Feature/db statement sanitizer #3554

src/OpenTelemetry.Instrumentation.EntityFrameworkCore/.publicApi/PublicAPI.Unshipped.txt

@@ -1,4 +1,6 @@
 OpenTelemetry.Instrumentation.EntityFrameworkCore.EntityFrameworkInstrumentationOptions
+OpenTelemetry.Instrumentation.EntityFrameworkCore.EntityFrameworkInstrumentationOptions.DbStatementSanitizerEnabled.get -> bool
+OpenTelemetry.Instrumentation.EntityFrameworkCore.EntityFrameworkInstrumentationOptions.DbStatementSanitizerEnabled.set -> void
 OpenTelemetry.Instrumentation.EntityFrameworkCore.EntityFrameworkInstrumentationOptions.EntityFrameworkInstrumentationOptions() -> void
 OpenTelemetry.Instrumentation.EntityFrameworkCore.EntityFrameworkInstrumentationOptions.Filter.get -> System.Func<string?, System.Data.IDbCommand!, bool>?
 OpenTelemetry.Instrumentation.EntityFrameworkCore.EntityFrameworkInstrumentationOptions.Filter.set -> void

src/OpenTelemetry.Instrumentation.EntityFrameworkCore/EntityFrameworkInstrumentationOptions.cs

@@ -4,6 +4,7 @@
 using System.Data;
 using System.Diagnostics;
 using Microsoft.Extensions.Configuration;
+using OpenTelemetry.Instrumentation.EntityFrameworkCore.Implementation;
 using static OpenTelemetry.Internal.DatabaseSemanticConventionHelper;
 
 namespace OpenTelemetry.Instrumentation.EntityFrameworkCore;
@@ -64,6 +65,25 @@ internal EntityFrameworkInstrumentationOptions(IConfiguration configuration)
     /// </remarks>
     public Func<string?, IDbCommand, bool>? Filter { get; set; }
 
+    /// <summary>
+    /// Gets or sets a value indicating whether SQL statements should be sanitized
+    /// before being recorded on activities. Default value: <see langword="true"/>.
+    /// </summary>
+    /// <remarks>
+    /// <para>
+    /// When enabled, SQL text is processed to remove literal values and comments
+    /// before it is stored in attributes such as <c>db.statement</c>.
+    /// </para>
+    /// <para>
+    /// <b>WARNING:</b> Disabling SQL statement sanitization may result in sensitive
+    /// data being recorded in telemetry.
+    /// </para>
+    /// <para>
+    /// <b>DbStatementSanitizerEnabled is only supported on .NET runtimes.</b>
+    /// </para>
+    /// </remarks>
+    public bool DbStatementSanitizerEnabled { get; set; } = true;
+
     /// <summary>
     /// Gets or sets a value indicating whether or not the <see cref="EntityFrameworkInstrumentation"/>
     /// should add the names and values of query parameters as the <c>db.query.parameter.{key}</c> tag.

src/OpenTelemetry.Instrumentation.EntityFrameworkCore/Implementation/EntityFrameworkDiagnosticListener.cs

@@ -175,7 +175,7 @@ public override void OnEventWritten(string name, object? payload)
                                 case CommandType.Text:
                                     // Only SQL-like providers support sanitization as we are not
                                     // able to sanitize arbitrary commands for other query dialects.
-                                    bool sanitizeQuery = IsSqlLikeProvider(providerName);
+                                    bool sanitizeQuery = IsSqlLikeProvider(providerName) && this.options.DbStatementSanitizerEnabled;
 
                                     DatabaseSemanticConventionHelper.ApplyConventionsForQueryText(
                                         activity,

src/OpenTelemetry.Instrumentation.SqlClient/.publicApi/PublicAPI.Unshipped.txt

@@ -1,5 +1,7 @@
 #nullable enable
 OpenTelemetry.Instrumentation.SqlClient.SqlClientTraceInstrumentationOptions
+OpenTelemetry.Instrumentation.SqlClient.SqlClientTraceInstrumentationOptions.DbStatementSanitizerEnabled.get -> bool
+OpenTelemetry.Instrumentation.SqlClient.SqlClientTraceInstrumentationOptions.DbStatementSanitizerEnabled.set -> void
 OpenTelemetry.Instrumentation.SqlClient.SqlClientTraceInstrumentationOptions.SqlClientTraceInstrumentationOptions() -> void
 OpenTelemetry.Metrics.SqlClientMeterProviderBuilderExtensions
 OpenTelemetry.Trace.TracerProviderBuilderExtensions

src/OpenTelemetry.Instrumentation.SqlClient/Implementation/SqlClientDiagnosticListener.cs

@@ -168,7 +168,8 @@ public override void OnEventWritten(string name, object? payload)
                                         activity,
                                         commandText,
                                         options.EmitOldAttributes,
-                                        options.EmitNewAttributes);
+                                        options.EmitNewAttributes,
+                                        options.DbStatementSanitizerEnabled);
                                     break;
 
                                 case CommandType.TableDirect:

src/OpenTelemetry.Instrumentation.SqlClient/SqlClientTraceInstrumentationOptions.cs

@@ -106,6 +106,25 @@ internal SqlClientTraceInstrumentationOptions(IConfiguration configuration)
     /// href="https://github.com/open-telemetry/semantic-conventions/blob/main/docs/exceptions/exceptions-spans.md"/>.</para>
     /// </remarks>
     public bool RecordException { get; set; }
+
+    /// <summary>
+    /// Gets or sets a value indicating whether SQL statements should be sanitized
+    /// before being recorded on activities. Default value: <see langword="true"/>.
+    /// </summary>
+    /// <remarks>
+    /// <para>
+    /// When enabled, SQL text is processed to remove literal values and comments
+    /// before it is stored in attributes such as <c>db.statement</c>.
+    /// </para>
+    /// <para>
+    /// <b>WARNING:</b> Disabling SQL statement sanitization may result in sensitive
+    /// data being recorded in telemetry.
+    /// </para>
+    /// <para>
+    /// <b>DbStatementSanitizerEnabled is only supported on .NET runtimes.</b>
+    /// </para>
+    /// </remarks>
+    public bool DbStatementSanitizerEnabled { get; set; } = true;
 #endif
 
 #if !NETFRAMEWORK

test/OpenTelemetry.Instrumentation.SqlClient.Tests/SqlClientIntegrationTests.cs

@@ -32,6 +32,7 @@ public SqlClientIntegrationTests(SqlClientIntegrationTestsFixture fixture)
 #if NET
     [InlineData(CommandType.Text, GetContextInfoQuery, GetContextInfoQuery, false, false, false)]
     [InlineData(CommandType.Text, GetContextInfoQuery, GetContextInfoQuery, false, false, true)]
+    [InlineData(CommandType.Text, "select 1/0", "select 1/0", true, true, false, false)]
 #endif
     [InlineData(CommandType.StoredProcedure, "sp_who", "sp_who")]
     public void SuccessfulCommandTest(
@@ -40,7 +41,8 @@ public void SuccessfulCommandTest(
         string? sanitizedCommandText,
         bool isFailure = false,
         bool recordException = false,
-        bool enableTransaction = false)
+        bool enableTransaction = false,
+        bool dbStatementSanitizerEnabled = true)
     {
         using var scope = EnvironmentVariableScope.Create(
             SqlClientTraceInstrumentationOptions.ContextPropagationLevelEnvVar,
@@ -60,6 +62,7 @@ public void SuccessfulCommandTest(
             {
 #if NET
                 options.RecordException = recordException;
+                options.DbStatementSanitizerEnabled = dbStatementSanitizerEnabled;
 #endif
             })
             .Build();