Sql sanitizer should by default treat double-quoted fragments as string literals (#15582)

Co-authored-by: Trask Stalnaker <trask.stalnaker@gmail.com>

Author: laurit

conventions/src/main/kotlin/io/opentelemetry/instrumentation/gradle/StaticImportFormatter.kt

@@ -61,6 +61,11 @@ class StaticImportFormatter : FormatterFunc, Serializable {
         "io.opentelemetry.instrumentation.api.internal.SemconvStability",
         "emit[a-zA-Z0-9]*"
       ),
+      Triple(
+        "SqlDialect",
+        "io.opentelemetry.instrumentation.api.incubator.semconv.db.SqlDialect", 
+        "DOUBLE_QUOTES_ARE_[A-Z_]+"
+      ),
       Triple("Collectors", "java.util.stream.Collectors", "[a-z][a-zA-Z0-9]*"),
     )
 

instrumentation-api-incubator/src/main/java/io/opentelemetry/instrumentation/api/incubator/semconv/db/DbClientSpanNameExtractor.java

@@ -183,6 +183,7 @@ private SqlClientSpanNameExtractor(SqlClientAttributesGetter<REQUEST, ?> getter)
     @Override
     public String extract(REQUEST request) {
       String namespace = getter.getDbNamespace(request);
+      SqlDialect dialect = getter.getSqlDialect(request);
       Collection<String> rawQueryTexts = getter.getRawQueryTexts(request);
 
       if (rawQueryTexts.isEmpty()) {
@@ -202,8 +203,8 @@ public String extract(REQUEST request) {
         if (rawQueryTexts.size() > 1) { // for backcompat(?)
           return computeSpanName(namespace, null, null, null);
         }
-        SqlQuery analyzedQuery = SqlQueryAnalyzerUtil.analyze(rawQueryTexts.iterator().next());
-
+        SqlQuery analyzedQuery =
+            SqlQueryAnalyzerUtil.analyze(rawQueryTexts.iterator().next(), dialect);
         return computeSpanName(
             namespace,
             analyzedQuery.getOperationName(),
@@ -213,7 +214,7 @@ public String extract(REQUEST request) {
 
       if (rawQueryTexts.size() == 1) {
         String rawQueryText = rawQueryTexts.iterator().next();
-        SqlQuery analyzedQuery = SqlQueryAnalyzerUtil.analyzeWithSummary(rawQueryText);
+        SqlQuery analyzedQuery = SqlQueryAnalyzerUtil.analyzeWithSummary(rawQueryText, dialect);
         boolean batch = isBatch(request);
         String querySummary = analyzedQuery.getQuerySummary();
         if (querySummary != null) {
@@ -223,7 +224,7 @@ public String extract(REQUEST request) {
             getter, request, batch ? "BATCH" : null, null, analyzedQuery.getStoredProcedureName());
       }
 
-      MultiQuery multiQuery = MultiQuery.analyzeWithSummary(rawQueryTexts, false);
+      MultiQuery multiQuery = MultiQuery.analyzeWithSummary(rawQueryTexts, dialect, false);
       String querySummary = multiQuery.getQuerySummary();
       if (querySummary != null) {
         return querySummary;
@@ -266,7 +267,9 @@ public String extract(REQUEST request) {
       Collection<String> rawQueryTexts = getter.getRawQueryTexts(request);
       String operationName = null;
       if (rawQueryTexts.size() == 1) {
-        SqlQuery analyzedQuery = SqlQueryAnalyzerUtil.analyze(rawQueryTexts.iterator().next());
+        String rawQuery = rawQueryTexts.iterator().next();
+        SqlDialect dialect = getter.getSqlDialect(request);
+        SqlQuery analyzedQuery = SqlQueryAnalyzerUtil.analyze(rawQuery, dialect);
         operationName = analyzedQuery.getOperationName();
       }
       if (operationName == null) {

instrumentation-api-incubator/src/main/java/io/opentelemetry/instrumentation/api/incubator/semconv/db/MultiQuery.java

@@ -24,12 +24,12 @@ private MultiQuery(
   }
 
   static MultiQuery analyzeWithSummary(
-      Collection<String> rawQueryTexts, boolean querySanitizationEnabled) {
+      Collection<String> rawQueryTexts, SqlDialect dialect, boolean querySanitizationEnabled) {
     UniqueValue uniqueStoredProcedureName = new UniqueValue();
     Set<String> uniqueQueryTexts = new LinkedHashSet<>();
     UniqueValue uniqueQuerySummary = new UniqueValue();
     for (String rawQueryText : rawQueryTexts) {
-      SqlQuery analyzedQuery = SqlQueryAnalyzerUtil.analyzeWithSummary(rawQueryText);
+      SqlQuery analyzedQuery = SqlQueryAnalyzerUtil.analyzeWithSummary(rawQueryText, dialect);
       uniqueStoredProcedureName.set(analyzedQuery.getStoredProcedureName());
       uniqueQueryTexts.add(querySanitizationEnabled ? analyzedQuery.getQueryText() : rawQueryText);
       uniqueQuerySummary.set(analyzedQuery.getQuerySummary());

instrumentation-api-incubator/src/main/java/io/opentelemetry/instrumentation/api/incubator/semconv/db/SqlClientAttributesExtractor.java

@@ -80,14 +80,15 @@ public static <REQUEST, RESPONSE> SqlClientAttributesExtractorBuilder<REQUEST, R
   @Override
   public void onStart(AttributesBuilder attributes, Context parentContext, REQUEST request) {
     Collection<String> rawQueryTexts = getter.getRawQueryTexts(request);
+    SqlDialect dialect = getter.getSqlDialect(request);
 
     Long batchSize = getter.getDbOperationBatchSize(request);
     boolean isBatch = batchSize != null && batchSize > 1;
 
     if (emitOldDatabaseSemconv()) {
       if (rawQueryTexts.size() == 1) { // for backcompat(?)
         String rawQueryText = rawQueryTexts.iterator().next();
-        SqlQuery analyzedQuery = SqlQueryAnalyzerUtil.analyze(rawQueryText);
+        SqlQuery analyzedQuery = SqlQueryAnalyzerUtil.analyze(rawQueryText, dialect);
         String operationName = analyzedQuery.getOperationName();
         attributes.put(
             DB_STATEMENT, querySanitizationEnabled ? analyzedQuery.getQueryText() : rawQueryText);
@@ -106,7 +107,7 @@ public void onStart(AttributesBuilder attributes, Context parentContext, REQUEST
       boolean shouldSanitize = querySanitizationEnabled && !parameterizedQuery;
       if (rawQueryTexts.size() == 1) {
         String rawQueryText = rawQueryTexts.iterator().next();
-        SqlQuery analyzedQuery = SqlQueryAnalyzerUtil.analyzeWithSummary(rawQueryText);
+        SqlQuery analyzedQuery = SqlQueryAnalyzerUtil.analyzeWithSummary(rawQueryText, dialect);
         attributes.put(DB_QUERY_TEXT, shouldSanitize ? analyzedQuery.getQueryText() : rawQueryText);
         String querySummary = analyzedQuery.getQuerySummary();
         attributes.put(
@@ -115,7 +116,8 @@ public void onStart(AttributesBuilder attributes, Context parentContext, REQUEST
         attributes.put(DB_STORED_PROCEDURE_NAME, analyzedQuery.getStoredProcedureName());
       } else if (rawQueryTexts.size() > 1) {
         MultiQuery multiQuery =
-            MultiQuery.analyzeWithSummary(getter.getRawQueryTexts(request), shouldSanitize);
+            MultiQuery.analyzeWithSummary(
+                getter.getRawQueryTexts(request), dialect, shouldSanitize);
         attributes.put(DB_QUERY_TEXT, join("; ", multiQuery.getQueryTexts()));
         attributes.put(DB_QUERY_SUMMARY, multiQuery.getQuerySummary());
         attributes.put(DB_STORED_PROCEDURE_NAME, multiQuery.getStoredProcedureName());

instrumentation-api-incubator/src/main/java/io/opentelemetry/instrumentation/api/incubator/semconv/db/SqlClientAttributesGetter.java

@@ -52,6 +52,9 @@ default String getDbQuerySummary(REQUEST request) {
     return null;
   }
 
+  /** Returns the SQL dialect used by the database. */
+  SqlDialect getSqlDialect(REQUEST request);
+
   /**
    * Get the raw SQL query texts. The values returned by this method are later sanitized by the
    * {@link SqlClientAttributesExtractor} before being set as span attribute.

instrumentation-api-incubator/src/main/java/io/opentelemetry/instrumentation/api/incubator/semconv/db/SqlDialect.java

@@ -5,9 +5,51 @@
 
 package io.opentelemetry.instrumentation.api.incubator.semconv.db;
 
-/** Enumeration of sql dialects that are handled differently by {@link SqlQueryAnalyzer}. */
-public enum SqlDialect {
-  DEFAULT,
-  // couchbase uses double quotes for string literals
-  COUCHBASE
+import com.google.auto.value.AutoValue;
+
+/** Describes SQL dialect options that affect how {@link SqlQueryAnalyzer} processes queries. */
+@AutoValue
+public abstract class SqlDialect {
+
+  /**
+   * Dialect where double-quoted fragments are treated as string literals and therefore sanitized
+   * (replaced with {@code ?}).
+   *
+   * <p>This is a safer choice if you don't know how the database interprets double-quoted tokens.
+   * If the database actually uses double quotes for identifiers, the downside is that identifier
+   * names are replaced with {@code ?}, reducing diagnostic clarity. By contrast, choosing {@link
+   * #DOUBLE_QUOTES_ARE_IDENTIFIERS} incorrectly would fail to sanitize sensitive string-literal
+   * values.
+   */
+  public static final SqlDialect DOUBLE_QUOTES_ARE_STRING_LITERALS = builder().build();
+
+  /**
+   * Dialect where double-quoted fragments are treated as identifiers (e.g. column/table names) and
+   * therefore left intact during sanitization. Use this only for databases where double quotes
+   * always denote identifiers.
+   */
+  public static final SqlDialect DOUBLE_QUOTES_ARE_IDENTIFIERS =
+      builder().setDoubleQuotesAreIdentifiers(true).build();
+
+  SqlDialect() {}
+
+  static Builder builder() {
+    return new AutoValue_SqlDialect.Builder().setDoubleQuotesAreIdentifiers(false);
+  }
+
+  /**
+   * Returns {@code true} if the dialect uses double quotes for identifiers, {@code false} if double
+   * quotes are used for string literals.
+   */
+  abstract boolean doubleQuotesAreIdentifiers();
+
+  @AutoValue.Builder
+  abstract static class Builder {
+
+    Builder() {}
+
+    abstract Builder setDoubleQuotesAreIdentifiers(boolean doubleQuotesAreIdentifiers);
+
+    abstract SqlDialect build();
+  }
 }

instrumentation-api-incubator/src/main/java/io/opentelemetry/instrumentation/api/incubator/semconv/db/SqlQueryAnalyzer.java

@@ -5,6 +5,7 @@
 
 package io.opentelemetry.instrumentation.api.incubator.semconv.db;
 
+import static io.opentelemetry.instrumentation.api.incubator.semconv.db.SqlDialect.DOUBLE_QUOTES_ARE_STRING_LITERALS;
 import static io.opentelemetry.instrumentation.api.internal.SupportabilityMetrics.CounterNames.SQL_SANITIZER_CACHE_MISS;
 
 import com.google.auto.value.AutoValue;
@@ -33,8 +34,12 @@ private SqlQueryAnalyzer(boolean querySanitizationEnabled) {
     this.querySanitizationEnabled = querySanitizationEnabled;
   }
 
+  /**
+   * @deprecated Use {@link #analyze(String, SqlDialect)} and pass an explicit dialect.
+   */
+  @Deprecated
   public SqlQuery analyze(@Nullable String query) {
-    return analyze(query, SqlDialect.DEFAULT);
+    return analyze(query, DOUBLE_QUOTES_ARE_STRING_LITERALS);
   }
 
   public SqlQuery analyze(@Nullable String query, SqlDialect dialect) {
@@ -56,9 +61,14 @@ private static SqlQuery analyzeImpl(String query, SqlDialect dialect) {
     return AutoSqlSanitizer.sanitize(query, dialect);
   }
 
-  /** Analyze and extract query summary. */
+  /**
+   * Analyze and extract query summary.
+   *
+   * @deprecated Use {@link #analyzeWithSummary(String, SqlDialect)} and pass an explicit dialect.
+   */
+  @Deprecated
   public SqlQuery analyzeWithSummary(@Nullable String query) {
-    return analyzeWithSummary(query, SqlDialect.DEFAULT);
+    return analyzeWithSummary(query, DOUBLE_QUOTES_ARE_STRING_LITERALS);
   }
 
   /** Analyze and extract query summary. */
@@ -82,8 +92,8 @@ private static SqlQuery analyzeWithSummaryImpl(String query, SqlDialect dialect)
   }
 
   // visible for tests
-  static boolean isCached(String query) {
-    return sqlToQueryCache.get(CacheKey.create(query, SqlDialect.DEFAULT)) != null;
+  static boolean isCached(String query, SqlDialect dialect) {
+    return sqlToQueryCache.get(CacheKey.create(query, dialect)) != null;
   }
 
   @AutoValue

instrumentation-api-incubator/src/main/java/io/opentelemetry/instrumentation/api/incubator/semconv/db/SqlQueryAnalyzerUtil.java

@@ -5,6 +5,7 @@
 
 package io.opentelemetry.instrumentation.api.incubator.semconv.db;
 
+import io.opentelemetry.instrumentation.api.incubator.semconv.db.SqlQueryAnalyzer.CacheKey;
 import io.opentelemetry.instrumentation.api.instrumenter.Instrumenter;
 import io.opentelemetry.instrumentation.api.internal.InstrumenterContext;
 import java.util.HashMap;
@@ -17,17 +18,21 @@
 class SqlQueryAnalyzerUtil {
   private static final SqlQueryAnalyzer analyzer = SqlQueryAnalyzer.create(true);
 
-  static SqlQuery analyze(String queryText) {
-    Map<String, SqlQuery> map =
+  static SqlQuery analyze(String queryText, SqlDialect dialect) {
+    Map<CacheKey, SqlQuery> map =
         InstrumenterContext.computeIfAbsent("sanitized-sql-map", unused -> new HashMap<>());
-    return map.computeIfAbsent(queryText, analyzer::analyze);
+    return map.computeIfAbsent(
+        CacheKey.create(queryText, dialect),
+        key -> analyzer.analyze(key.getQueryText(), key.getDialect()));
   }
 
-  static SqlQuery analyzeWithSummary(String queryText) {
-    Map<String, SqlQuery> map =
+  static SqlQuery analyzeWithSummary(String queryText, SqlDialect dialect) {
+    Map<CacheKey, SqlQuery> map =
         InstrumenterContext.computeIfAbsent(
             "sanitized-sql-map-with-summary", unused -> new HashMap<>());
-    return map.computeIfAbsent(queryText, analyzer::analyzeWithSummary);
+    return map.computeIfAbsent(
+        CacheKey.create(queryText, dialect),
+        key -> analyzer.analyzeWithSummary(key.getQueryText(), key.getDialect()));
   }
 
   private SqlQueryAnalyzerUtil() {}

instrumentation-api-incubator/src/main/jflex/SqlSanitizer.jflex

@@ -45,7 +45,7 @@ WHITESPACE           = [ \t\r\n]+
 %{
   static SqlQuery sanitize(String statement, SqlDialect dialect) {
     AutoSqlSanitizer sanitizer = new AutoSqlSanitizer(new java.io.StringReader(statement));
-    sanitizer.dialect = dialect;
+    sanitizer.doubleQuotesAreIdentifiers = dialect.doubleQuotesAreIdentifiers();
     try {
       while (!sanitizer.yyatEOF()) {
         int token = sanitizer.yylex();
@@ -119,7 +119,7 @@ WHITESPACE           = [ \t\r\n]+
   private boolean insideComment = false;
   private Operation operation = NoOp.INSTANCE;
   private boolean extractionDone = false;
-  private SqlDialect dialect;
+  private boolean doubleQuotesAreIdentifiers;
 
   private void setOperation(Operation operation) {
     if (this.operation == NoOp.INSTANCE) {
@@ -560,13 +560,21 @@ WHITESPACE           = [ \t\r\n]+
       }
 
   {DOUBLE_QUOTED_STR} {
-          if (dialect == SqlDialect.COUCHBASE) {
-            builder.append('?');
-          } else {
-            if (!insideComment && !extractionDone) {
-              extractionDone = operation.handleIdentifier();
-            }
+          // Always notify the operation about double-quoted tokens regardless of dialect so
+          // that table name extraction works correctly even when the dialect treats them as
+          // string literals. For example, SELECT * FROM "my_table" should extract the table
+          // name "my_table" whether or not the dialect sanitizes the token.
+          //
+          // The extractionDone guard ensures handleIdentifier() is a no-op once extraction
+          // is complete, so there is no risk of leaking sensitive string content into the
+          // span name.
+          if (!insideComment && !extractionDone) {
+            extractionDone = operation.handleIdentifier();
+          }
+          if (doubleQuotesAreIdentifiers) {
             appendCurrentFragment();
+          } else {
+            builder.append('?');
           }
           if (isOverLimit()) return YYEOF;
       }

instrumentation-api-incubator/src/main/jflex/SqlSanitizerWithSummary.jflex

@@ -1094,13 +1094,21 @@ WHITESPACE           = [ \t\r\n]+
       }
 
   {DOUBLE_QUOTED_STR} {
-          if (dialect == SqlDialect.COUCHBASE) {
-            builder.append('?');
-          } else {
-            if (!insideComment) {
-              operation.handleIdentifier();
-            }
+          if (!insideComment) {
+            // Always notify the operation about double-quoted tokens regardless of dialect so
+            // that summarization works correctly even when the dialect treats them as string
+            // literals. For example, SELECT * FROM "my_table" should produce the summary
+            // "SELECT my_table" whether or not the dialect sanitizes the token.
+            //
+            // The operation's own state guards (e.g. identifierCaptured, captureTableList)
+            // ensure handleIdentifier() is a no-op when not structurally expected, so there
+            // is no risk of leaking sensitive string content into the summary.
+            operation.handleIdentifier();
+          }
+          if (dialect.doubleQuotesAreIdentifiers()) {
             appendCurrentFragment();
+          } else {
+            builder.append('?');
           }
           if (isOverLimit()) return YYEOF;
       }