contrib/go-redis/redis.v8: add Option to Exclude Raw Command #1026
Conversation
Co-authored-by: Gabriel Aszalos <[email protected]>
Co-authored-by: Gabriel Aszalos <[email protected]>
|
@shannontan-bolt : Thanks for working on this. I am also in need of this change. |
There was a problem hiding this comment.
Thanks for this PR @shannontan-bolt and sorry for not receiving a reply earlier.
I'm on the profiling team, so please take my comments with a grain of salt, but here is what I think:
- This change is absolutely needed. This is a DDoS vector and a potential leak for PII. I would suggest
excludeRawCommandto betrueby default. - The code LGTM (but I have not tested it beyond visual inspection).
@knusbaum PTAL as well.
| @@ -102,14 +102,18 @@ func (ddh *datadogHook) BeforeProcess(ctx context.Context, cmd redis.Cmder) (con | |||
| raw := cmd.String() | |||
| length := strings.Count(raw, " ") | |||
| p := ddh.params | |||
| opts := make([]ddtrace.StartSpanOption, 0, 5+len(ddh.additionalTags)+1) // 5 options below + for additionalTags + for analyticsRate | |||
| var opts []ddtrace.StartSpanOption | |||
There was a problem hiding this comment.
NIT: Generally I'm okay with not pre-allocating the arrays backing a slice unless it has a significant performance impact. I'm not sure if this analysis has been done here, but assuming it was, this change here could be a small performance regression.
Have you considered just keeping this line (and the one in BeforeProcessPipeline) as-is? As far as I can tell that should work just fine.
|
|
||
| if !p.config.excludeRawCommand { | ||
| opts = append(opts, tracer.Tag("redis.raw_command", raw)) | ||
| } | ||
|
|
There was a problem hiding this comment.
| if !p.config.excludeRawCommand { | |
| opts = append(opts, tracer.Tag("redis.raw_command", raw)) | |
| } | |
| if !p.config.excludeRawCommand { | |
| opts = append(opts, tracer.Tag("redis.raw_command", raw)) | |
| } |
|
|
||
| if !p.config.excludeRawCommand { | ||
| opts = append(opts, | ||
| tracer.Tag("redis.raw_command", raw), | ||
| tracer.Tag(ext.ResourceName, raw)) | ||
| } | ||
|
|
There was a problem hiding this comment.
| if !p.config.excludeRawCommand { | |
| opts = append(opts, | |
| tracer.Tag("redis.raw_command", raw), | |
| tracer.Tag(ext.ResourceName, raw)) | |
| } | |
| if !p.config.excludeRawCommand { | |
| opts = append(opts, | |
| tracer.Tag("redis.raw_command", raw), | |
| tracer.Tag(ext.ResourceName, raw)) | |
| } |
gbbr
changed the title
| // WithExcludeRawCommand sets the option to exclude the raw command | ||
| // for when the command/cache might contain sensitive data |
There was a problem hiding this comment.
I don't understand this part. The Datadog Agent obfuscates this tag and hides all parameters. Why would the fact that it contains sensitive data be an issue?
| // WithExcludeRawCommand sets the option to exclude the raw command | |
| // for when the command/cache might contain sensitive data | |
| // SkipRawCommand determines the integration to skip setting the raw command | |
| // in the redis.raw_command tag of a span. |
As for the doc, we should be a bit more specific on what it does.
|
|
||
| // WithExcludeRawCommand sets the option to exclude the raw command | ||
| // for when the command/cache might contain sensitive data | ||
| func WithExcludeRawCommand(exclude bool) ClientOption { |
There was a problem hiding this comment.
| func WithExcludeRawCommand(exclude bool) ClientOption { | |
| func SkipRawCommand(skip bool) ClientOption { |
I think this would be better, unless it's bad that we don't have the With* prefix?
| if !p.config.excludeRawCommand { | ||
| opts = append(opts, | ||
| tracer.Tag("redis.raw_command", raw), | ||
| tracer.Tag(ext.ResourceName, raw)) |
There was a problem hiding this comment.
Sorry for missing this. The resource name is 100% mandatory for all spans. We can not leave it out.
|
@gbbr, to be perfectly honest, it might be easier if you try to fix this. I find that my local environment regarding dependencies + tests for this repo is kinda messed up so I find it hard to test this work on it without my IDE complaining about missing dependencies after syncing the go.mod file. That's very confusing though that the ResourceName requires the raw command. The raw command contains the entire value that we are sending to Redis, which can include sensitive values. Imagine for example that you wanted to put IP address as a rate limit key. The real issue for us was that we were trying to save an object of data in a Redis cache and that meant this large blob was putting put as a tag with tracing. If it is required though, which is fine, we should probably use something else? |
Not exactly sure I understand what there is to fix? All you need to do is to run
Let's continue this discussion in the issue you've opened (#1022). I've already explained there that these values are obfuscated, and no sensitive values will leave the Datadog Agent.
Answered in the issue. |
|
Superseded by #1091 |
Intends on solving #1022.
I couldn't figure out how to get the tests run locally sadly, so 🤞🏼 that this works.