Skip to content

Add support for filtering traces for certain commands #3519

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Oct 14, 2025
Merged

Add support for filtering traces for certain commands #3519

merged 4 commits into from
Oct 14, 2025

Conversation

Sovietaced
Copy link
Contributor

@Sovietaced Sovietaced commented Sep 14, 2025
edited
Loading

Closes #3516

redisotel can generate traces for Redis commands that include sensitive data (ie. hello command). There currently exists an option to disable the db.statement attribute in traces but this is a global setting.

This pull request adds support for a configurable command filter that will omit traces for commands that filter returns true for. It also adds a basic command filter to filter out sensitive data by default which I feel like should be the correct behavior to prevent security incidents.

@Sovietaced
Add support for filtering commands when tracing
28ab5c9 
Signed-off-by: Jason Parraga <sovietaced@gmail.com>
@Sovietaced Sovietaced marked this pull request as ready for review September 14, 2025 17:46
@Sovietaced Sovietaced changed the title Add support for filtering commands when tracing Add support for filtering traces for certain commands Sep 14, 2025
@Sovietaced
Filter sensitive data by default
83c73f2 
Signed-off-by: Jason Parraga <sovietaced@gmail.com>
@ndyakov
Copy link
Member

ndyakov commented Sep 15, 2025

Hello @Sovietaced and thank you for your contribution. Maybe @vmihailenco can take a look at this. If he doesn't I will around the end of the month.

ndyakov
ndyakov previously approved these changes Sep 17, 2025
View reviewed changes
@ndyakov
Copy link
Member

ndyakov commented Sep 17, 2025

@Sovietaced I can see we have #3481 opened as well, I personally prefer the filtering approach in this PR, but let's discuss with @vmihailenco.

@htemelski-redis feel free to decide which one you prefer when you are back from vacation.

@htemelski-redis
Copy link
Contributor

I also do like this approach.

My only concern is the introduction of the defaultCommandFilter. It changes the tracing behaviour and some people may overlook it when upgrading the go-redis version.

A better approach, in my opinion, would be to rename it to BasicCommandFilter and leave the default filter to be nil

@Sovietaced
Copy link
Contributor Author

My only concern is the introduction of the defaultCommandFilter. It changes the tracing behaviour and some people may overlook it when upgrading the go-redis version.

A better approach, in my opinion, would be to rename it to BasicCommandFilter and leave the default filter to be nil

Ultimately it is up to you all so I'm fine with updating the pull request with whatever decision you make.

My preference is to provide safe defaults that don't cause security incidents since many folks will not spend time customizing these things.

@Sovietaced
Address comments
2caa9d4 
Signed-off-by: Jason Parraga <sovietaced@gmail.com>
@ndyakov
Copy link
Member

ndyakov commented Oct 9, 2025

I do agree with @Sovietaced that we would like to hide the hello and acl commands by default. This may be considered a bugfix, not a breaking change. cc @htemelski-redis

ndyakov
ndyakov approved these changes Oct 14, 2025
View reviewed changes
Copy link
Member

@ndyakov ndyakov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving this, will merge it instead of the alternative.

@ndyakov ndyakov merged commit f7eed76 into redis:master Oct 14, 2025
23 checks passed
@ndyakov ndyakov mentioned this pull request Oct 14, 2025
Closed
@ndyakov ndyakov added the bug label Oct 14, 2025
ndyakov added a commit that referenced this pull request Oct 14, 2025
@Sovietaced @ndyakov
Add support for filtering traces for certain commands (#3519)
7706f88 
* Add support for filtering commands when tracing

Signed-off-by: Jason Parraga <sovietaced@gmail.com>

* Filter sensitive data by default

Signed-off-by: Jason Parraga <sovietaced@gmail.com>

* Address comments

Signed-off-by: Jason Parraga <sovietaced@gmail.com>

---------

Signed-off-by: Jason Parraga <sovietaced@gmail.com>
Co-authored-by: Nedyalko Dyakov <1547186+ndyakov@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ndyakov ndyakov ndyakov approved these changes

Assignees

No one assigned

Labels

bug

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

redisotel leaks passwords in traces

3 participants

@Sovietaced @ndyakov @htemelski-redis