented Feb 5, 2026
View reviewed changes
Comment thread ...ava/io/opentelemetry/instrumentation/api/semconv/http/HttpServerAttributesExtractorTest.java
Comment on lines +557 to +571
"paramA=valA&paramB=valB, paramA=valA&paramB=valB",
"AWSAccessKeyId=AKIAIOSFODNN7, AWSAccessKeyId=REDACTED",
"Signature=39Up9jzHkxhuIhFE9594DJxe7w6cIRCg0V6ICGS0%3A377, Signature=REDACTED",
"sig=39Up9jzHkxhuIhFE9594DJxe7w6cIRCg0V6ICGS0, sig=REDACTED",
"X-Goog-Signature=39Up9jzHkxhuIhFE9594DJxe7w6cIRCg0V6ICGS0, X-Goog-Signature=REDACTED",
"paramA=valA&AWSAccessKeyId=AKIAIOSFODNN7&paramB=valB, paramA=valA&AWSAccessKeyId=REDACTED&paramB=valB",
"AWSAccessKeyId=AKIAIOSFODNN7&paramA=valA, AWSAccessKeyId=REDACTED&paramA=valA",
"paramA=valA&AWSAccessKeyId=AKIAIOSFODNN7, paramA=valA&AWSAccessKeyId=REDACTED",
"AWSAccessKeyId=AKIAIOSFODNN7&AWSAccessKeyId=ZGIAIOSFODNN7, AWSAccessKeyId=REDACTED&AWSAccessKeyId=REDACTED",
"AWSAccessKeyId=AKIAIOSFODNN7#ref, AWSAccessKeyId=REDACTED#ref",
"AWSAccessKeyId=AKIAIOSFODNN7&aa&bb, AWSAccessKeyId=REDACTED&aa&bb",
"aa&bb&AWSAccessKeyId=AKIAIOSFODNN7, aa&bb&AWSAccessKeyId=REDACTED",
"AWSAccessKeyId=AKIAIOSFODNN7&&, AWSAccessKeyId=REDACTED&&",
"&&AWSAccessKeyId=AKIAIOSFODNN7, &&AWSAccessKeyId=REDACTED",
"AWSAccessKeyId=AKIAIOSFODNN7&a&b#fragment, AWSAccessKeyId=REDACTED&a&b#fragment"
Copy link
Copy Markdown
Member Author

@trask trask Feb 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

essentially same test cases from HttpClientAttributesExtractorTest

Comment thread ...i/src/main/java/io/opentelemetry/instrumentation/api/semconv/url/UrlAttributesExtractor.java
*
* @since 2.0.0
*/
public final class UrlAttributesExtractor<REQUEST, RESPONSE>
Copy link
Copy Markdown
Member Author

@trask trask Feb 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(note: this class has no usages)

trask
trask commented Feb 6, 2026
View reviewed changes
Comment thread ...c/main/java/io/opentelemetry/instrumentation/api/incubator/config/internal/CommonConfig.java Outdated
Comment on lines +101 to +102
List<String> newConfigValue =
httpConfig.getScalarList("sensitive_query_parameters", String.class);
Copy link
Copy Markdown
Member Author

@trask trask Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let's block this PR on open-telemetry/semantic-conventions#3403

Copy link
Copy Markdown
Contributor

@laurit laurit Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe it would be better to merge this PR using a temporary name. Could add experimental suffix/prefix or maybe even something like dontuse to indicate that it is subjected to change. This could let us avoid potential conflict resolution.

Copy link
Copy Markdown
Member Author

@trask trask Feb 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Update: I'm trying to get this supported under the .general node by the next SDK release

Copy link
Copy Markdown
Member Author

@trask trask Mar 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Update: this will be available in the upcoming SDK release

@trask trask force-pushed the sensitive-query-params branch from eb8f89e to 2795701 Compare February 10, 2026 17:14
@trask trask added this to the v2.26.0 milestone Feb 13, 2026
@trask trask force-pushed the sensitive-query-params branch from 573747b to ddd0d0f Compare February 18, 2026 17:45
@trask trask force-pushed the sensitive-query-params branch from ddd0d0f to 2204bae Compare February 21, 2026 03:30
@trask trask merged commit 3042028 into open-telemetry:main Mar 9, 2026
93 checks passed
@trask trask deleted the sensitive-query-params branch March 9, 2026 19:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@laurit laurit laurit approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

v2.26.0

Development

Successfully merging this pull request may close these issues.

2 participants

@trask @laurit