sql-obfuscation does not sanitize SQL that exceeds size limits #1146
Comments
Going to summarize our conversation from slack. Here are a few things I would like for us to consider:
The OTel spec does not have limits unless specified by Should we only apply a limit if this value is set? In addition to that, if other attributes are truncated, the spec doesn't require that we add any diagnostic information for why an attribute was truncated.
Whoops, linked this to #1149, but since we have more ideas about how to fix obfuscation described in this issue, I reopened it.
@arielvalentin - New versions of the pg, mysql2, and trilogy gems have been released with the #1149 bugfix. See: #1162
👋 This issue has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the
Description of the bug
A recent change to how SQL query comments are prepended to the statement has resulted in triggering logic in the SQL obfuscation helper that bypasses executing the regular expression to sanitize the substring of the query.
opentelemetry-ruby-contrib/helpers/sql-obfuscation/lib/opentelemetry/helpers/sql_obfuscation.rb, line 118 at f817d6b
The regular expression does not seem to match on the comments index and ends up returning the raw contents of the SQL:
We must ensure that SQL is sanitized or omit the statement entirely.
Share details about your runtime
Operating system details: Linux, Ubuntu 20.04 LTS
RUBY_ENGINE: "ruby"
RUBY_VERSION: "3.3.4"
RAILS_VERSION: "8.0.0.alpha"
Share a simplified reproduction if possible
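As an added example (not code from the opentelemetry-ruby-contrib helper or from anyone in this thread), here is a minimal Ruby model of the bug class the issue describes, beside an ordering that sanitizes before it enforces the limit. The function names, the simplified `SQL_LITERALS` pattern and the `sql[0..first_index - 1]` slice are assumptions: the page does not show the helper's actual truncation expression, so the slice is a constructed illustration of how cutting at the first match can return the whole raw statement when a prepended comment is that first match.

```ruby
# Constructed example for this issue, not the opentelemetry-ruby-contrib helper's code.
# Models the bug class: over the size limit, the statement is cut at the first regex
# match instead of being run through the regex. When a prepended /* comment */ is
# that first match, first_index is 0 and sql[0..(0 - 1)] is sql[0..-1]: the whole
# raw statement, literals included, is returned unsanitized.

# Simplified pattern (constructed): block comments, single-quoted strings, numbers.
SQL_LITERALS = %r{/\*.*?\*/|'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b}m

# Buggy ordering: truncate before the first match when over the limit.
def obfuscate_buggy(sql, limit: 2000)
  return sql.gsub(SQL_LITERALS, '?') if sql.size <= limit

  first_index = sql.index(SQL_LITERALS)
  return "#{sql[0, limit]}..." if first_index.nil?

  "#{sql[0..first_index - 1]}..." # first_index == 0 => sql[0..-1] => raw SQL leaks
end

# Safe ordering: obfuscate the entire statement first, then apply the limit to the
# already-sanitized text. Cutting sanitized text cannot expose a literal, because
# every literal is already a '?'. on_overflow: :truncate keeps a prefix, :omit drops
# the statement entirely, which is the other option the issue asks for.
def obfuscate_safe(sql, limit: 2000, on_overflow: :truncate)
  obfuscated = sql.gsub(SQL_LITERALS, '?')
  return obfuscated if obfuscated.size <= limit
  return 'SQL omitted: obfuscated statement exceeds size limit' if on_overflow == :omit

  "#{obfuscated[0, limit]}..."
end

# Constructed statement with a prepended query comment, as query-comment
# instrumentation produces; a small limit stands in for the helper's default.
SAMPLE_SQL = "/*app='shop',controller='orders'*/ SELECT * FROM orders " \
             "WHERE email = 'alice@example.com' AND id = 42"

if $PROGRAM_NAME == __FILE__
  puts "buggy: #{obfuscate_buggy(SAMPLE_SQL, limit: 64)}"
  puts "safe:  #{obfuscate_safe(SAMPLE_SQL, limit: 64)}"
end
```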