From eeed399850993eddd29ede784137c9ea35efeba3 Mon Sep 17 00:00:00 2001 From: Gergely Kalapos Date: Mon, 24 Jun 2024 16:23:59 +0200 Subject: [PATCH] Define sanitization for db.query.text (#1100) Co-authored-by: Trask Stalnaker Co-authored-by: Liudmila Molkova --- .chloggen/db_sanitization.yaml | 22 ++++++++++++++++++++++ docs/attributes-registry/db.md | 4 +++- docs/database/cassandra.md | 6 ++++-- docs/database/cosmosdb.md | 6 ++++-- docs/database/database-spans.md | 18 ++++++++++++++++-- docs/database/elasticsearch.md | 4 +++- docs/database/mssql.md | 6 ++++-- docs/database/sql.md | 6 ++++-- model/registry/db.yaml | 6 ++++++ model/trace/database.yaml | 5 +---- 10 files changed, 67 insertions(+), 16 deletions(-) create mode 100755 .chloggen/db_sanitization.yaml diff --git a/.chloggen/db_sanitization.yaml b/.chloggen/db_sanitization.yaml new file mode 100755 index 0000000000..a6d255ec26 --- /dev/null +++ b/.chloggen/db_sanitization.yaml @@ -0,0 +1,22 @@ +# Use this changelog template to create an entry for release notes. +# +# If your change doesn't affect end users you should instead start +# your pull request title with [chore] or use the "Skip Changelog" label. + +# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix' +change_type: enhancement + +# The name of the area of concern in the attributes-registry, (e.g. http, cloud, db) +component: db + +# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`). +note: Specify sanitization for `db.query.text`. + +# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists. +# The values here must be integers. +issues: [717] + +# (Optional) One or more lines of additional information to render under the primary note. +# These lines will be padded with 2 spaces and then inserted directly into the document. +# Use pipe (|) for multiline entries. +subtext: diff --git a/docs/attributes-registry/db.md b/docs/attributes-registry/db.md index 82bafcf1df..a3a6cb7e41 100644 --- a/docs/attributes-registry/db.md +++ b/docs/attributes-registry/db.md @@ -46,7 +46,9 @@ For batch operations, if the individual operations are known to have the same op **[5]:** Query parameters should only be captured when `db.query.text` is parameterized with placeholders. If a parameter has no name and instead is referenced only by index, then `` SHOULD be the 0-based index. -**[6]:** For batch operations, if the individual operations are known to have the same query text then that query text SHOULD be used, otherwise all of the individual query texts SHOULD be concatenated with separator `; ` or some other database system specific separator if more applicable. +**[6]:** For sanitization see [Sanitization of `db.query.text`](../../docs/database/database-spans.md#sanitization-of-dbquerytext). +For batch operations, if the individual operations are known to have the same query text then that query text SHOULD be used, otherwise all of the individual query texts SHOULD be concatenated with separator `; ` or some other database system specific separator if more applicable. +Even though parameterized query text can potentially have sensitive data, by using a parameterized query the user is giving a strong signal that any sensitive data will be passed as parameter values, and the benefit to observability of capturing the static part of the query text by default outweighs the risk. **[7]:** The actual DBMS may differ from the one identified by the client. For example, when using PostgreSQL client libraries to connect to a CockroachDB, the `db.system` is set to `postgresql` based on the instrumentation's best knowledge. diff --git a/docs/database/cassandra.md b/docs/database/cassandra.md index abfb3d4f1f..cf9eae8aca 100644 --- a/docs/database/cassandra.md +++ b/docs/database/cassandra.md @@ -60,9 +60,11 @@ For batch operations, if the individual operations are known to have the same op **[8]:** If using a port other than the default port for this DBMS and if `server.address` is set. -**[9]:** For batch operations, if the individual operations are known to have the same query text then that query text SHOULD be used, otherwise all of the individual query texts SHOULD be concatenated with separator `; ` or some other database system specific separator if more applicable. +**[9]:** For sanitization see [Sanitization of `db.query.text`](../../docs/database/database-spans.md#sanitization-of-dbquerytext). +For batch operations, if the individual operations are known to have the same query text then that query text SHOULD be used, otherwise all of the individual query texts SHOULD be concatenated with separator `; ` or some other database system specific separator if more applicable. +Even though parameterized query text can potentially have sensitive data, by using a parameterized query the user is giving a strong signal that any sensitive data will be passed as parameter values, and the benefit to observability of capturing the static part of the query text by default outweighs the risk. -**[10]:** SHOULD be collected by default only if there is sanitization that excludes sensitive information. +**[10]:** SHOULD be collected by default only if there is sanitization that excludes sensitive information. See [Sanitization of `db.query.text`](../../docs/database/database-spans.md#sanitization-of-dbquerytext). **[11]:** If a database operation involved multiple network calls (for example retries), the address of the last contacted node SHOULD be used. diff --git a/docs/database/cosmosdb.md b/docs/database/cosmosdb.md index f4313b0bcd..5256694f2c 100644 --- a/docs/database/cosmosdb.md +++ b/docs/database/cosmosdb.md @@ -59,9 +59,11 @@ For batch operations, if the individual operations are known to have the same op **[6]:** If using a port other than the default port for this DBMS and if `server.address` is set. -**[7]:** For batch operations, if the individual operations are known to have the same query text then that query text SHOULD be used, otherwise all of the individual query texts SHOULD be concatenated with separator `; ` or some other database system specific separator if more applicable. +**[7]:** For sanitization see [Sanitization of `db.query.text`](../../docs/database/database-spans.md#sanitization-of-dbquerytext). +For batch operations, if the individual operations are known to have the same query text then that query text SHOULD be used, otherwise all of the individual query texts SHOULD be concatenated with separator `; ` or some other database system specific separator if more applicable. +Even though parameterized query text can potentially have sensitive data, by using a parameterized query the user is giving a strong signal that any sensitive data will be passed as parameter values, and the benefit to observability of capturing the static part of the query text by default outweighs the risk. -**[8]:** SHOULD be collected by default only if there is sanitization that excludes sensitive information. +**[8]:** SHOULD be collected by default only if there is sanitization that excludes sensitive information. See [Sanitization of `db.query.text`](../../docs/database/database-spans.md#sanitization-of-dbquerytext). **[9]:** When observed from the client side, and when communicating through an intermediary, `server.address` SHOULD represent the server address behind any intermediaries, for example proxies, if it's available. diff --git a/docs/database/database-spans.md b/docs/database/database-spans.md index 33152ab141..23e0742623 100644 --- a/docs/database/database-spans.md +++ b/docs/database/database-spans.md @@ -13,6 +13,7 @@ linkTitle: Client Calls - [Name](#name) - [Common attributes](#common-attributes) - [Notes and well-known identifiers for `db.system`](#notes-and-well-known-identifiers-for-dbsystem) +- [Sanitization of `db.query.text`](#sanitization-of-dbquerytext) - [Semantic Conventions for specific database technologies](#semantic-conventions-for-specific-database-technologies) @@ -125,9 +126,11 @@ For batch operations, if the individual operations are known to have the same op **[9]:** If using a port other than the default port for this DBMS and if `server.address` is set. -**[10]:** For batch operations, if the individual operations are known to have the same query text then that query text SHOULD be used, otherwise all of the individual query texts SHOULD be concatenated with separator `; ` or some other database system specific separator if more applicable. +**[10]:** For sanitization see [Sanitization of `db.query.text`](../../docs/database/database-spans.md#sanitization-of-dbquerytext). +For batch operations, if the individual operations are known to have the same query text then that query text SHOULD be used, otherwise all of the individual query texts SHOULD be concatenated with separator `; ` or some other database system specific separator if more applicable. +Even though parameterized query text can potentially have sensitive data, by using a parameterized query the user is giving a strong signal that any sensitive data will be passed as parameter values, and the benefit to observability of capturing the static part of the query text by default outweighs the risk. -**[11]:** SHOULD be collected by default only if there is sanitization that excludes sensitive information. +**[11]:** SHOULD be collected by default only if there is sanitization that excludes sensitive information. See [Sanitization of `db.query.text`](../../docs/database/database-spans.md#sanitization-of-dbquerytext). **[12]:** Semantic conventions for individual database systems SHOULD document whether `network.peer.*` attributes are applicable. Network peer address and port are useful when the application interacts with individual database nodes directly. If a database operation involved multiple network calls (for example retries), the address of the last contacted node SHOULD be used. @@ -225,6 +228,17 @@ Back ends could, for example, use the provided identifier to determine the appro When additional attributes are added that only apply to a specific DBMS, its identifier SHOULD be used as a namespace in the attribute key as for the attributes in the sections below. +## Sanitization of `db.query.text` + +The `db.query.text` SHOULD be collected by default only if there is sanitization that excludes sensitive information. +Sanitization SHOULD replace all literals with a placeholder value. +Such literals include, but are not limited to, String, Numeric, Date and Time, +Boolean, Interval, Binary, and Hexadecimal literals. +The placeholder value SHOULD be `?`, unless it already has a defined meaning in the given database system, +in which case the instrumentation MAY choose a different placeholder. + +Placeholders in a parameterized query SHOULD not be sanitized. E.g. `where id = $1` can be captured as is. + ## Semantic Conventions for specific database technologies More specific Semantic Conventions are defined for the following database technologies: diff --git a/docs/database/elasticsearch.md b/docs/database/elasticsearch.md index 12dbd1e5ad..d881f79ace 100644 --- a/docs/database/elasticsearch.md +++ b/docs/database/elasticsearch.md @@ -74,7 +74,9 @@ Tracing instrumentations that do so, MUST also set `http.request.method_original **[10]:** When communicating with an Elastic Cloud deployment, this should be collected from the "X-Found-Handling-Cluster" HTTP response header. -**[11]:** For batch operations, if the individual operations are known to have the same query text then that query text SHOULD be used, otherwise all of the individual query texts SHOULD be concatenated with separator `; ` or some other database system specific separator if more applicable. +**[11]:** For sanitization see [Sanitization of `db.query.text`](../../docs/database/database-spans.md#sanitization-of-dbquerytext). +For batch operations, if the individual operations are known to have the same query text then that query text SHOULD be used, otherwise all of the individual query texts SHOULD be concatenated with separator `; ` or some other database system specific separator if more applicable. +Even though parameterized query text can potentially have sensitive data, by using a parameterized query the user is giving a strong signal that any sensitive data will be passed as parameter values, and the benefit to observability of capturing the static part of the query text by default outweighs the risk. **[12]:** Should be collected by default for search-type queries and only if there is sanitization that excludes sensitive information. diff --git a/docs/database/mssql.md b/docs/database/mssql.md index c345b60833..6d03232088 100644 --- a/docs/database/mssql.md +++ b/docs/database/mssql.md @@ -52,9 +52,11 @@ In the case of `EXEC`, this SHOULD be the stored procedure name that is being ex **[8]:** If using a port other than the default port for this DBMS and if `server.address` is set. -**[9]:** For batch operations, if the individual operations are known to have the same query text then that query text SHOULD be used, otherwise all of the individual query texts SHOULD be concatenated with separator `; ` or some other database system specific separator if more applicable. +**[9]:** For sanitization see [Sanitization of `db.query.text`](../../docs/database/database-spans.md#sanitization-of-dbquerytext). +For batch operations, if the individual operations are known to have the same query text then that query text SHOULD be used, otherwise all of the individual query texts SHOULD be concatenated with separator `; ` or some other database system specific separator if more applicable. +Even though parameterized query text can potentially have sensitive data, by using a parameterized query the user is giving a strong signal that any sensitive data will be passed as parameter values, and the benefit to observability of capturing the static part of the query text by default outweighs the risk. -**[10]:** SHOULD be collected by default only if there is sanitization that excludes sensitive information. +**[10]:** SHOULD be collected by default only if there is sanitization that excludes sensitive information. See [Sanitization of `db.query.text`](../../docs/database/database-spans.md#sanitization-of-dbquerytext). **[11]:** When observed from the client side, and when communicating through an intermediary, `server.address` SHOULD represent the server address behind any intermediaries, for example proxies, if it's available. diff --git a/docs/database/sql.md b/docs/database/sql.md index 46d4ba036a..115ec29eaa 100644 --- a/docs/database/sql.md +++ b/docs/database/sql.md @@ -91,9 +91,11 @@ In the case of `EXEC`, this SHOULD be the stored procedure name that is being ex **[8]:** If using a port other than the default port for this DBMS and if `server.address` is set. -**[9]:** For batch operations, if the individual operations are known to have the same query text then that query text SHOULD be used, otherwise all of the individual query texts SHOULD be concatenated with separator `; ` or some other database system specific separator if more applicable. +**[9]:** For sanitization see [Sanitization of `db.query.text`](../../docs/database/database-spans.md#sanitization-of-dbquerytext). +For batch operations, if the individual operations are known to have the same query text then that query text SHOULD be used, otherwise all of the individual query texts SHOULD be concatenated with separator `; ` or some other database system specific separator if more applicable. +Even though parameterized query text can potentially have sensitive data, by using a parameterized query the user is giving a strong signal that any sensitive data will be passed as parameter values, and the benefit to observability of capturing the static part of the query text by default outweighs the risk. -**[10]:** SHOULD be collected by default only if there is sanitization that excludes sensitive information. +**[10]:** SHOULD be collected by default only if there is sanitization that excludes sensitive information. See [Sanitization of `db.query.text`](../../docs/database/database-spans.md#sanitization-of-dbquerytext). **[11]:** When observed from the client side, and when communicating through an intermediary, `server.address` SHOULD represent the server address behind any intermediaries, for example proxies, if it's available. diff --git a/model/registry/db.yaml b/model/registry/db.yaml index c6af1415db..f1efd77a5f 100644 --- a/model/registry/db.yaml +++ b/model/registry/db.yaml @@ -54,9 +54,15 @@ groups: brief: > The database query being executed. note: > + For sanitization see [Sanitization of `db.query.text`](../../docs/database/database-spans.md#sanitization-of-dbquerytext). + For batch operations, if the individual operations are known to have the same query text then that query text SHOULD be used, otherwise all of the individual query texts SHOULD be concatenated with separator `; ` or some other database system specific separator if more applicable. + + Even though parameterized query text can potentially have sensitive data, by using a parameterized query + the user is giving a strong signal that any sensitive data will be passed as parameter values, and the benefit + to observability of capturing the static part of the query text by default outweighs the risk. examples: ['SELECT * FROM wuser_table where username = ?', 'SET mykey "WuValue"'] - id: query.parameter type: template[string] diff --git a/model/trace/database.yaml b/model/trace/database.yaml index 83208f686c..24d92636dd 100644 --- a/model/trace/database.yaml +++ b/model/trace/database.yaml @@ -13,10 +13,6 @@ groups: Parameterized query text SHOULD be collected by default (the query parameter values themselves are opt-in, see [`db.query.parameter.`](../../docs/attributes-registry/db.md)). - note: - Even though parameterized query text can potentially have sensitive data, by using a parameterized query - the user is giving a strong signal that any sensitive data will be passed as parameter values, and the benefit - to observability of capturing the static part of the query text by default outweighs the risk. - ref: db.query.parameter requirement_level: opt_in @@ -29,6 +25,7 @@ groups: requirement_level: recommended: > SHOULD be collected by default only if there is sanitization that excludes sensitive information. + See [Sanitization of `db.query.text`](../../docs/database/database-spans.md#sanitization-of-dbquerytext). - ref: db.query.parameter requirement_level: opt_in - ref: db.collection.name