merge 1.1.1 hotfix to main (#43688)

TimothyMothra · rajkumar-rangaraj · web-flow · commit 1950db6e1cb3 · 2024-04-29T18:13:25.000Z
* [AzureMonitorDistro] upgrade OpenTelemetry for hotfix (#43432) * hotfix * update changelog * update other packages as well * Update sdk/monitor/Azure.Monitor.OpenTelemetry.AspNetCore/CHANGELOG.md Co-authored-by: Rajkumar Rangaraj <rajrang@microsoft.com> * update changelog with feedback * fix link * add link to breaking changes section * change Distro to override Disable * update changelog * update changelog * update changelog * typo * update changelog --------- Co-authored-by: Rajkumar Rangaraj <rajrang@microsoft.com> * fix broken link * fix broken link * update changelog * edit changelog --------- Co-authored-by: Rajkumar Rangaraj <rajrang@microsoft.com>
diff --git a/eng/Packages.Data.props b/eng/Packages.Data.props
@@ -168,11 +168,11 @@
 
   <ItemGroup Condition="$(MSBuildProjectName.StartsWith('Azure.Monitor.OpenTelemetry'))">
     <!-- OpenTelemetry dependency approved for Azure.Monitor.OpenTelemetry.Exporter package only -->
-    <PackageReference Update="OpenTelemetry" Version="1.8.0" />
-    <PackageReference Update="OpenTelemetry.Exporter.InMemory" Version="1.8.0" />
-    <PackageReference Update="OpenTelemetry.Extensions.Hosting" Version="1.8.0" />
-    <PackageReference Update="OpenTelemetry.Instrumentation.AspNetCore" Version="1.7.0" />
-    <PackageReference Update="OpenTelemetry.Instrumentation.Http" Version="1.7.0" />
+    <PackageReference Update="OpenTelemetry" Version="1.8.1" />
+    <PackageReference Update="OpenTelemetry.Exporter.InMemory" Version="1.8.1" />
+    <PackageReference Update="OpenTelemetry.Extensions.Hosting" Version="1.8.1" />
+    <PackageReference Update="OpenTelemetry.Instrumentation.AspNetCore" Version="1.8.1" />
+    <PackageReference Update="OpenTelemetry.Instrumentation.Http" Version="1.8.1" />
     <PackageReference Update="OpenTelemetry.PersistentStorage.FileSystem" Version="1.0.0" />
     <PackageReference Update="Microsoft.AspNetCore.Http.Abstractions" Version="[2.1.1,6.0)" />
     <PackageReference Update="Microsoft.AspNetCore.Http.Features" Version="[2.1.1,6.0)" />
@@ -334,7 +334,7 @@
     <PackageReference Update="NSubstitute" Version="3.1.0" />
     <PackageReference Update="NUnit" Version="3.13.2" />
     <PackageReference Update="NUnit3TestAdapter" Version="4.4.2" />
-    <PackageReference Update="OpenTelemetry" Version="1.8.0" />
+    <PackageReference Update="OpenTelemetry" Version="1.8.1" />
     <PackageReference Update="OpenTelemetry.Instrumentation.SqlClient" Version="1.6.0-beta.3" />
     <PackageReference Update="Polly" Version="7.1.0" />
     <PackageReference Update="Polly.Contrib.WaitAndRetry" Version="1.1.1" />
diff --git a/sdk/monitor/Azure.Monitor.OpenTelemetry.AspNetCore/CHANGELOG.md b/sdk/monitor/Azure.Monitor.OpenTelemetry.AspNetCore/CHANGELOG.md
@@ -101,6 +101,18 @@
   resource detector to include the Azure Container Apps resource detector.
   ([#41803](https://github.com/Azure/azure-sdk-for-net/pull/41803))
 
+## 1.1.1 (2024-04-26)
+
+### Other Changes
+
+* Update OpenTelemetry dependencies.
+  ([#43432](https://github.com/Azure/azure-sdk-for-net/pull/43432))
+  - OpenTelemetry 1.8.1
+  - OpenTelemetry.Extensions.Hosting 1.8.1
+  - OpenTelemetry.Instrumentation.AspNetCore 1.8.1
+  - OpenTelemetry.Instrumentation.Http 1.8.1
+  - This update is a response to [CVE-2024-32028](https://nvd.nist.gov/vuln/detail/CVE-2024-32028)
+
 ## 1.1.0 (2024-01-25)
 
 ### Other Changes
diff --git a/sdk/monitor/Azure.Monitor.OpenTelemetry.AspNetCore/src/OpenTelemetryBuilderExtensions.cs b/sdk/monitor/Azure.Monitor.OpenTelemetry.AspNetCore/src/OpenTelemetryBuilderExtensions.cs
@@ -8,6 +8,7 @@
 using Azure.Monitor.OpenTelemetry.AspNetCore.LiveMetrics;
 using Azure.Monitor.OpenTelemetry.Exporter;
 using Azure.Monitor.OpenTelemetry.Exporter.Internals.Platform;
+using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.DependencyInjection.Extensions;
 using Microsoft.Extensions.Logging;
@@ -221,6 +222,25 @@ public static OpenTelemetryBuilder UseAzureMonitor(this OpenTelemetryBuilder bui
                 return new Manager(options, new DefaultPlatform());
             });
 
+            builder.Services.AddOptions<AzureMonitorOptions>()
+                .Configure<IConfiguration>((options, config) =>
+                {
+                    // This is a temporary workaround for hotfix GHSA-vh2m-22xx-q94f.
+                    // https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-vh2m-22xx-q94f
+                    // We are disabling the workaround set by OpenTelemetry.Instrumentation.AspNetCore v1.8.1 and OpenTelemetry.Instrumentation.Http v1.8.1.
+                    // The OpenTelemetry Community is deciding on an official stance on this issue and we will align with that final decision.
+                    // TODO: FOLLOW UP ON: https://github.com/open-telemetry/semantic-conventions/pull/961 (2024-04-26)
+                    if (config[EnvironmentVariableConstants.ASPNETCORE_DISABLE_URL_QUERY_REDACTION] == null)
+                    {
+                        config[EnvironmentVariableConstants.ASPNETCORE_DISABLE_URL_QUERY_REDACTION] = Boolean.TrueString;
+                    }
+
+                    if (config[EnvironmentVariableConstants.HTTPCLIENT_DISABLE_URL_QUERY_REDACTION] == null)
+                    {
+                        config[EnvironmentVariableConstants.HTTPCLIENT_DISABLE_URL_QUERY_REDACTION] = Boolean.TrueString;
+                    }
+                });
+
             return builder;
         }
 
diff --git a/sdk/monitor/Azure.Monitor.OpenTelemetry.Exporter/src/Internals/Platform/EnvironmentVariableConstants.cs b/sdk/monitor/Azure.Monitor.OpenTelemetry.Exporter/src/Internals/Platform/EnvironmentVariableConstants.cs
@@ -67,5 +67,23 @@ internal static class EnvironmentVariableConstants
         /// When set to true, exporter will emit resources as metric telemetry.
         /// </summary>
         public const string EXPORT_RESOURCE_METRIC = "OTEL_DOTNET_AZURE_MONITOR_ENABLE_RESOURCE_METRICS";
+
+        /// <summary>
+        /// By default, OpenTelemetry.Instrumenation.AspNetCore v1.8.1 will redact query strings values from URLs.
+        /// This environment variable can be set to true to disable this behavior.
+        /// </summary>
+        /// <remarks>
+        /// <see href="https://github.com/open-telemetry/opentelemetry-dotnet/blob/main/src/OpenTelemetry.Instrumentation.AspNetCore/CHANGELOG.md#181"/>.
+        /// </remarks>
+        public const string ASPNETCORE_DISABLE_URL_QUERY_REDACTION = "OTEL_DOTNET_EXPERIMENTAL_ASPNETCORE_DISABLE_URL_QUERY_REDACTION";
+
+        /// <summary>
+        /// By default, OpenTelemetry.Instrumenation.Http v1.8.1 will redact query string values from URLs.
+        /// This environment variable can be set to true to disable this behavior.
+        /// </summary>
+        /// <remarks>
+        /// <see href="https://github.com/open-telemetry/opentelemetry-dotnet/blob/main/src/OpenTelemetry.Instrumentation.Http/CHANGELOG.md#181"/>.
+        /// </remarks>
+        public const string HTTPCLIENT_DISABLE_URL_QUERY_REDACTION = "OTEL_DOTNET_EXPERIMENTAL_HTTPCLIENT_DISABLE_URL_QUERY_REDACTION";
     }
 }
