fix: redact sensitive headers in tonic debug logs

rornic · rornic · commit eae289fc9389 · 2026-05-03T14:37:42.000+01:00
Adds function that ensures headers that look sensitive are redacted, to be used inside debug logs.

Attempted a parameterised test but `run_env_test` only accepts static strings for env vars.
diff --git a/opentelemetry-otlp/src/exporter/tonic/mod.rs b/opentelemetry-otlp/src/exporter/tonic/mod.rs
@@ -231,7 +231,9 @@ impl TonicExporterBuilder {
 
         let compression = self.resolve_compression(signal_compression_var)?;
 
-        let (headers_from_env, headers_for_logging) = parse_headers_from_env(signal_headers_var);
+        let (headers_from_env, all_headers) = parse_headers_from_env(signal_headers_var);
+        let headers_for_logging = redact_sensitive_headers(all_headers);
+
         let metadata = merge_metadata_with_headers_from_env(
             self.tonic_config.metadata.unwrap_or_default(),
             headers_from_env,
@@ -608,6 +610,25 @@ fn parse_headers_from_env(signal_headers_var: &str) -> (HeaderMap, Vec<(String,
     )
 }
 
+fn redact_sensitive_headers(headers: Vec<(String, String)>) -> Vec<(String, String)> {
+    headers
+        .iter()
+        .map(|(k, v)| {
+            let header_name = k.to_lowercase();
+            let value = v.to_lowercase();
+            if header_name.contains("auth")
+                || header_name.contains("api-key")
+                || header_name.contains("token")
+                || value.contains("bearer")
+            {
+                (k.clone(), "[REDACTED]".to_string())
+            } else {
+                (k.clone(), v.clone())
+            }
+        })
+        .collect()
+}
+
 /// Expose interface for modifying [TonicConfig] fields within the exporter builders.
 pub(crate) trait HasTonicConfig {
     /// Return a mutable reference to the export config within the exporter builders.
@@ -807,7 +828,7 @@ impl<B: HasTonicConfig> WithTonicConfig for B {
 #[cfg(test)]
 mod tests {
     use crate::exporter::tests::run_env_test;
-    use crate::exporter::tonic::WithTonicConfig;
+    use crate::exporter::tonic::{redact_sensitive_headers, WithTonicConfig};
     #[cfg(feature = "grpc-tonic")]
     use crate::exporter::Compression;
     use crate::{TonicExporterBuilder, OTEL_EXPORTER_OTLP_TRACES_ENDPOINT};
@@ -981,6 +1002,24 @@ mod tests {
         );
     }
 
+    #[test]
+    fn test_sensitive_headers_redacted() {
+        run_env_test(
+            vec![(
+                OTEL_EXPORTER_OTLP_HEADERS,
+                "authorization=Bearer my-secret-token",
+            )],
+            || {
+                let headers_from_env = super::parse_headers_from_env(OTEL_EXPORTER_OTLP_HEADERS);
+                let redacted = redact_sensitive_headers(headers_from_env.1);
+
+                let (_, header_value) =
+                    redacted.iter().find(|(k, _)| k == "authorization").unwrap();
+                assert_eq!(*header_value, "[REDACTED]".to_string())
+            },
+        );
+    }
+
     #[test]
     fn test_priority_of_signal_env_over_generic_env_for_endpoint() {
         run_env_test(
