Polish "Sanitize password in URI properties"

See gh-17939
5 years ago · 7829593746
parent d49a2ec98e
commit 7829593746
3 changed files with 21 additions and 13 deletions
--- a/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java
+++ b/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java
@ -16,7 +16,7 @@

 package org.springframework.boot.actuate.endpoint;

-import java.net.URI;
+import java.util.regex.Matcher;
 import java.util.regex.Pattern;

 import org.springframework.util.Assert;
@ -38,6 +38,8 @@ public class Sanitizer {

 	private static final String[] REGEX_PARTS = { "*", "$", "^", "+" };

+	private static final Pattern URI_USERINFO_PATTERN = Pattern.compile("[A-Za-z]+://.+:(.*)@.+$");
+
 	private Pattern[] keysToSanitize;

 	public Sanitizer() {
@ -99,17 +101,10 @@ public class Sanitizer {
 	}

 	private Object sanitizeUri(Object value) {
-		URI uri = URI.create(value.toString());
-		String userInfo = uri.getUserInfo();
-		if (!StringUtils.hasText(userInfo) || userInfo.split(":").length == 0) {
-			return value;
-		}
-		String[] parts = userInfo.split(":");
-		String userName = parts[0];
-		if (StringUtils.hasText(userName)) {
-			String sanitizedPassword = "******";
-			return uri.getScheme() + "://" + userName + ":" + sanitizedPassword + "@" + uri.getHost() + ":"
-					+ uri.getPort() + uri.getPath();
+		Matcher matcher = URI_USERINFO_PATTERN.matcher(value.toString());
+		String password = matcher.matches() ? matcher.group(1) : null;
+		if (password != null) {
+			return StringUtils.replace(value.toString(), ":" + password + "@", ":******@");
 		}
 		return value;
 	}
--- a/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/context/properties/ConfigurationPropertiesReportEndpointTests.java
+++ b/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/context/properties/ConfigurationPropertiesReportEndpointTests.java
@ -286,7 +286,7 @@ class ConfigurationPropertiesReportEndpointTests {

 		private URI sensitiveUri = URI.create("http://user:password@localhost:8080");

-		private URI noPasswordUri = URI.create("http://user:p@localhost:8080");
+		private URI noPasswordUri = URI.create("http://user:@localhost:8080");

 		TestProperties() {
 			this.secrets.put("mine", "myPrivateThing");
--- a/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java
+++ b/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java
@ -44,6 +44,19 @@ class SanitizerTests {
 				.isEqualTo("http://user:******@localhost:8080");
 	}

+	@Test
+	void uriWithNoPasswordShouldNotBeSanitized() {
+		Sanitizer sanitizer = new Sanitizer();
+		assertThat(sanitizer.sanitize("my.uri", "http://localhost:8080")).isEqualTo("http://localhost:8080");
+	}
+
+	@Test
+	void uriWithPasswordMatchingOtherPartsOfString() {
+		Sanitizer sanitizer = new Sanitizer();
+		assertThat(sanitizer.sanitize("my.uri", "http://user://@localhost:8080"))
+				.isEqualTo("http://user:******@localhost:8080");
+	}
+
 	@Test
 	void regex() {
 		Sanitizer sanitizer = new Sanitizer(".*lock.*");