instana / nodejs

Node.js in-process collectors for Instana
MIT License

Automatically mask basic-auth url credentials #327

Status: Closed (chatko closed this issue 3 years ago)

chatko commented 3 years ago

In the context of a Node runtime, some application dependencies that are using a legacy basic-auth in the URL may get exposed (in plain text) within an account.

For example, a call such as: https://username:password@some.domain.com/api/health

May expose the username:password. We'd like a regex to detect this well-known pattern and mask the sensitive information in the agent. This is already happening within other runtimes (Java/Go).

Instana pointed to this area for a fix: https://github.com/instana/nodejs-sensor/blob/main/packages/core/src/tracing/instrumentation/protocols/httpClient.js#L137

basti1302 commented 3 years ago

@chatko This has landed in version 1.125.0.
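
The masking requested in this issue, sketched as an added example (not code from the thread and not the collector's implementation). The `<redacted>` placeholder, the `maskRecord` helper and the sample record are assumptions made for illustration.

```javascript
// Userinfo is the part of the authority (RFC 3986, section 3.2) before its
// last "@"; the authority ends at the first "/", "?" or "#". The pattern is
// anchored on "://" so matching stays linear on long untrusted strings, and
// the greedy class runs up to the last "@" so "user:p@ss@host" is covered.
const USERINFO = /:\/\/[^\/?#\s]*@/g;
const MASKED = '://<redacted>:<redacted>@'; // placeholder text is an assumption

// Masks credentials in one URL or in every URL embedded in free text.
// Everything outside the userinfo is returned byte-for-byte unchanged.
function maskUrlCredentials(value) {
  if (typeof value !== 'string') return value;
  return value.replace(USERINFO, MASKED);
}

// Hypothetical helper: mask every string in a record before it is reported,
// because credentials also surface in error messages and redirect targets,
// not only in the field that holds the request URL.
function maskRecord(record) {
  if (Array.isArray(record)) return record.map(maskRecord);
  if (record && typeof record === 'object') {
    return Object.fromEntries(
      Object.entries(record).map(([key, val]) => [key, maskRecord(val)])
    );
  }
  return maskUrlCredentials(record);
}

// Constructed sample record (not real span data).
const sample = {
  url: 'https://username:password@some.domain.com/api/health',
  error: 'ECONNREFUSED calling http://svc:p@ss@10.0.0.5:8080/v1',
  params: 'notify=ops@some.domain.com',
  redirects: [
    'https://token@some.domain.com/login', // user name only
    'https://some.domain.com/users/@me',   // "@" in the path, no userinfo
  ],
};

console.log(JSON.stringify(maskRecord(sample), null, 2));
```

A password containing an unencoded `/`, `?` or `#` falls outside the authority component and is not matched, so such values have to be percent-encoded where the URL is built.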