feat: finer granularity to LUMIGO_SECRET_MASKING_REGEX

lumigo-io · Apr 10, 2023 · 0b61310 · 0b61310
1 parent 90c4b02
commit 0b61310
Show file tree

Hide file tree

Showing 21 changed files with 1,207 additions and 265 deletions.
diff --git a/README.md b/README.md
@@ -101,7 +101,13 @@ Specifically supported are:
 * `LUMIGO_DEBUG_SPANDUMP=<path>`: Log all spans collected to the `<path>` file; this is an option intended only for debugging purposes and should *not* be used in production.
 This setting is independent from `LUMIGO_DEBUG`, that is, `LUMIGO_DEBUG` does not need to additionally be set for `LUMIGO_DEBUG_SPANDUMP` to work.
 * `LUMIGO_SWITCH_OFF=TRUE`: This option disables the Lumigo OpenTelemetry Distro entirely; no instrumentation will be injected, no tracing data will be collected.
-* `LUMIGO_SECRET_MASKING_REGEX='["regex1", "regex2"]'`: Prevents Lumigo from sending keys that match the supplied regular expressions. All regular expressions are case-insensitive. By default, Lumigo applies the following regular expressions: `[".*pass.*", ".*key.*", ".*secret.*", ".*credential.*", ".*passphrase.*"]`.
+* `LUMIGO_SECRET_MASKING_REGEX='["regex1", "regex2"]'`: Prevents Lumigo from sending keys that match the supplied regular expressions in process environment data, HTTP headers, payloads and queries. All regular expressions are case-insensitive. The "magic" value `all` will redact everything. By default, Lumigo applies the following regular expressions: `[".*pass.*", ".*key.*", ".*secret.*", ".*credential.*", ".*passphrase.*"]`. More fine-grained settings can be applied via the following environment variables, which will override `LUMIGO_SECRET_MASKING_REGEX` for a specific type of data:
+  * `LUMIGO_SECRET_MASKING_REGEX_HTTP_REQUEST_BODIES` applies secret redaction to HTTP request bodies
+  * `LUMIGO_SECRET_MASKING_REGEX_HTTP_REQUEST_HEADERS` applies secret redaction to HTTP request headers
+  * `LUMIGO_SECRET_MASKING_REGEX_HTTP_QUERY_PARAMS` applies secret redaction to HTTP query parameters
+  * `LUMIGO_SECRET_MASKING_REGEX_HTTP_RESPONSE_BODIES` applies secret redaction to HTTP response bodies
+  * `LUMIGO_SECRET_MASKING_REGEX_HTTP_RESPONSE_HEADERS` applies secret redaction to HTTP response bodies
+  * `LUMIGO_SECRET_MASKING_REGEX_ENVIRONMENT` applies secret redaction to process environment variables (that is, the content of `process.env`)
 * `LUMIGO_REPORT_DEPENDENCIES=false`: This option disables the built-in dependency reporting to Lumigo SaaS. For more information, refer to the [Automated dependency reporting](#automated-dependency-reporting) section.
 
 ### Execution Tags
@@ -298,7 +304,7 @@ If the [Task Metadata endpoint v4](https://docs.aws.amazon.com/AmazonECS/latest/
   * `process.runtime.version`
 
 
-* A non-standard `process.environ` resource attribute, containing a stringified representation of the process environment, with environment variables scrubbed based on the [`LUMIGO_SECRET_MASKING_REGEX`](#lumigo-specific-configurations) configuration.
+* A non-standard `process.environ` resource attribute, containing a stringified representation of the process environment, with environment variables scrubbed based on the [`LUMIGO_SECRET_MASKING_REGEX_ENVIRONMENT` and `LUMIGO_SECRET_MASKING_REGEX`](#lumigo-specific-configurations) environment variables.
 
 
 ### SDK configuration

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -23,7 +23,7 @@
   "repository": "git@github.com:lumigo-io/opentelemetry-js-distro.git",
   "author": "Lumigo",
   "dependencies": {
-    "@lumigo/node-core": "^1.13.0",
+    "@lumigo/node-core": "^1.13.1",
     "@opentelemetry/api": "1.4.0",
     "@opentelemetry/core": "1.9.0",
     "@opentelemetry/exporter-trace-otlp-http": "0.35.1",

diff --git a/src/instrumentations/express/express.ts b/src/instrumentations/express/express.ts
@@ -1,20 +1,41 @@
 import type express from 'express';
 
+import { CommonUtils } from '@lumigo/node-core';
+import { ScrubContext } from '@lumigo/node-core/lib/common';
+
 import { Span } from '@opentelemetry/api';
 
-import { safeExecute } from '../../utils';
+import { safeExecute, SPAN_ATTRIBUTE_LENGTH_LIMIT } from '../../utils';
 import { InstrumentationIfc } from '../hooksIfc';
-import { CommonUtils } from '@lumigo/node-core';
 
 type ExpressRequestType = { req: express.Request; res: express.Response };
 
 export const ExpressHooks: InstrumentationIfc<ExpressRequestType, any> = {
   requestHook(span: Span, { req, res }: ExpressRequestType): void {
     const oldResEnd = res.end;
     const oldResSend = res.send;
-    if (req.query) span.setAttribute('http.request.query', CommonUtils.payloadStringify(req.query));
+    if (req.query)
+      span.setAttribute(
+        'http.request.query',
+        CommonUtils.payloadStringify(
+          req.query,
+          SPAN_ATTRIBUTE_LENGTH_LIMIT,
+          null,
+          false,
+          ScrubContext.HTTP_REQUEST_QUERY
+        )
+      );
     if (req.headers)
-      span.setAttribute('http.request.headers', CommonUtils.payloadStringify(req.headers));
+      span.setAttribute(
+        'http.request.headers',
+        CommonUtils.payloadStringify(
+          req.headers,
+          SPAN_ATTRIBUTE_LENGTH_LIMIT,
+          null,
+          false,
+          ScrubContext.HTTP_REQUEST_HEADERS
+        )
+      );
     let response;
     res.send = function (data: any) {
       response = data;
@@ -29,12 +50,38 @@ export const ExpressHooks: InstrumentationIfc<ExpressRequestType, any> = {
         if (res.getHeaders())
           span.setAttribute(
             'http.response.headers',
-            CommonUtils.payloadStringify(res.getHeaders())
+            CommonUtils.payloadStringify(
+              res.getHeaders(),
+              SPAN_ATTRIBUTE_LENGTH_LIMIT,
+              null,
+              false,
+              ScrubContext.HTTP_RESPONSE_HEADERS
+            )
           ); // TODO This is not compliant with the HTTP semantic conventions
-        if (response)
-          span.setAttribute('http.response.body', CommonUtils.payloadStringify(response));
-        if (req.body)
-          span.setAttribute('http.request.body', CommonUtils.payloadStringify(req.body));
+        if (response) {
+          span.setAttribute(
+            'http.response.body',
+            CommonUtils.payloadStringify(
+              response,
+              SPAN_ATTRIBUTE_LENGTH_LIMIT,
+              null,
+              false,
+              ScrubContext.HTTP_RESPONSE_BODY
+            )
+          );
+        }
+        if (req.body) {
+          span.setAttribute(
+            'http.request.body',
+            CommonUtils.payloadStringify(
+              req.body,
+              SPAN_ATTRIBUTE_LENGTH_LIMIT,
+              null,
+              false,
+              ScrubContext.HTTP_REQUEST_BODY
+            )
+          );
+        }
         res.end = oldResEnd;
         return origRes;
       })();

diff --git a/src/instrumentations/express/tested_versions/express b/src/instrumentations/express/tested_versions/express
@@ -1,51 +1 @@
-4.9.0
-4.9.1
-4.9.2
-4.9.3
-4.9.4
-4.9.5
-4.9.6
-4.9.7
-4.9.8
-4.10.0
-4.10.1
-4.10.2
-4.10.3
-4.10.4
-4.10.5
-4.10.6
-4.10.7
-4.10.8
-4.11.0
-4.11.1
-4.11.2
-4.12.0
-4.12.1
-4.12.2
-4.12.3
-4.12.4
-4.13.0
-4.13.1
-4.13.2
-4.13.3
-4.13.4
-4.14.0
-4.14.1
-4.15.0
-4.15.1
-4.15.2
-4.15.3
-4.15.4
-4.15.5
-4.16.0
-4.16.1
-4.16.2
-4.16.3
-4.16.4
-4.17.0
-4.17.1
-4.17.2
-4.17.3
-4.18.0
-4.18.1
 4.18.2
-Original file line number
+Diff line change
@@ -1,51 +1 @@
-.9.0
-.9.1
-.9.2
-.9.3
-.9.4
-.9.5
-.9.6
-.9.7
-.9.8
-.10.0
-.10.1
-.10.2
-.10.3
-.10.4
-.10.5
-.10.6
-.10.7
-.10.8
-.11.0
-.11.1
-.11.2
-.12.0
-.12.1
-.12.2
-.12.3
-.12.4
-.13.0
-.13.1
-.13.2
-.13.3
-.13.4
-.14.0
-.14.1
-.15.0
-.15.1
-.15.2
-.15.3
-.15.4
-.15.5
-.16.0
-.16.1
-.16.2
-.16.3
-.16.4
-.17.0
-.17.1
-.17.2
-.17.3
-.18.0
-.18.1
 .18.2