Impact
OpenTelemetry.Instrumentation.Http
writes the url.full
attribute/tag on spans (Activity
) when tracing is enabled for outgoing http requests and OpenTelemetry.Instrumentation.AspNetCore
writes the url.query
attribute/tag on spans (Activity
) when tracing is enabled for incoming http requests.
These attributes are defined by the Semantic Conventions for HTTP Spans.
Up until the 1.8.1
the values written by OpenTelemetry.Instrumentation.Http
& OpenTelemetry.Instrumentation.AspNetCore
will pass-through the raw query string as was sent or received (respectively). This may lead to sensitive information (e.g. EUII - End User Identifiable Information, credentials, etc.) being leaked into telemetry backends (depending on the application(s) being instrumented) which could cause privacy and/or security incidents.
Note: Older versions of OpenTelemetry.Instrumentation.Http
& OpenTelemetry.Instrumentation.AspNetCore
may use different tag names but have the same vulnerability.
Resolution
The 1.8.1
versions of OpenTelemetry.Instrumentation.Http
& OpenTelemetry.Instrumentation.AspNetCore
will now redact by default all values detected on transmitted or received query strings.
Example transmitted or received query sting:
?key1=value1&key2=value2
Example of redacted value written on telemetry:
?key1=Redacted&key2=Redacted
Impact
OpenTelemetry.Instrumentation.Http
writes theurl.full
attribute/tag on spans (Activity
) when tracing is enabled for outgoing http requests andOpenTelemetry.Instrumentation.AspNetCore
writes theurl.query
attribute/tag on spans (Activity
) when tracing is enabled for incoming http requests.These attributes are defined by the Semantic Conventions for HTTP Spans.
Up until the
1.8.1
the values written byOpenTelemetry.Instrumentation.Http
&OpenTelemetry.Instrumentation.AspNetCore
will pass-through the raw query string as was sent or received (respectively). This may lead to sensitive information (e.g. EUII - End User Identifiable Information, credentials, etc.) being leaked into telemetry backends (depending on the application(s) being instrumented) which could cause privacy and/or security incidents.Note: Older versions of
OpenTelemetry.Instrumentation.Http
&OpenTelemetry.Instrumentation.AspNetCore
may use different tag names but have the same vulnerability.Resolution
The
1.8.1
versions ofOpenTelemetry.Instrumentation.Http
&OpenTelemetry.Instrumentation.AspNetCore
will now redact by default all values detected on transmitted or received query strings.Example transmitted or received query sting:
?key1=value1&key2=value2
Example of redacted value written on telemetry:
?key1=Redacted&key2=Redacted