Closed jeff-dewan-lumen closed 5 hours ago
Describe your environment
The environment is a docker container running WordPress in AWS ECS.
php -v
PHP 8.2.19 (cli) (built: Jun 6 2024 02:19:49) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.2.19, Copyright (c) Zend Technologies
    with Zend OPcache v8.2.19, Copyright (c), by Zend Technologies
composer.json
"require": {
    "open-telemetry/opentelemetry-auto-wordpress": "^0.0.15",
    "open-telemetry/sdk": "^1.0",
    "open-telemetry/exporter-otlp": "^1.0",
    "php-http/guzzle7-adapter": "^1.0"
},
Steps to reproduce
Follow the installation steps and inspect the attributes of a trace named wpdb.__connect.
What is the expected behavior?
Expected the database name to appear as the value for the db.name attribute.
What is the actual behavior?
The database password appears as the value for db.name instead.
Additional context
The attribute for the DB name was being incorrectly set to the DB password, resulting in exposed credentials when viewing traces.
WordpressInstrumentation.php
$span = self::builder($instrumentation, 'wpdb.__connect', $function, $class, $filename, $lineno)
    ->setAttribute(TraceAttributes::DB_USER, $params[0] ?? 'unknown')
    ->setAttribute(TraceAttributes::DB_NAME, $params[1] ?? 'unknown')
    ->setAttribute(TraceAttributes::DB_SYSTEM, 'mysql')
    ->startSpan();
wp-includes/class-wpdb.php
public function __construct( $dbuser, $dbpassword, $dbname, $dbhost ) {
params[1] in the instrumentation corresponds to $dbpassword, which should never be exposed in a trace.
See also https://github.com/open-telemetry/opentelemetry-php-contrib/pull/272
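Added example (not code from this issue or from the opentelemetry-php-contrib project): a stand-alone PHP script that maps the positional arguments of wpdb::__construct( $dbuser, $dbpassword, $dbname, $dbhost ) to span attributes, shows the buggy index-1 mapping next to the corrected index-2 mapping, and runs a simple leak check that a unit test can use to catch a credential landing in any attribute value. The attribute keys are written as literal strings in place of the TraceAttributes constants, and the argument values are constructed sample data.

```php
<?php
// Added example, not the project's code. Demonstrates why $params[1] is wrong
// for db.name and how a test can assert that the password never reaches a span.
declare(strict_types=1);

// Argument positions of wpdb::__construct( $dbuser, $dbpassword, $dbname, $dbhost )
// as declared in wp-includes/class-wpdb.php.
const WPDB_ARG_USER     = 0;
const WPDB_ARG_PASSWORD = 1;
const WPDB_ARG_NAME     = 2;
const WPDB_ARG_HOST     = 3;

// The mapping reported in the issue: index 1 is the password, not the database name.
// Literal keys stand in for TraceAttributes::DB_USER / DB_NAME / DB_SYSTEM (assumption).
function buggyConnectAttributes(array $params): array
{
    return [
        'db.user'   => $params[0] ?? 'unknown',
        'db.name'   => $params[1] ?? 'unknown',
        'db.system' => 'mysql',
    ];
}

// Corrected mapping: the name lives at index 2, and index 1 is never read.
function fixedConnectAttributes(array $params): array
{
    return [
        'db.user'   => $params[WPDB_ARG_USER] ?? 'unknown',
        'db.name'   => $params[WPDB_ARG_NAME] ?? 'unknown',
        'db.system' => 'mysql',
    ];
}

// Leak check for a unit test: true if any attribute value equals (or contains) the secret.
function leaksSecret(array $attributes, string $secret): bool
{
    if ($secret === '') {
        return false;
    }
    foreach ($attributes as $value) {
        if (is_string($value) && str_contains($value, $secret)) {
            return true;
        }
    }
    return false;
}

// Constructed sample arguments, in the order wpdb::__construct() receives them.
$params = ['wp_app', 'example-db-password', 'wordpress', 'db.internal'];
$secret = $params[WPDB_ARG_PASSWORD];

printf("buggy mapping leaks password: %s\n", leaksSecret(buggyConnectAttributes($params), $secret) ? 'yes' : 'no');
printf("fixed mapping leaks password: %s\n", leaksSecret(fixedConnectAttributes($params), $secret) ? 'yes' : 'no');
```

Running the script with `php` prints that the buggy mapping leaks the password and the fixed one does not; wiring leaksSecret() into the instrumentation's test suite, with a distinctive dummy password, guards against the same positional slip being reintroduced.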
@brettmc If no one is working on this problem, could you assign it to me?