From bafa9c47846c60ad7b8e7a942d5380fc2cdffa93 Mon Sep 17 00:00:00 2001
From: Billy Tobon
Date: Fri, 23 Jul 2021 15:10:29 -0400
Subject: [PATCH 1/2] Sanitize URIs with non-alpha characters in their schemes
See gh-27482
---
 .../org/springframework/boot/actuate/endpoint/Sanitizer.java | 2 +-
 .../springframework/boot/actuate/endpoint/SanitizerTests.java | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java b/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java
index d0c2e73539..d6956b337a 100644
--- a/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java
+++ b/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java
@@ -50,7 +50,7 @@ public class Sanitizer {
 private static final Set URI_USERINFO_KEYS = new LinkedHashSet<>(
 Arrays.asList("uri", "uris", "address", "addresses"));
- private static final Pattern URI_USERINFO_PATTERN = Pattern.compile("\\[?[A-Za-z]+://.+:(.*)@.+$");
+ private static final Pattern URI_USERINFO_PATTERN = Pattern.compile("^[A-Za-z][A-Za-z0-9\\+\\.\\-]+://.+:(.*)@.+$");
 private Pattern[] keysToSanitize;
diff --git a/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java b/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java
index 0a8f0b22cf..4da21fe1d3 100644
--- a/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java
+++ b/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java
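Review bot: The new scheme expression `[A-Za-z][A-Za-z0-9\\+\\.\\-]+` on the added line requires at least two scheme characters, so a single-letter scheme such as `a://user:password@host` no longer matches and its password is presumably left unmasked, whereas RFC 3986 defines a scheme as one ALPHA followed by zero or more of those characters. The second quantifier should be `*`, i.e. `Pattern.compile("^[A-Za-z][A-Za-z0-9\\+\\.\\-]*://.+:(.*)@.+$")`. The same `+` quantifier is carried over unchanged into the polish commit's hunk `@@ -50,7 +50,8 @@` for Sanitizer.java, so the fix belongs in the final form of the constant there.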
@@ -52,8 +52,8 @@ class SanitizerTests {
 @MethodSource("matchingUriUserInfoKeys")
 void uriWithSingleValueWithPasswordShouldBeSanitized(String key) {
 Sanitizer sanitizer = new Sanitizer();
- assertThat(sanitizer.sanitize(key, "http://user:password@localhost:8080"))
- .isEqualTo("http://user:******@localhost:8080");
+ assertThat(sanitizer.sanitize(key, "view-source://user:password@localhost:8080"))
+ .isEqualTo("view-source://user:******@localhost:8080");
 }
 @ParameterizedTest(name = "key = {0}")
From 388068cdffee8bb197bc0ebeeb9e79245c8fe6eb Mon Sep 17 00:00:00 2001
From: Andy Wilkinson
Date: Mon, 26 Jul 2021 11:13:58 +0100
Subject: [PATCH 2/2] Polish "Sanitize URIs with non-alpha characters in their schemes"
See gh-27482
---
 .../boot/actuate/endpoint/Sanitizer.java | 5 +++--
 .../boot/actuate/endpoint/SanitizerTests.java | 14 +++++++++++---
 2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java b/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java
index d6956b337a..3dd5451cf2 100644
--- a/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java
+++ b/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2020 the original author or authors.
+ * Copyright 2012-2021 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -50,7 +50,8 @@ public class Sanitizer {
 private static final Set URI_USERINFO_KEYS = new LinkedHashSet<>(
 Arrays.asList("uri", "uris", "address", "addresses"));
- private static final Pattern URI_USERINFO_PATTERN = Pattern.compile("^[A-Za-z][A-Za-z0-9\\+\\.\\-]+://.+:(.*)@.+$");
+ private static final Pattern URI_USERINFO_PATTERN = Pattern
+ .compile("^\\[?[A-Za-z][A-Za-z0-9\\+\\.\\-]+://.+:(.*)@.+$");
 private Pattern[] keysToSanitize;
diff --git a/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java b/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java
index 4da21fe1d3..10bc768747 100644
--- a/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java
+++ b/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2020 the original author or authors.
+ * Copyright 2012-2021 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
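Review bot: On the added `.compile(...)` line the greedy `.+:` ahead of `(.*)` binds to the last `:` that still leaves an `@` to its right, so a password containing a colon is only partly captured: for `http://user:pa:ss@host` group 1 is `ss`, and given that the tests expect the captured group to become `******`, the masked value would read `http://user:pa:******@host`, exposing part of the secret. Making that quantifier reluctant, `.compile("^\\[?[A-Za-z][A-Za-z0-9\\+\\.\\-]+://.+?:(.*)@.+$")`, starts the capture at the first `:` after `//` while the greedy `(.*)` still runs to the last `@`, so the expectations in SanitizerTests are unaffected. This behaviour predates the commit, but the constant is being rewritten here anyway. The constant also deserves a one-line comment on what it masks, e.g. `// Masks the password in scheme://user:password@host...; userinfo without a ':' (scheme://token@host) is not matched`.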
@@ -52,8 +52,16 @@ class SanitizerTests {
 @MethodSource("matchingUriUserInfoKeys")
 void uriWithSingleValueWithPasswordShouldBeSanitized(String key) {
 Sanitizer sanitizer = new Sanitizer();
- assertThat(sanitizer.sanitize(key, "view-source://user:password@localhost:8080"))
- .isEqualTo("view-source://user:******@localhost:8080");
+ assertThat(sanitizer.sanitize(key, "http://user:password@localhost:8080"))
+ .isEqualTo("http://user:******@localhost:8080");
+ }
+
+ @ParameterizedTest(name = "key = {0}")
+ @MethodSource("matchingUriUserInfoKeys")
+ void uriWithNonAlphaSchemeCharactersAndSingleValueWithPasswordShouldBeSanitized(String key) {
+ Sanitizer sanitizer = new Sanitizer();
+ assertThat(sanitizer.sanitize(key, "s-ch3m.+-e://user:password@localhost:8080"))
+ .isEqualTo("s-ch3m.+-e://user:******@localhost:8080");
 }
 @ParameterizedTest(name = "key = {0}")
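Review bot: The added test `uriWithNonAlphaSchemeCharactersAndSingleValueWithPasswordShouldBeSanitized` covers digits, `.`, `+` and `-` in the scheme, but nothing in this hunk exercises the optional leading `[` that the polish commit restores to the pattern as `^\\[?`, so that part of the change is unverified. A sibling test passing `[http://user:password@localhost:8080]` and expecting `[http://user:******@localhost:8080]` would pin it (expected value inferred from how the existing assertions mask the captured group; confirm against the sanitizer's replacement logic, which is outside this hunk). The test class continues past the end of the hunk.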