Skip to content

Commit

Permalink
Define sanitization for db.query.text (#1100)
Browse files Browse the repository at this point in the history
Co-authored-by: Trask Stalnaker <[email protected]>
Co-authored-by: Liudmila Molkova <[email protected]>
  • Loading branch information
3 people authored Jun 24, 2024
1 parent ab03b68 commit eeed399
Show file tree
Hide file tree
Showing 10 changed files with 67 additions and 16 deletions.
22 changes: 22 additions & 0 deletions .chloggen/db_sanitization.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
# Use this changelog template to create an entry for release notes.
#
# If your change doesn't affect end users you should instead start
# your pull request title with [chore] or use the "Skip Changelog" label.

# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
change_type: enhancement

# The name of the area of concern in the attributes-registry, (e.g. http, cloud, db)
component: db

# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
note: Specify sanitization for `db.query.text`.

# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
# The values here must be integers.
issues: [717]

# (Optional) One or more lines of additional information to render under the primary note.
# These lines will be padded with 2 spaces and then inserted directly into the document.
# Use pipe (|) for multiline entries.
subtext:
4 changes: 3 additions & 1 deletion docs/attributes-registry/db.md
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,9 @@ For batch operations, if the individual operations are known to have the same op
**[5]:** Query parameters should only be captured when `db.query.text` is parameterized with placeholders.
If a parameter has no name and instead is referenced only by index, then `<key>` SHOULD be the 0-based index.

**[6]:** For batch operations, if the individual operations are known to have the same query text then that query text SHOULD be used, otherwise all of the individual query texts SHOULD be concatenated with separator `; ` or some other database system specific separator if more applicable.
**[6]:** For sanitization see [Sanitization of `db.query.text`](../../docs/database/database-spans.md#sanitization-of-dbquerytext).
For batch operations, if the individual operations are known to have the same query text then that query text SHOULD be used, otherwise all of the individual query texts SHOULD be concatenated with separator `; ` or some other database system specific separator if more applicable.
Even though parameterized query text can potentially have sensitive data, by using a parameterized query the user is giving a strong signal that any sensitive data will be passed as parameter values, and the benefit to observability of capturing the static part of the query text by default outweighs the risk.

**[7]:** The actual DBMS may differ from the one identified by the client. For example, when using PostgreSQL client libraries to connect to a CockroachDB, the `db.system` is set to `postgresql` based on the instrumentation's best knowledge.

Expand Down
6 changes: 4 additions & 2 deletions docs/database/cassandra.md
Original file line number Diff line number Diff line change
Expand Up @@ -60,9 +60,11 @@ For batch operations, if the individual operations are known to have the same op

**[8]:** If using a port other than the default port for this DBMS and if `server.address` is set.

**[9]:** For batch operations, if the individual operations are known to have the same query text then that query text SHOULD be used, otherwise all of the individual query texts SHOULD be concatenated with separator `; ` or some other database system specific separator if more applicable.
**[9]:** For sanitization see [Sanitization of `db.query.text`](../../docs/database/database-spans.md#sanitization-of-dbquerytext).
For batch operations, if the individual operations are known to have the same query text then that query text SHOULD be used, otherwise all of the individual query texts SHOULD be concatenated with separator `; ` or some other database system specific separator if more applicable.
Even though parameterized query text can potentially have sensitive data, by using a parameterized query the user is giving a strong signal that any sensitive data will be passed as parameter values, and the benefit to observability of capturing the static part of the query text by default outweighs the risk.

**[10]:** SHOULD be collected by default only if there is sanitization that excludes sensitive information.
**[10]:** SHOULD be collected by default only if there is sanitization that excludes sensitive information. See [Sanitization of `db.query.text`](../../docs/database/database-spans.md#sanitization-of-dbquerytext).

**[11]:** If a database operation involved multiple network calls (for example retries), the address of the last contacted node SHOULD be used.

Expand Down
6 changes: 4 additions & 2 deletions docs/database/cosmosdb.md
Original file line number Diff line number Diff line change
Expand Up @@ -59,9 +59,11 @@ For batch operations, if the individual operations are known to have the same op

**[6]:** If using a port other than the default port for this DBMS and if `server.address` is set.

**[7]:** For batch operations, if the individual operations are known to have the same query text then that query text SHOULD be used, otherwise all of the individual query texts SHOULD be concatenated with separator `; ` or some other database system specific separator if more applicable.
**[7]:** For sanitization see [Sanitization of `db.query.text`](../../docs/database/database-spans.md#sanitization-of-dbquerytext).
For batch operations, if the individual operations are known to have the same query text then that query text SHOULD be used, otherwise all of the individual query texts SHOULD be concatenated with separator `; ` or some other database system specific separator if more applicable.
Even though parameterized query text can potentially have sensitive data, by using a parameterized query the user is giving a strong signal that any sensitive data will be passed as parameter values, and the benefit to observability of capturing the static part of the query text by default outweighs the risk.

**[8]:** SHOULD be collected by default only if there is sanitization that excludes sensitive information.
**[8]:** SHOULD be collected by default only if there is sanitization that excludes sensitive information. See [Sanitization of `db.query.text`](../../docs/database/database-spans.md#sanitization-of-dbquerytext).

**[9]:** When observed from the client side, and when communicating through an intermediary, `server.address` SHOULD represent the server address behind any intermediaries, for example proxies, if it's available.

Expand Down
18 changes: 16 additions & 2 deletions docs/database/database-spans.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@ linkTitle: Client Calls
- [Name](#name)
- [Common attributes](#common-attributes)
- [Notes and well-known identifiers for `db.system`](#notes-and-well-known-identifiers-for-dbsystem)
- [Sanitization of `db.query.text`](#sanitization-of-dbquerytext)
- [Semantic Conventions for specific database technologies](#semantic-conventions-for-specific-database-technologies)

<!-- tocstop -->
Expand Down Expand Up @@ -125,9 +126,11 @@ For batch operations, if the individual operations are known to have the same op

**[9]:** If using a port other than the default port for this DBMS and if `server.address` is set.

**[10]:** For batch operations, if the individual operations are known to have the same query text then that query text SHOULD be used, otherwise all of the individual query texts SHOULD be concatenated with separator `; ` or some other database system specific separator if more applicable.
**[10]:** For sanitization see [Sanitization of `db.query.text`](../../docs/database/database-spans.md#sanitization-of-dbquerytext).
For batch operations, if the individual operations are known to have the same query text then that query text SHOULD be used, otherwise all of the individual query texts SHOULD be concatenated with separator `; ` or some other database system specific separator if more applicable.
Even though parameterized query text can potentially have sensitive data, by using a parameterized query the user is giving a strong signal that any sensitive data will be passed as parameter values, and the benefit to observability of capturing the static part of the query text by default outweighs the risk.

**[11]:** SHOULD be collected by default only if there is sanitization that excludes sensitive information.
**[11]:** SHOULD be collected by default only if there is sanitization that excludes sensitive information. See [Sanitization of `db.query.text`](../../docs/database/database-spans.md#sanitization-of-dbquerytext).

**[12]:** Semantic conventions for individual database systems SHOULD document whether `network.peer.*` attributes are applicable. Network peer address and port are useful when the application interacts with individual database nodes directly.
If a database operation involved multiple network calls (for example retries), the address of the last contacted node SHOULD be used.
Expand Down Expand Up @@ -225,6 +228,17 @@ Back ends could, for example, use the provided identifier to determine the appro

When additional attributes are added that only apply to a specific DBMS, its identifier SHOULD be used as a namespace in the attribute key as for the attributes in the sections below.

## Sanitization of `db.query.text`

The `db.query.text` SHOULD be collected by default only if there is sanitization that excludes sensitive information.
Sanitization SHOULD replace all literals with a placeholder value.
Such literals include, but are not limited to, String, Numeric, Date and Time,
Boolean, Interval, Binary, and Hexadecimal literals.
The placeholder value SHOULD be `?`, unless it already has a defined meaning in the given database system,
in which case the instrumentation MAY choose a different placeholder.

Placeholders in a parameterized query SHOULD not be sanitized. E.g. `where id = $1` can be captured as is.

## Semantic Conventions for specific database technologies

More specific Semantic Conventions are defined for the following database technologies:
Expand Down
4 changes: 3 additions & 1 deletion docs/database/elasticsearch.md
Original file line number Diff line number Diff line change
Expand Up @@ -74,7 +74,9 @@ Tracing instrumentations that do so, MUST also set `http.request.method_original

**[10]:** When communicating with an Elastic Cloud deployment, this should be collected from the "X-Found-Handling-Cluster" HTTP response header.

**[11]:** For batch operations, if the individual operations are known to have the same query text then that query text SHOULD be used, otherwise all of the individual query texts SHOULD be concatenated with separator `; ` or some other database system specific separator if more applicable.
**[11]:** For sanitization see [Sanitization of `db.query.text`](../../docs/database/database-spans.md#sanitization-of-dbquerytext).
For batch operations, if the individual operations are known to have the same query text then that query text SHOULD be used, otherwise all of the individual query texts SHOULD be concatenated with separator `; ` or some other database system specific separator if more applicable.
Even though parameterized query text can potentially have sensitive data, by using a parameterized query the user is giving a strong signal that any sensitive data will be passed as parameter values, and the benefit to observability of capturing the static part of the query text by default outweighs the risk.

**[12]:** Should be collected by default for search-type queries and only if there is sanitization that excludes sensitive information.

Expand Down
6 changes: 4 additions & 2 deletions docs/database/mssql.md
Original file line number Diff line number Diff line change
Expand Up @@ -52,9 +52,11 @@ In the case of `EXEC`, this SHOULD be the stored procedure name that is being ex

**[8]:** If using a port other than the default port for this DBMS and if `server.address` is set.

**[9]:** For batch operations, if the individual operations are known to have the same query text then that query text SHOULD be used, otherwise all of the individual query texts SHOULD be concatenated with separator `; ` or some other database system specific separator if more applicable.
**[9]:** For sanitization see [Sanitization of `db.query.text`](../../docs/database/database-spans.md#sanitization-of-dbquerytext).
For batch operations, if the individual operations are known to have the same query text then that query text SHOULD be used, otherwise all of the individual query texts SHOULD be concatenated with separator `; ` or some other database system specific separator if more applicable.
Even though parameterized query text can potentially have sensitive data, by using a parameterized query the user is giving a strong signal that any sensitive data will be passed as parameter values, and the benefit to observability of capturing the static part of the query text by default outweighs the risk.

**[10]:** SHOULD be collected by default only if there is sanitization that excludes sensitive information.
**[10]:** SHOULD be collected by default only if there is sanitization that excludes sensitive information. See [Sanitization of `db.query.text`](../../docs/database/database-spans.md#sanitization-of-dbquerytext).

**[11]:** When observed from the client side, and when communicating through an intermediary, `server.address` SHOULD represent the server address behind any intermediaries, for example proxies, if it's available.

Expand Down
6 changes: 4 additions & 2 deletions docs/database/sql.md
Original file line number Diff line number Diff line change
Expand Up @@ -91,9 +91,11 @@ In the case of `EXEC`, this SHOULD be the stored procedure name that is being ex

**[8]:** If using a port other than the default port for this DBMS and if `server.address` is set.

**[9]:** For batch operations, if the individual operations are known to have the same query text then that query text SHOULD be used, otherwise all of the individual query texts SHOULD be concatenated with separator `; ` or some other database system specific separator if more applicable.
**[9]:** For sanitization see [Sanitization of `db.query.text`](../../docs/database/database-spans.md#sanitization-of-dbquerytext).
For batch operations, if the individual operations are known to have the same query text then that query text SHOULD be used, otherwise all of the individual query texts SHOULD be concatenated with separator `; ` or some other database system specific separator if more applicable.
Even though parameterized query text can potentially have sensitive data, by using a parameterized query the user is giving a strong signal that any sensitive data will be passed as parameter values, and the benefit to observability of capturing the static part of the query text by default outweighs the risk.

**[10]:** SHOULD be collected by default only if there is sanitization that excludes sensitive information.
**[10]:** SHOULD be collected by default only if there is sanitization that excludes sensitive information. See [Sanitization of `db.query.text`](../../docs/database/database-spans.md#sanitization-of-dbquerytext).

**[11]:** When observed from the client side, and when communicating through an intermediary, `server.address` SHOULD represent the server address behind any intermediaries, for example proxies, if it's available.

Expand Down
6 changes: 6 additions & 0 deletions model/registry/db.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -54,9 +54,15 @@ groups:
brief: >
The database query being executed.
note: >
For sanitization see [Sanitization of `db.query.text`](../../docs/database/database-spans.md#sanitization-of-dbquerytext).
For batch operations, if the individual operations are known to have the same query text
then that query text SHOULD be used, otherwise all of the individual query texts SHOULD be concatenated
with separator `; ` or some other database system specific separator if more applicable.
Even though parameterized query text can potentially have sensitive data, by using a parameterized query
the user is giving a strong signal that any sensitive data will be passed as parameter values, and the benefit
to observability of capturing the static part of the query text by default outweighs the risk.
examples: ['SELECT * FROM wuser_table where username = ?', 'SET mykey "WuValue"']
- id: query.parameter
type: template[string]
Expand Down
5 changes: 1 addition & 4 deletions model/trace/database.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -13,10 +13,6 @@ groups:
Parameterized query text SHOULD be collected by default
(the query parameter values themselves are opt-in,
see [`db.query.parameter.<key>`](../../docs/attributes-registry/db.md)).
note:
Even though parameterized query text can potentially have sensitive data, by using a parameterized query
the user is giving a strong signal that any sensitive data will be passed as parameter values, and the benefit
to observability of capturing the static part of the query text by default outweighs the risk.
- ref: db.query.parameter
requirement_level: opt_in

Expand All @@ -29,6 +25,7 @@ groups:
requirement_level:
recommended: >
SHOULD be collected by default only if there is sanitization that excludes sensitive information.
See [Sanitization of `db.query.text`](../../docs/database/database-spans.md#sanitization-of-dbquerytext).
- ref: db.query.parameter
requirement_level: opt_in
- ref: db.collection.name
Expand Down

0 comments on commit eeed399

Please sign in to comment.