Redact Elasticsearch Passwords from Microsoft Azure Application Insights Using C#

Written by Ken Dale

We use Microsoft Azure Application Insights in our web applications. It logs tons of useful data about our applications, including web requests and requests to dependencies like databases. We also use Elasticsearch communicating over HTTPS. When an Elasticsearch url contains a password (https://user:passw0rd@example.com) we found it is logged to Application Insights in cleartext.

That said, here’s how to redact the password from any urls containing passwords:

Code

Here’s an ITelemetryProcessor implementation that redacts passwords from HTTP and HTTPS urls.

using Microsoft.ApplicationInsights.Channel;
using Microsoft.ApplicationInsights.DataContracts;
using Microsoft.ApplicationInsights.Extensibility;
using System.Text.RegularExpressions;

namespace WebApplication
{
    public class RemoveHttpUrlPasswordsTelemetry : ITelemetryProcessor
    {
        private static readonly Regex removePasswordRegex =
            new Regex(@"http(s)?:\/\/.+:(?<password>.+)@", RegexOptions.IgnoreCase | RegexOptions.Compiled);

        private readonly ITelemetryProcessor next;

        public RemoveHttpUrlPasswordsTelemetry(ITelemetryProcessor next)
        {
            this.next = next;
        }

        public void Process(ITelemetry item)
        {
            var request = item as DependencyTelemetry;

            if (request != null && request.Type == "Http")
            {
#pragma warning disable CS0618 // Type or member is obsolete
                request.CommandName = RemovePasswordFromUrl(request.CommandName);
#pragma warning restore CS0618 // Type or member is obsolete
                request.Data = RemovePasswordFromUrl(request.Data);
            }

            next.Process(item);
        }

        private static string RemovePasswordFromUrl(string url)
        {
            var match = removePasswordRegex.Match(url).Groups["password"];

            if (match.Success)
            {
                url = url.Replace(match.Value, "REDACTED");
            }

            return url;
        }
    }
}

Next, use the RemoveHttpUrlPasswordsTelemetry class with Application Insights. There’s ASP.NET and ASP.NET Core examples at https://docs.microsoft.com/en-us/azure/azure-monitor/app/api-filtering-sampling#filtering-itelemetryprocessor.

This can help raise your security by not storing passwords in logs!

Leveling Up Your Project Testing with tSQLt Unit Tests for SQL Queries

Creating A Pagination Component With Astro

Generating your own fonts with Fantasicon

Using custom elements and pinia with Vue 3

RIMdev Radio: Building with Astro

Recreating the Spotify "Like" Button

.finally understanding the promise chain

Vertical Alignment Bug with Icons

Building an Online Store with Platform UI and Hugo

Welcome to Platform UI - our CSS framework

Animated Scroll Effects

Targeting Devices For Hover Effects: A web developer's journey

Getting to work on your new Apple Silicon Macbook Pro

UX Writing Lessons for Technical Writers

Creating RSS Feeds Using Hugo

CSS Custom Properties

Get branching with Git

Prettifying Long Commit Histories with Git

Hugo Archetypes to the Rescue!

CSS Only Dropdown Menu

Redact Elasticsearch Passwords from Microsoft Azure Application Insights Using C#

Code

Published August 09, 2019 by

Suggested Reading

Namespace changes with Entity Framework 6 migrations

Fixing slow logins

OrderBy Distinct Gotcha

A Year of Open Source (2016)

What Is A Renaissance And What Does It Have To Do With .Net?

DbDataReader and SQL Server Data Chunking

Search

Redact Elasticsearch Passwords from Microsoft Azure Application Insights Using C#

Code

Published August 09, 2019 by

Suggested Reading