Sanitize sensitive portion of the value of url and urls keys

Closes gh-25387
4 years ago · 10ef991e1d
parent e3ad6b5c35
commit 10ef991e1d
3 changed files with 14 additions and 6 deletions
--- a/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java
+++ b/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2020 the original author or authors.
+ * Copyright 2012-2021 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -48,7 +48,7 @@ public class Sanitizer {
 			"key", "token", ".*credentials.*", "vcap_services", "sun.java.command"));
 	private static final Set<String> URI_USERINFO_KEYS = new LinkedHashSet<>(
-			Arrays.asList("uri", "uris", "address", "addresses"));
+			Arrays.asList("uri", "uris", "url", "urls", "address", "addresses"));
 	private static final Pattern URI_USERINFO_PATTERN = Pattern.compile("\\[?[A-Za-z]+://.+:(.*)@.+$");
--- a/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java
+++ b/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2020 the original author or authors.
+ * Copyright 2012-2021 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -123,8 +123,8 @@ class SanitizerTests {
 	}
 	private static Stream<String> matchingUriUserInfoKeys() {
-		return Stream.of("uri", "my.uri", "myuri", "uris", "my.uris", "myuris", "address", "my.address", "myaddress",
+		return Stream.of("uri", "my.uri", "myuri", "uris", "my.uris", "myuris", "url", "my.url", "myurl", "urls",
-				"addresses", "my.addresses", "myaddresses");
+				"my.urls", "myurls", "address", "my.address", "myaddress", "addresses", "my.addresses", "myaddresses");
 	}
 	@Test
--- a/spring-boot-project/spring-boot-docs/src/docs/asciidoc/howto.adoc
+++ b/spring-boot-project/spring-boot-docs/src/docs/asciidoc/howto.adoc
@ -2340,7 +2340,15 @@ The patterns to use can be customized using the `management.endpoint.env.keys-to
 Spring Boot uses sensible defaults for such keys: any key ending with the word "password", "secret", "key", "token", "vcap_services", "sun.java.command" is entirely sanitized.
 Additionally, any key that holds the word `credentials` as part of the key is sanitized (configured as a regular expression, i.e. `+*credentials.*+`).
-Furthermore, Spring Boot only sanitizes the sensitive portion of URIs for keys which end with "uri", "uris", "address", or "addresses".
+Furthermore, Spring Boot only sanitizes the sensitive portion of URI-like values for keys with one of the following endings:
 - `address`
 - `addresses`
 - `uri`
 - `uris`
 - `url`
 - `urls`
 The sensitive portion of the URI is identified using the format `<scheme>://<username>:<password>@<host>:<port>/`.
 For example, for the property `myclient.uri=http://user1:password1@localhost:8081`, the resulting sanitized value is
 `++http://user1:******@localhost:8081++`.