From b68b3737d77fa635944cb185b56996faa5c21b04 Mon Sep 17 00:00:00 2001
From: Phillip Webb
Date: Thu, 14 Oct 2021 12:22:57 -0700
Subject: [PATCH] Sanitize flattened VCAP_SERVICES properties

Update `Sanitizer` to also include flattened `vcap.services.*` properties.

Fixes gh-28085
---
 .../org/springframework/boot/actuate/endpoint/Sanitizer.java | 4 ++--
 .../springframework/boot/actuate/endpoint/SanitizerTests.java | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java b/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java
index a031592ef9..40786375db 100644
--- a/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java
+++ b/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java
@@ -45,8 +45,8 @@ public class Sanitizer {
 	private static final String[] REGEX_PARTS = { "*", "$", "^", "+" };
 
 	private static final Set DEFAULT_KEYS_TO_SANITIZE = new LinkedHashSet<>(
-			Arrays.asList("password", "secret", "key", "token", ".*credentials.*", "vcap_services", "sun.java.command",
-					"^spring[\\._]application[\\\\._]json$"));
+			Arrays.asList("password", "secret", "key", "token", ".*credentials.*", "vcap_services",
+					"^vcap\\.services.*$", "sun.java.command", "^spring[\\._]application[\\\\._]json$"));
 
 	private static final Set URI_USERINFO_KEYS = new LinkedHashSet<>(
 			Arrays.asList("uri", "uris", "address", "addresses"));
diff --git a/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java b/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java
index 0d567da6c6..425bc70a93 100644
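Review bot: The default list now mixes two matching modes that a reader of the new `+` lines cannot tell apart: plain entries such as `"vcap_services"` appear, from the rest of the class, to be matched as case-insensitive key suffixes, while entries containing one of the `REGEX_PARTS` characters (the new `"^vcap\\.services.*$"`, `".*credentials.*"`, the spring.application.json pattern) are used as full regular expressions, so a one-line comment above the literal would help: `// plain entries match the end of a key (case-insensitive); entries containing a REGEX_PARTS character are full regular expressions`. The trailing `$` in the new entry is redundant because `.*` already consumes the remainder of the key; `"^vcap\\.services.*"` mirrors the `".*credentials.*"` style and matches the same keys. While this line is being touched, the pre-existing `[\\\\._]` in the spring.application.json pattern compiles to a character class containing a literal backslash in addition to `.` and `_`, unlike the first class `[\\._]` on the same line; it is harmless but looks like a typo for `[\\._]`. The `Set` declarations appear without their type argument in this rendering, which is a display artefact rather than something the commit changed.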
--- a/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java
+++ b/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java
@@ -48,6 +48,8 @@ class SanitizerTests {
 		assertThat(sanitizer.sanitize("sun.java.command", "--spring.redis.password=pa55w0rd")).isEqualTo("******");
 		assertThat(sanitizer.sanitize("SPRING_APPLICATION_JSON", "{password:123}")).isEqualTo("******");
 		assertThat(sanitizer.sanitize("spring.application.json", "{password:123}")).isEqualTo("******");
+		assertThat(sanitizer.sanitize("VCAP_SERVICES", "{json}")).isEqualTo("******");
+		assertThat(sanitizer.sanitize("vcap.services.db.codeword", "secret")).isEqualTo("******");
 	}
 
 	@ParameterizedTest(name = "key = {0}")
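Review bot: Both added assertions check only the positive path; nothing asserts that a neighbouring, non-sensitive key is left untouched, so a regression that broadened the new default (for example to `^vcap\\..*`) would still pass. A constructed negative case such as `assertThat(sanitizer.sanitize("vcap.application.name", "my-app")).isEqualTo("my-app");` would pin the boundary of the `^vcap\\.services.*$` pattern. Note also that the first added line, `VCAP_SERVICES`, cannot match the new dot-separated pattern and so appears to exercise the pre-existing `vcap_services` default; only the `vcap.services.db.codeword` line covers the change this commit makes. The enclosing test method starts before this hunk.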