metrics: sanitize RPC URLs before recording latency labels #103

Open

guandali wants to merge 2 commits into main from lli/rpc-endpoint-sanitize
Conversation

@guandali (Contributor)

@guandali guandali commented Apr 15, 2026

Description

Strip userinfo and query, redact path segments that look like API keys,
and apply sanitization inside RecordRequest so Prometheus and OpenTelemetry
never receive full credentials. Add synthetic table tests mirroring common
provider URL shapes and an optional RPC_URL_SANITIZE_FIXTURES env-driven test
for local validation without committing secrets.
@guandali guandali requested a review from a team as a code owner April 15, 2026 15:42
github-actions bot commented Apr 15, 2026

📊 API Diff Results

No changes detected for module github.com/smartcontractkit/chainlink-framework/metrics

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 33eebb506a

Comment on lines +41 to +42
if !isOpaqueURLPathToken(seg) {
return false
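Review bot: the early `return false` when `isOpaqueURLPathToken(seg)` fails makes the detector fail open: any segment containing a character outside the accepted alphabet is exported verbatim as a label value. That is the wrong default for a sanitizer, since a false positive only costs a less specific label while a false negative leaks a credential. Suggest either widening the accepted alphabet to the standard base64 set (`+`, `/`, `=`) or, better, inverting the default so that any long opaque segment that is not on a short allowlist of known path words (version prefixes, network names) is redacted.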
P1: Redact base64-style API key path segments

The sensitive-segment detector returns early unless the segment is strictly alphanumeric plus -/_, so path tokens containing common credential characters like + or = are treated as non-sensitive and exported unchanged. In environments where an RPC provider uses base64/base64-like keys in the URL path, RecordRequest will still emit full credentials into Prometheus and OpenTelemetry labels, which defeats the security goal of this change.

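Added example, not code from this PR or the chainlink-framework metrics package: a Go sanitizer in the shape the description and the Codex finding call for, using the hypothetical names SanitizeRPCURL and looksLikeAPIKey. It drops userinfo, query and fragment, and redacts long opaque path segments using the full base64 alphabet so keys containing '+' or '=' are caught; the length threshold, the mixed-class heuristic and the "<redacted>" placeholder are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// opaqueToken accepts hex, base64 and URL-safe base64 alphabets. A stricter
// [A-Za-z0-9_-] check would let keys containing '+' or '=' through unredacted.
var opaqueToken = regexp.MustCompile(`^[A-Za-z0-9_+/=-]+$`)

const minKeyLen = 16 // assumed threshold; "v2" and "mainnet" stay as useful labels

// looksLikeAPIKey reports whether a path segment should be redacted.
func looksLikeAPIKey(seg string) bool {
	if len(seg) < minKeyLen || !opaqueToken.MatchString(seg) {
		return false
	}
	if strings.HasSuffix(seg, "=") { // base64 padding is a strong signal
		return true
	}
	// Plain path words ("archive-node-ethereum") are single-case letters; keys
	// mix digits with letters or mix case. Treat either mix as a credential.
	hasDigit := strings.ContainsAny(seg, "0123456789")
	hasLower := strings.ToUpper(seg) != seg
	hasUpper := strings.ToLower(seg) != seg
	return hasDigit || (hasLower && hasUpper)
}

// SanitizeRPCURL keeps scheme, host and path, replaces key-like path segments
// with "<redacted>", and drops userinfo, query and fragment entirely.
func SanitizeRPCURL(rawURL string) string {
	u, err := url.Parse(rawURL)
	if err != nil || u.Host == "" {
		return "<invalid>" // fail closed: never echo unparsed input into a label
	}
	segs := strings.Split(u.Path, "/")
	for i, s := range segs {
		if looksLikeAPIKey(s) {
			segs[i] = "<redacted>"
		}
	}
	return u.Scheme + "://" + u.Host + strings.Join(segs, "/")
}

func main() {
	fmt.Println(SanitizeRPCURL("wss://user:pw@rpc.example.test/v2/YWJjZGVmZ2hpamtsbW5vcA==?key=1"))
}
```

Standard base64 keys that contain '/' are split into several segments by the path splitter and each piece is judged on its own, so a provider using such keys needs a whole-path check rather than a per-segment one.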
