Don't save pg.values on span

[pauldraper]

Or at least make it a configuration option.

1. They are frequently sensitive. (There is more general issue with masking sensitive information, but query values are very often sensitive.)

2. They can be extremely large. Especially arrays.

[vmarchaud]

For the record mysql, ioredis and redis does it too. Mongodb is the only one that "hide" values by replacing them with ?

[sergioregueira]

Storing pg.values by default will eventually leak sensitive data such as user credentials. This issue should be fixed ASAP.

If you agree, I will immediately submit a PR to make it optional unless a storeValues flag is set to true explicitly following an approach similar to opentelemetry-plugin-mongodb.

[dyladan]

What does the spec say about it currently? It was my understanding that data scrubbing was supposed to happen in the collector?

[sergioregueira]

On the one hand, Semantic conventions for General Identity Attributes says the following about enduser.id:

Given the sensitive nature of this information, SDKs and exporters SHOULD drop these attributes by default and then provide a configuration parameter to turn on retention for use cases where the information is required and would not violate any policies or regulations.

On the other hand, Semantic conventions for database Call-level attributes:

• db.statement may be sanitized to exclude sensitive information.
• It is recommended to remove embedded credentials from db.connection_string.
• (no explicit mention to query parameters in the whole page)

IMHO, despite you can filter it out later in the collector/exporter, the data is so sensitive that we should not store it nor send it anywhere unless it is explicitly requested; as MongoDB plugin does with enhancedDatabaseReporting (plugin options).

Anyway, I think that the plugin should warn that it currently logs query parameters by default.

[dyladan]

I think that spec wording is sufficient to change to scrub by default. We may want to provide a config option to capture query values, but I agree it is very sensitive and we shouldn't export it if we can avoid it.

[sergioregueira]

In that case, I would like to contribute submitting that pull request before the end of the week.

The plugin will not add that pg.values attribute to the span unless enhancedDatabaseReporting flag is explicitly set to true on plugin config.

I will replicate as well the behavior in the plugins that @vmarchaud said once this one is approved.

[nwalters512]

@pauldraper I think #174 should have resolved this - can this issue be closed now?

[pauldraper]

Yes, thanks!