When monitoring a .NET application, the app owner expressed concerns that sensitive data is visible to the APM users in the Investigator and requested that such information not be recorded. Specifically, the username and password used to connect to a database instance are shown as part of a metric name, for example:
Backends| on -3306 user <username>;password <password>
Environment
Release : 10.7.0
Component : APM Agents
Cause
The application makes a connection to MySQL, and the documented connection information puts the username and password in the connection string, for example
It appears that the whole connection string is processed as the database name, so the username and password are posted as part of the metric names.
Resolution
A workaround was supplied: change the references in the PBD files so that the database name is hard-coded. The update was required in both sqlagent.pbd and errors.pbd.
Essentially, all references to {database} were replaced by a selected DB name. For example, to fix the name as MyDB, you would change the lines
from
TraceOneMethodIfFlagged: SQLAgentConnections Open SqlMethodTraceIncrementor "Backends|{database}:Connection Count"
to
TraceOneMethodIfFlagged: SQLAgentConnections Open SqlMethodTraceIncrementor "Backends|MyDB:Connection Count"
The limitation of this is that it will not report communications where there are multiple databases/datasources; everything will be collected under the name you choose.
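The same replacement can be scripted so that both files get the identical fixed name. The following is an added example, not part of the original article or of the vendor's tooling; the function names, the `.orig` backup suffix, the sample PBD text and the rule that the chosen name must not contain `|` or `:` are assumptions of this example.

```python
from pathlib import Path

PLACEHOLDER = "{database}"
RESERVED = set("|:")  # assumed: '|' splits metric path segments, ':' precedes the metric name

# Constructed sample: the directive quoted in the article plus a comment and a flag line.
SAMPLE_PBD = (
    "# original metric name pattern: Backends|{database}:Connection Count\n"
    "SetFlag: SQLAgentConnections\n"
    'TraceOneMethodIfFlagged: SQLAgentConnections Open SqlMethodTraceIncrementor '
    '"Backends|{database}:Connection Count"\n'
)

def pin_database_name(pbd_text, db_name):
    """Return (new_text, changed_lines) with {database} hard-coded to db_name."""
    if not db_name or RESERVED & set(db_name):
        raise ValueError("db_name must be non-empty and free of '|' and ':'")
    out, changed = [], 0
    for line in pbd_text.splitlines(keepends=True):
        # Skip comment lines so the original pattern stays visible as documentation.
        if PLACEHOLDER in line and not line.lstrip().startswith("#"):
            line = line.replace(PLACEHOLDER, db_name)
            changed += 1
        out.append(line)
    return "".join(out), changed

def pin_files(paths, db_name):
    """Rewrite each PBD in place, saving <name>.orig first; return {name: changed_lines}."""
    report = {}
    for path in map(Path, paths):
        original = path.read_text(encoding="utf-8")
        updated, changed = pin_database_name(original, db_name)
        if changed:
            # Keep the untouched file so the workaround can be rolled back.
            Path(str(path) + ".orig").write_text(original, encoding="utf-8")
            path.write_text(updated, encoding="utf-8")
        report[path.name] = changed
    return report

if __name__ == "__main__":
    text, count = pin_database_name(SAMPLE_PBD, "MyDB")
    print(f"{count} directive line(s) rewritten")
    print(text, end="")
```

Run `pin_files` against copies of sqlagent.pbd and errors.pbd, and check that neither file still contains `{database}` outside comment lines.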
The problem was not investigated further than this at this time.
Additional Information
Information from MySQL developer guides about .NET connection strings