From 7829593746070a9782413e63e1da7c5f08991db3 Mon Sep 17 00:00:00 2001
From: Madhura Bhave
Date: Fri, 23 Aug 2019 18:09:48 -0700
Subject: [PATCH] Polish "Sanitize password in URI properties"
See gh-17939
---
 .../boot/actuate/endpoint/Sanitizer.java | 19 +++++++------------
 ...gurationPropertiesReportEndpointTests.java | 2 +-
 .../boot/actuate/endpoint/SanitizerTests.java | 13 +++++++++++++
 3 files changed, 21 insertions(+), 13 deletions(-)
diff --git a/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java b/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java
index ffab6c7fe8..6a72d25d8c 100644
--- a/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java
+++ b/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java
@@ -16,7 +16,7 @@ package org.springframework.boot.actuate.endpoint;
-import java.net.URI;
+import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import org.springframework.util.Assert;
@@ -38,6 +38,8 @@ public class Sanitizer {
 private static final String[] REGEX_PARTS = { "*", "$", "^", "+" };
+ private static final Pattern URI_USERINFO_PATTERN = Pattern.compile("[A-Za-z]+://.+:(.*)@.+$");
+
 private Pattern[] keysToSanitize;
 public Sanitizer() {
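Review bot: The new `URI_USERINFO_PATTERN` lets the greedy `.+` run past colons, so the captured group starts at the last `:` before the `@` and any earlier part of the password is left in the output; for a constructed value like `http://user:pa:ss@localhost:8080` the capture is `ss`, and `sanitizeUri` in the next hunk, which keys its replacement on that capture, returns `http://user:pa:******@localhost:8080`. The removed code took the user name as everything before the first `:` and masked the rest, so this is a regression for passwords containing `:` (allowed unescaped in RFC 3986 userinfo) and likewise for `@`. Bounding the user name instead of the password fixes it while keeping the `user://@` case in SanitizerTests green: `private static final Pattern URI_USERINFO_PATTERN = Pattern.compile("[A-Za-z]+://[^:@]*:(.*)@.+$");`. A short comment above the constant saying that group 1 must capture the whole password because the replacement below is built from it would make that coupling visible.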
@@ -99,17 +101,10 @@ public class Sanitizer {
 }
 private Object sanitizeUri(Object value) {
- URI uri = URI.create(value.toString());
- String userInfo = uri.getUserInfo();
- if (!StringUtils.hasText(userInfo) || userInfo.split(":").length == 0) {
- return value;
- }
- String[] parts = userInfo.split(":");
- String userName = parts[0];
- if (StringUtils.hasText(userName)) {
- String sanitizedPassword = "******";
- return uri.getScheme() + "://" + userName + ":" + sanitizedPassword + "@" + uri.getHost() + ":"
- + uri.getPort() + uri.getPath();
+ Matcher matcher = URI_USERINFO_PATTERN.matcher(value.toString());
+ String password = matcher.matches() ? matcher.group(1) : null;
+ if (password != null) {
+ return StringUtils.replace(value.toString(), ":" + password + "@", ":******@");
 }
 return value;
 }
diff --git a/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/context/properties/ConfigurationPropertiesReportEndpointTests.java b/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/context/properties/ConfigurationPropertiesReportEndpointTests.java
index 7e15053f94..cd9e316bf5 100644
--- a/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/context/properties/ConfigurationPropertiesReportEndpointTests.java
+++ b/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/context/properties/ConfigurationPropertiesReportEndpointTests.java
@@ -286,7 +286,7 @@ class ConfigurationPropertiesReportEndpointTests {
 private URI sensitiveUri = URI.create("http://user:password@localhost:8080");
- private URI noPasswordUri = URI.create("http://user:p@localhost:8080");
+ private URI noPasswordUri = URI.create("http://user:@localhost:8080");
 TestProperties() {
 this.secrets.put("mine", "myPrivateThing");
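Review bot: In `sanitizeUri`, `password != null` can never be false once `matcher.matches()` is true, because a `(.*)` group always captures (possibly empty) text, so the null sentinel only restates the match result, and `value.toString()` is evaluated twice. A more direct shape is `String uri = value.toString(); Matcher matcher = URI_USERINFO_PATTERN.matcher(uri);` followed by `return matcher.matches() ? StringUtils.replace(uri, ":" + matcher.group(1) + "@", ":******@") : value;`. Note that an empty capture (as for `http://user:@host`) still takes the replace branch and yields `user:******@`, which appears to be what the renamed `noPasswordUri` fixture in the next hunk exercises; a one-line comment such as `// an empty password is still masked so that the presence of a ':' is not disclosed` would record that this is intentional rather than incidental.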
diff --git a/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java b/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java
index 62ef9447d0..deeab48b57 100644
--- a/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java
+++ b/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java
@@ -44,6 +44,19 @@ class SanitizerTests {
 .isEqualTo("http://user:******@localhost:8080");
 }
+ @Test
+ void uriWithNoPasswordShouldNotBeSanitized() {
+ Sanitizer sanitizer = new Sanitizer();
+ assertThat(sanitizer.sanitize("my.uri", "http://localhost:8080")).isEqualTo("http://localhost:8080");
+ }
+
+ @Test
+ void uriWithPasswordMatchingOtherPartsOfString() {
+ Sanitizer sanitizer = new Sanitizer();
+ assertThat(sanitizer.sanitize("my.uri", "http://user://@localhost:8080"))
+ .isEqualTo("http://user:******@localhost:8080");
+ }
+
 @Test
 void regex() {
 Sanitizer sanitizer = new Sanitizer(".*lock.*");
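Review bot: The two new tests cover a URI without userinfo and a password made of `//`, but not a password that itself contains `:` or `@`, which is the case where the greedy `.+:` prefix of `URI_USERINFO_PATTERN` picks the wrong delimiter (raised on the Sanitizer.java hunk); by my reading the constructed value `http://user:pa:ss@localhost:8080` currently comes back as `http://user:pa:******@localhost:8080`. A test pinning the intended result, `assertThat(sanitizer.sanitize("my.uri", "http://user:pa:ss@localhost:8080")).isEqualTo("http://user:******@localhost:8080");`, would both document the contract and guard the regex fix. As a naming point, `uriWithPasswordMatchingOtherPartsOfString` states the input but not the expectation, unlike its sibling `uriWithNoPasswordShouldNotBeSanitized`; `uriWithPasswordMatchingOtherPartsOfStringShouldOnlySanitizeUserInfo` would read consistently.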