Scrub secrets from process arguments

laurit · laurit · commit 32e7957bf471 · 2025-02-05T14:36:26.000+02:00
diff --git a/instrumentation/resources/library/build.gradle.kts b/instrumentation/resources/library/build.gradle.kts
@@ -84,6 +84,17 @@ testing {
 }
 
 tasks {
+  test {
+    dependsOn(jar)
+    doFirst {
+      // use test the final jar instead of directories with built classes to test the mrjar functionality
+      classpath = jar.get().outputs.files + classpath
+    }
+    systemProperty("testSecret", "test")
+    systemProperty("testPassword", "test")
+    systemProperty("testNotRedacted", "test")
+  }
+
   check {
     dependsOn(testing.suites)
   }
diff --git a/instrumentation/resources/library/src/main/java/io/opentelemetry/instrumentation/resources/ProcessResource.java b/instrumentation/resources/library/src/main/java/io/opentelemetry/instrumentation/resources/ProcessResource.java
@@ -14,7 +14,6 @@
 import java.lang.management.ManagementFactory;
 import java.lang.management.RuntimeMXBean;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.List;
 import java.util.Locale;
 import java.util.regex.Pattern;
@@ -35,6 +34,9 @@ public final class ProcessResource {
   // Important: This is statically used in buildResource, so must be declared/initialized first.
   private static final Pattern JAR_FILE_PATTERN =
       Pattern.compile("^\\S+\\.(jar|war)", Pattern.CASE_INSENSITIVE);
+  // scrub values for system properties containing "secret" or "password" in the name
+  private static final Pattern SCRUB_PATTERN =
+      Pattern.compile("(-D.*(password|secret).*=).*", Pattern.CASE_INSENSITIVE);
 
   private static final Resource INSTANCE = buildResource();
 
@@ -94,12 +96,14 @@ private static Resource doBuildResource() {
       if (args.length > 0) {
         List<String> commandArgs = new ArrayList<>(args.length + 1);
         commandArgs.add(executablePath.toString());
-        commandArgs.addAll(Arrays.asList(args));
+        for (String arg : args) {
+          commandArgs.add(scrub(arg));
+        }
         attributes.put(PROCESS_COMMAND_ARGS, commandArgs);
       } else { // Java 8
         StringBuilder commandLine = new StringBuilder(executablePath);
         for (String arg : runtime.getInputArguments()) {
-          commandLine.append(' ').append(arg);
+          commandLine.append(' ').append(scrub(arg));
         }
         // sun.java.command isn't well document and may not be available on all systems.
         String javaCommand = System.getProperty("sun.java.command");
@@ -118,5 +122,9 @@ private static Resource doBuildResource() {
     return Resource.create(attributes.build(), SchemaUrls.V1_24_0);
   }
 
+  private static String scrub(String argument) {
+    return SCRUB_PATTERN.matcher(argument).replaceFirst("$1***");
+  }
+
   private ProcessResource() {}
 }
diff --git a/instrumentation/resources/library/src/test/java/io/opentelemetry/instrumentation/resources/ProcessResourceTest.java b/instrumentation/resources/library/src/test/java/io/opentelemetry/instrumentation/resources/ProcessResourceTest.java
@@ -19,32 +19,39 @@ class ProcessResourceTest {
   @Test
   @SetSystemProperty(key = "os.name", value = "Linux 4.12")
   void notWindows() {
-    Resource resource = ProcessResource.buildResource();
-    assertThat(resource.getSchemaUrl()).isEqualTo(SchemaUrls.V1_24_0);
-    Attributes attributes = resource.getAttributes();
-
-    assertThat(attributes.get(ProcessIncubatingAttributes.PROCESS_PID)).isGreaterThan(1);
-    assertThat(attributes.get(ProcessIncubatingAttributes.PROCESS_EXECUTABLE_PATH))
-        .matches(".*[/\\\\]java");
-    assertThat(attributes.get(ProcessIncubatingAttributes.PROCESS_COMMAND_LINE))
-        .contains(attributes.get(ProcessIncubatingAttributes.PROCESS_EXECUTABLE_PATH));
-    // With Java 9+ and a compiled jar, ResourceAttributes.PROCESS_COMMAND_ARGS
-    // will be set instead of ResourceAttributes.PROCESS_COMMAND_LINE
+    assertResource(false);
   }
 
   @Test
   @SetSystemProperty(key = "os.name", value = "Windows 10")
   void windows() {
+    assertResource(true);
+  }
+
+  private static void assertResource(boolean windows) {
     Resource resource = ProcessResource.buildResource();
     assertThat(resource.getSchemaUrl()).isEqualTo(SchemaUrls.V1_24_0);
     Attributes attributes = resource.getAttributes();
 
     assertThat(attributes.get(ProcessIncubatingAttributes.PROCESS_PID)).isGreaterThan(1);
     assertThat(attributes.get(ProcessIncubatingAttributes.PROCESS_EXECUTABLE_PATH))
-        .matches(".*[/\\\\]java\\.exe");
-    assertThat(attributes.get(ProcessIncubatingAttributes.PROCESS_COMMAND_LINE))
-        .contains(attributes.get(ProcessIncubatingAttributes.PROCESS_EXECUTABLE_PATH));
+        .matches(windows ? ".*[/\\\\]java\\.exe" : ".*[/\\\\]java");
+
     // With Java 9+ and a compiled jar, ResourceAttributes.PROCESS_COMMAND_ARGS
     // will be set instead of ResourceAttributes.PROCESS_COMMAND_LINE
+    boolean java8 = "1.8".equals(System.getProperty("java.specification.version"));
+    if (java8) {
+      assertThat(attributes.get(ProcessIncubatingAttributes.PROCESS_COMMAND_LINE))
+          .contains(attributes.get(ProcessIncubatingAttributes.PROCESS_EXECUTABLE_PATH))
+          .contains("-DtestSecret=***")
+          .contains("-DtestPassword=***")
+          .contains("-DtestNotRedacted=test");
+    } else {
+      assertThat(attributes.get(ProcessIncubatingAttributes.PROCESS_COMMAND_ARGS))
+          .contains(attributes.get(ProcessIncubatingAttributes.PROCESS_EXECUTABLE_PATH))
+          .contains("-DtestSecret=***")
+          .contains("-DtestPassword=***")
+          .contains("-DtestNotRedacted=test");
+    }
   }
 }
