Improve sanitization for list of URI types

Prior to this commit, Actuator would sanitize properties values when
serializing them on the dedicated endpoint. Keys like "password" or
"secret" are entirely sanitized, but other keys like "uri" or "address"
are considered as URI types and only the password part of the user info
is sanitized.

This commit fixes the sanitization process where lists of such URI types
would not match the first entries of the list since they're starting
with `'['`. This commit improves the regexp matching process to sanitize
all URIs within a collection.

The documentation is also updated to better underline the processing
difference between complete sanitization and selective sanitization for
URIs.

Fixes gh-23037
pull/23445/head
David Good 4 years ago committed by Brian Clozel
parent e4691a4c61
commit 775f0fa861

@ -37,6 +37,7 @@ import org.springframework.util.StringUtils;
* @author Stephane Nicoll * @author Stephane Nicoll
* @author HaiTao Zhang * @author HaiTao Zhang
* @author Chris Bono * @author Chris Bono
* @author David Good
* @since 2.0.0 * @since 2.0.0
*/ */
public class Sanitizer { public class Sanitizer {
@ -49,7 +50,7 @@ public class Sanitizer {
private static final Set<String> URI_USERINFO_KEYS = new LinkedHashSet<>( private static final Set<String> URI_USERINFO_KEYS = new LinkedHashSet<>(
Arrays.asList("uri", "uris", "address", "addresses")); Arrays.asList("uri", "uris", "address", "addresses"));
private static final Pattern URI_USERINFO_PATTERN = Pattern.compile("[A-Za-z]+://.+:(.*)@.+$"); private static final Pattern URI_USERINFO_PATTERN = Pattern.compile("\\[?[A-Za-z]+://.+:(.*)@.+$");
private Pattern[] keysToSanitize; private Pattern[] keysToSanitize;

@ -30,6 +30,7 @@ import static org.assertj.core.api.Assertions.assertThat;
* @author Phillip Webb * @author Phillip Webb
* @author Stephane Nicoll * @author Stephane Nicoll
* @author Chris Bono * @author Chris Bono
* @author David Good
*/ */
class SanitizerTests { class SanitizerTests {
@ -105,6 +106,22 @@ class SanitizerTests {
.isEqualTo("http://user1:******@localhost:8080,http://user2:******@localhost:8082"); .isEqualTo("http://user1:******@localhost:8080,http://user2:******@localhost:8082");
} }
@ParameterizedTest(name = "key = {0}")
@MethodSource("matchingUriUserInfoKeys")
void uriKeyWithUserProvidedListLiteralShouldBeSanitized(String key) {
Sanitizer sanitizer = new Sanitizer();
assertThat(sanitizer.sanitize(key, "[amqp://username:password@host/]"))
.isEqualTo("[amqp://username:******@host/]");
assertThat(sanitizer.sanitize(key,
"[http://user1:password1@localhost:8080,http://user2@localhost:8082,http://localhost:8083]")).isEqualTo(
"[http://user1:******@localhost:8080,http://user2@localhost:8082,http://localhost:8083]");
assertThat(sanitizer.sanitize(key,
"[http://user1:password1@localhost:8080,http://user2:password2@localhost:8082]"))
.isEqualTo("[http://user1:******@localhost:8080,http://user2:******@localhost:8082]");
assertThat(sanitizer.sanitize(key, "[http://user1@localhost:8080,http://user2@localhost:8082]"))
.isEqualTo("[http://user1@localhost:8080,http://user2@localhost:8082]");
}
private static Stream<String> matchingUriUserInfoKeys() { private static Stream<String> matchingUriUserInfoKeys() {
return Stream.of("uri", "my.uri", "myuri", "uris", "my.uris", "myuris", "address", "my.address", "myaddress", return Stream.of("uri", "my.uri", "myuri", "uris", "my.uris", "myuris", "address", "my.address", "myaddress",
"addresses", "my.addresses", "myaddresses"); "addresses", "my.addresses", "myaddresses");

@ -2227,10 +2227,13 @@ Information returned by the `env` and `configprops` endpoints can be somewhat se
The patterns to use can be customized using the `management.endpoint.env.keys-to-sanitize` and `management.endpoint.configprops.keys-to-sanitize` respectively. The patterns to use can be customized using the `management.endpoint.env.keys-to-sanitize` and `management.endpoint.configprops.keys-to-sanitize` respectively.
Spring Boot uses sensible defaults for such keys: any key ending with the word "password", "secret", "key", "token", "vcap_services", "sun.java.command", "uri", "uris", "address" or "addresses" is sanitized. Spring Boot uses sensible defaults for such keys: any key ending with the word "password", "secret", "key", "token", "vcap_services", "sun.java.command" is entirely sanitized.
Additionally, any key that holds the word `credentials` as part of the key is sanitized (configured as a regular expression, i.e. `+*credentials.*+`). Additionally, any key that holds the word `credentials` as part of the key is sanitized (configured as a regular expression, i.e. `+*credentials.*+`).
If any of the keys to sanitize are URI format (i.e. `<scheme>://<username>:<password>@<host>:<port>/`), only the password part is sanitized. Furthermore, Spring Boot only sanitizes the sensitive portion of URIs for keys which end with "uri", "uris", "address", or "addresses".
The sensitive portion of the URI is identified using the format `<scheme>://<username>:<password>@<host>:<port>/`.
For example, for the property `myclient.uri=http://user1:password1@localhost:8081`, the resulting sanitized value is
`++http://user1:******@localhost:8081++`.

Loading…
Cancel
Save