From 035fc650a251f1208c6a1c515335d059d793d6d4 Mon Sep 17 00:00:00 2001 From: Anthony Mirabella Date: Thu, 13 May 2021 13:05:44 -0400 Subject: [PATCH] Do not include authentication information in the http.url attribute (#1919) Signed-off-by: Anthony J Mirabella --- CHANGELOG.md | 1 + semconv/http.go | 8 ++++++++ semconv/http_test.go | 13 +++++++++++++ 3 files changed, 22 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index af0c2db06..4a5e0078b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -62,6 +62,7 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm - Remove the `Tracer` method from the `Span` interface in the `go.opentelemetry.io/otel/trace` package. Using the same tracer that created a span introduces the error where an instrumentation library's `Tracer` is used by other code instead of their own. The `"go.opentelemetry.io/otel".Tracer` function or a `TracerProvider` should be used to acquire a library specific `Tracer` instead. (#1900) +- The `http.url` attribute generated by `HTTPClientAttributesFromHTTPRequest` will no longer include username or password information. (#1919) ### Fixed diff --git a/semconv/http.go b/semconv/http.go index b80707981..1efd28771 100644 --- a/semconv/http.go +++ b/semconv/http.go @@ -145,8 +145,16 @@ func HTTPClientAttributesFromHTTPRequest(request *http.Request) []attribute.KeyV attrs = append(attrs, HTTPMethodKey.String(http.MethodGet)) } + // remove any username/password info that may be in the URL + // before adding it to the attributes + userinfo := request.URL.User + request.URL.User = nil + attrs = append(attrs, HTTPURLKey.String(request.URL.String())) + // restore any username/password info that was removed + request.URL.User = userinfo + return append(attrs, httpCommonAttributesFromHTTPRequest(request)...) } diff --git a/semconv/http_test.go b/semconv/http_test.go index 91068442e..99498705c 100644 --- a/semconv/http_test.go +++ b/semconv/http_test.go 
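Review bot: In the semconv/http.go hunk, clearing `request.URL.User` and restoring it a few lines later mutates the caller's `*http.Request` in place, so any goroutine reading the same URL in that window (for example, code already sending the request) can observe it without credentials, and the race detector will flag the write. Redacting a copy avoids touching shared state and needs no restore step: `u := *request.URL`, `u.User = nil`, `attrs = append(attrs, HTTPURLKey.String(u.String()))`. The recorded value still carries the full query string, so secrets passed as query parameters would reach `http.url` unchanged; the comment should say whether that is in scope. The function begins above this hunk, so whether `request.URL` can be nil at this point is not visible here.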
@@ -956,6 +956,19 @@ func TestHTTPClientAttributesFromHTTPRequest(t *testing.T) { attribute.String("http.scheme", "http"), }, }, + { + name: "authentication information is stripped", + method: "", + url: &url.URL{ + Path: "/user/123", + User: url.UserPassword("foo", "bar"), + }, + expected: []attribute.KeyValue{ + attribute.String("http.method", "GET"), + attribute.String("http.url", "/user/123"), + attribute.String("http.scheme", "http"), + }, + }, } for _, tc := range testCases {
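Review bot: The new "authentication information is stripped" case checks only the emitted `http.url`, so the restore half of the change is untested: a regression that leaves `URL.User` nil on the request after the call would still pass. Asserting after the call that the request's `URL.User` still renders as `foo:bar` would pin that behaviour, though that assertion belongs in the loop body, which starts on the last line of this hunk and is not visible here. A second case with a scheme and host set, plus a username-only `url.User("foo")`, would cover the form in which credentials usually appear in a client URL.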