Sanitize sensitive portion of the value of url and urls keys

Closes spring-projectsgh-25387
mbenson · Feb 24, 2021 · 10ef991 · 10ef991
1 parent e3ad6b5
commit 10ef991
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 6 deletions.
diff --git a/...ring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java b/...ring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2020 the original author or authors.
+ * Copyright 2012-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -48,7 +48,7 @@ public class Sanitizer {
 			"key", "token", ".*credentials.*", "vcap_services", "sun.java.command"));
 
 	private static final Set<String> URI_USERINFO_KEYS = new LinkedHashSet<>(
-			Arrays.asList("uri", "uris", "address", "addresses"));
+			Arrays.asList("uri", "uris", "url", "urls", "address", "addresses"));
 
 	private static final Pattern URI_USERINFO_PATTERN = Pattern.compile("\\[?[A-Za-z]+://.+:(.*)@.+$");
 

diff --git a/...boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java b/...boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2020 the original author or authors.
+ * Copyright 2012-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -123,8 +123,8 @@ void uriKeyWithUserProvidedListLiteralShouldBeSanitized(String key) {
 	}
 
 	private static Stream<String> matchingUriUserInfoKeys() {
-		return Stream.of("uri", "my.uri", "myuri", "uris", "my.uris", "myuris", "address", "my.address", "myaddress",
-				"addresses", "my.addresses", "myaddresses");
+		return Stream.of("uri", "my.uri", "myuri", "uris", "my.uris", "myuris", "url", "my.url", "myurl", "urls",
+				"my.urls", "myurls", "address", "my.address", "myaddress", "addresses", "my.addresses", "myaddresses");
 	}
 
 	@Test

diff --git a/spring-boot-project/spring-boot-docs/src/docs/asciidoc/howto.adoc b/spring-boot-project/spring-boot-docs/src/docs/asciidoc/howto.adoc
@@ -2340,7 +2340,15 @@ The patterns to use can be customized using the `management.endpoint.env.keys-to
 Spring Boot uses sensible defaults for such keys: any key ending with the word "password", "secret", "key", "token", "vcap_services", "sun.java.command" is entirely sanitized.
 Additionally, any key that holds the word `credentials` as part of the key is sanitized (configured as a regular expression, i.e. `+*credentials.*+`).
 
-Furthermore, Spring Boot only sanitizes the sensitive portion of URIs for keys which end with "uri", "uris", "address", or "addresses".
+Furthermore, Spring Boot only sanitizes the sensitive portion of URI-like values for keys with one of the following endings:
+
+- `address`
+- `addresses`
+- `uri`
+- `uris`
+- `url`
+- `urls`
+
 The sensitive portion of the URI is identified using the format `<scheme>://<username>:<password>@<host>:<port>/`.
 For example, for the property `myclient.uri=http://user1:password1@localhost:8081`, the resulting sanitized value is
 `++http://user1:******@localhost:8081++`.