Sanitize sensitive portion of the value of url and urls keys

Closes gh-25387
pull/25411/head
Andy Wilkinson 4 years ago
parent e3ad6b5c35
commit 10ef991e1d

@ -1,5 +1,5 @@
/*
* Copyright 2012-2020 the original author or authors.
* Copyright 2012-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -48,7 +48,7 @@ public class Sanitizer {
"key", "token", ".*credentials.*", "vcap_services", "sun.java.command"));
private static final Set<String> URI_USERINFO_KEYS = new LinkedHashSet<>(
Arrays.asList("uri", "uris", "address", "addresses"));
Arrays.asList("uri", "uris", "url", "urls", "address", "addresses"));
private static final Pattern URI_USERINFO_PATTERN = Pattern.compile("\\[?[A-Za-z]+://.+:(.*)@.+$");

@ -1,5 +1,5 @@
/*
* Copyright 2012-2020 the original author or authors.
* Copyright 2012-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -123,8 +123,8 @@ class SanitizerTests {
}
private static Stream<String> matchingUriUserInfoKeys() {
return Stream.of("uri", "my.uri", "myuri", "uris", "my.uris", "myuris", "address", "my.address", "myaddress",
"addresses", "my.addresses", "myaddresses");
return Stream.of("uri", "my.uri", "myuri", "uris", "my.uris", "myuris", "url", "my.url", "myurl", "urls",
"my.urls", "myurls", "address", "my.address", "myaddress", "addresses", "my.addresses", "myaddresses");
}
@Test

@ -2340,7 +2340,15 @@ The patterns to use can be customized using the `management.endpoint.env.keys-to
Spring Boot uses sensible defaults for such keys: any key ending with the word "password", "secret", "key", "token", "vcap_services", "sun.java.command" is entirely sanitized.
Additionally, any key that holds the word `credentials` as part of the key is sanitized (configured as a regular expression, i.e. `+*credentials.*+`).
Furthermore, Spring Boot only sanitizes the sensitive portion of URIs for keys which end with "uri", "uris", "address", or "addresses".
Furthermore, Spring Boot only sanitizes the sensitive portion of URI-like values for keys with one of the following endings:
- `address`
- `addresses`
- `uri`
- `uris`
- `url`
- `urls`
The sensitive portion of the URI is identified using the format `<scheme>://<username>:<password>@<host>:<port>/`.
For example, for the property `myclient.uri=http://user1:password1@localhost:8081`, the resulting sanitized value is
`++http://user1:******@localhost:8081++`.

Loading…
Cancel
Save