Do not include authentication information in the http.url attribute (#1919)

Signed-off-by: Anthony J Mirabella <a9@aneurysm9.com>

CHANGELOG.md

@@ -62,6 +62,7 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 - Remove the `Tracer` method from the `Span` interface in the `go.opentelemetry.io/otel/trace` package.
   Using the same tracer that created a span introduces the error where an instrumentation library's `Tracer` is used by other code instead of their own.
   The `"go.opentelemetry.io/otel".Tracer` function or a `TracerProvider` should be used to acquire a library specific `Tracer` instead. (#1900)
+- The `http.url` attribute generated by `HTTPClientAttributesFromHTTPRequest` will no longer include username or password information. (#1919)
 
 ### Fixed
 

semconv/http.go

@@ -145,8 +145,16 @@ func HTTPClientAttributesFromHTTPRequest(request *http.Request) []attribute.KeyV
 		attrs = append(attrs, HTTPMethodKey.String(http.MethodGet))
 	}
 
+	// remove any username/password info that may be in the URL
+	// before adding it to the attributes
+	userinfo := request.URL.User
+	request.URL.User = nil
+
 	attrs = append(attrs, HTTPURLKey.String(request.URL.String()))
 
+	// restore any username/password info that was removed
+	request.URL.User = userinfo
+
 	return append(attrs, httpCommonAttributesFromHTTPRequest(request)...)
 }
 

semconv/http_test.go

@@ -956,6 +956,19 @@ func TestHTTPClientAttributesFromHTTPRequest(t *testing.T) {
 				attribute.String("http.scheme", "http"),
 			},
 		},
+		{
+			name:   "authentication information is stripped",
+			method: "",
+			url: &url.URL{
+				Path: "/user/123",
+				User: url.UserPassword("foo", "bar"),
+			},
+			expected: []attribute.KeyValue{
+				attribute.String("http.method", "GET"),
+				attribute.String("http.url", "/user/123"),
+				attribute.String("http.scheme", "http"),
+			},
+		},
 	}
 
 	for _, tc := range testCases {