Updated the aiohttp-server implementation and the query redaction logic

Author: rads-1996

instrumentation/opentelemetry-instrumentation-aiohttp-server/src/opentelemetry/instrumentation/aiohttp_server/__init__.py

@@ -149,16 +149,6 @@ def collect_request_attributes(request: web.Request) -> Dict:
         str(request.url),
     )
 
-    user_info = request.headers.get("Authorization")
-    if user_info and http_url and "@" not in http_url:
-        # If there are credentials in Authorization header but not in URL
-        # Add dummy credentials that will be redacted
-        parsed = urllib.parse.urlparse(http_url)
-        netloc_with_auth = f"username:password@{parsed.netloc}"
-        http_url = urllib.parse.urlunparse(
-            (parsed.scheme, netloc_with_auth, parsed.path, parsed.params, parsed.query, parsed.fragment)
-        )
-        
     query_string = request.query_string
     if query_string and http_url:
         if isinstance(query_string, bytes):

instrumentation/opentelemetry-instrumentation-aiohttp-server/tests/test_aiohttp_server_integration.py

@@ -185,7 +185,7 @@ async def handler(request):
     span = spans[0]
     assert span.attributes[HTTP_METHOD] == "GET"
     assert span.attributes[HTTP_STATUS_CODE] == 200
-    assert span.attributes[HTTP_URL] == f"http://REDACTED:REDACTED@{server.host}:{server.port}/status/200?Signature=REDACTED"
+    assert span.attributes[HTTP_URL] == f"http://{server.host}:{server.port}/status/200?Signature=REDACTED"
 
     # Clean up
     AioHttpServerInstrumentor().uninstrument()

util/opentelemetry-util-http/src/opentelemetry/util/http/__init__.py

@@ -20,7 +20,7 @@
 from re import compile as re_compile
 from re import search
 from typing import Callable, Iterable, overload
-from urllib.parse import urlparse, urlunparse
+from urllib.parse import urlparse, urlunparse, parse_qs, urlencode
 
 from opentelemetry.semconv.trace import SpanAttributes
 
@@ -263,33 +263,19 @@ def redact_query_parameters(url: str) -> str:
         parsed = urlparse(url)
         if not parsed.query:  # No query parameters to redact
             return url
-            
-        # Check if any of the sensitive parameters are in the query
-        has_sensitive_params = any(param + "=" in parsed.query for param in PARAMS_TO_REDACT)
-        if not has_sensitive_params:
+        query_params = parse_qs(parsed.query)
+        if not any(param in query_params for param in PARAMS_TO_REDACT):
             return url
-            
-        # Process query parameters
-        query_parts: list[str] = []
-        for query_part in parsed.query.split("&"):
-            if "=" in query_part:
-                param_name, _ = query_part.split("=", 1) # Parameter name and value
-                if param_name in PARAMS_TO_REDACT:
-                    query_parts.append(f"{param_name}=REDACTED")
-                else:
-                    query_parts.append(query_part)
-            else:
-                query_parts.append(query_part)  # Handle params with no value
-                
-        # Reconstruct the URL with redacted query parameters
-        redacted_query = "&".join(query_parts)
+        for param in PARAMS_TO_REDACT:
+            if param in query_params:
+                query_params[param] = ["REDACTED"]
         return urlunparse(
             (
                 parsed.scheme,
                 parsed.netloc,
                 parsed.path,
                 parsed.params,
-                redacted_query,
+                urlencode(query_params, doseq=True),
                 parsed.fragment,
             )
         )