open-telemetry / opentelemetry-php

The OpenTelemetry PHP Library
https://opentelemetry.io/docs/instrumentation/php/
Apache License 2.0

Incorrect attribute value set for TraceAttributes::DB_NAME in wpdb.__connect #1339

Closed jeff-dewan-lumen closed 5 hours ago

jeff-dewan-lumen commented 4 days ago

Describe your environment

The environment is a docker container running WordPress in AWS ECS.

php -v

PHP 8.2.19 (cli) (built: Jun  6 2024 02:19:49) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.2.19, Copyright (c) Zend Technologies
    with Zend OPcache v8.2.19, Copyright (c), by Zend Technologies

composer.json

    "require": {
        "open-telemetry/opentelemetry-auto-wordpress": "^0.0.15",
        "open-telemetry/sdk": "^1.0",
        "open-telemetry/exporter-otlp": "^1.0",
        "php-http/guzzle7-adapter": "^1.0"
    },

Steps to reproduce

Follow the installation steps and inspect the attributes of a trace named wpdb.__connect.

What is the expected behavior?

Expected the database name to appear as the value for the db.name attribute.

What is the actual behavior?

The database password appears as the value for db.name instead.

Additional context

The attribute for the DB name was being incorrectly set to the DB password, resulting in exposed credentials when viewing traces.

WordpressInstrumentation.php

// Pre-hook for wpdb::__construct; $params holds the constructor arguments in declaration order.
// As reported above, index 1 is $dbpassword, not $dbname, so DB_NAME receives the password.
$span = self::builder($instrumentation, 'wpdb.__connect', $function, $class, $filename, $lineno)
    ->setAttribute(TraceAttributes::DB_USER, $params[0] ?? 'unknown')
    ->setAttribute(TraceAttributes::DB_NAME, $params[1] ?? 'unknown')
    ->setAttribute(TraceAttributes::DB_SYSTEM, 'mysql')
    ->startSpan();

wp-includes/class-wpdb.php

public function __construct( $dbuser, $dbpassword, $dbname, $dbhost ) {

$params[1] in the instrumentation corresponds to $dbpassword, which should never be exposed in a trace.

See also https://github.com/open-telemetry/opentelemetry-php-contrib/pull/272

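The root cause above is a hand-counted positional index drifting one slot into the password argument. The following is an added example, not code from opentelemetry-php-contrib or from the issue author, showing one way to make that mistake structurally hard: resolve the wpdb::__construct arguments through the constructor's declared parameter names with an explicit allow-list, and add a check that rejects any attribute value containing the secret. The wpdb stub, the attribute-key constants (stand-ins for OpenTelemetry\SemConv\TraceAttributes::DB_USER, DB_NAME and DB_SYSTEM), the function names and the sample arguments are all constructed for this example.

```php
<?php
// Added example (not the opentelemetry-php-contrib code): map wpdb::__construct
// arguments to span attributes by parameter name instead of by position, so a
// shifted index cannot silently copy $dbpassword into a trace attribute.

// Stand-in for wp-includes/class-wpdb.php: same constructor signature as the
// one quoted in the issue, body omitted.
class wpdb {
    public function __construct( $dbuser, $dbpassword, $dbname, $dbhost ) {}
}

// Semantic-convention attribute keys, spelled out here so the example runs
// without the open-telemetry/sem-conv package (the real constants are
// OpenTelemetry\SemConv\TraceAttributes::DB_USER / DB_NAME / DB_SYSTEM).
const DB_USER   = 'db.user';
const DB_NAME   = 'db.name';
const DB_SYSTEM = 'db.system';

// Constructor parameter name => attribute key. Anything not listed here
// (the password, and the host in this example) is never copied onto the span.
const WPDB_ATTRIBUTE_MAP = [
    'dbuser' => DB_USER,
    'dbname' => DB_NAME,
];

/**
 * Build the attribute array for a wpdb.__connect span from the positional
 * $params array that the pre-hook receives. Positions are looked up through
 * the constructor's declared parameter names, so the mapping follows the
 * signature rather than a hand-counted index.
 */
function wpdbConnectAttributes(array $params): array
{
    $attributes = [DB_SYSTEM => 'mysql'];
    $ctor = new ReflectionMethod(wpdb::class, '__construct');
    foreach ($ctor->getParameters() as $param) {
        $key = WPDB_ATTRIBUTE_MAP[$param->getName()] ?? null;
        if ($key === null) {
            continue; // not allow-listed: dropped, never attached to the span
        }
        $attributes[$key] = $params[$param->getPosition()] ?? 'unknown';
    }
    return $attributes;
}

/**
 * Defence in depth: refuse to emit attributes that contain the secret, so a
 * future mapping mistake fails loudly in tests instead of shipping a leak.
 */
function assertNoSecretInAttributes(array $attributes, string $secret): void
{
    foreach ($attributes as $key => $value) {
        if ($secret !== '' && is_string($value) && str_contains($value, $secret)) {
            throw new RuntimeException("attribute {$key} would expose the database password");
        }
    }
}

// Constructed sample input: the four arguments WordPress passes to new wpdb(...).
$params = ['wp_app', 's3cr3t-pa55', 'wordpress', 'db.internal:3306'];

$attributes = wpdbConnectAttributes($params);
assertNoSecretInAttributes($attributes, $params[1]);
var_export($attributes);
```

In a real hook the returned array would be handed to the span builder via the OpenTelemetry PHP API's SpanBuilderInterface::setAttributes() rather than three separate setAttribute() calls. The allow-list is the important part: a new constructor parameter, or a reordered one, can at worst produce a missing attribute, never a leaked credential.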

weslenteche commented 4 days ago

@brettmc If no one is working on this problem, could you assign it to me?