Sanitize URIs with non-alpha characters in their schemes

See gh-27482
2024-08-29 03:06:45 +08:00 · 2021-07-23 15:10:29 -04:00 · 2021-07-23 15:10:29 -04:00 · bafa9c4784
commit bafa9c4784
parent cff1827e27
2 changed files with 3 additions and 3 deletions
--- a/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java
+++ b/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java
@ -50,7 +50,7 @@ public class Sanitizer {
 	private static final Set<String> URI_USERINFO_KEYS = new LinkedHashSet<>(
 			Arrays.asList("uri", "uris", "address", "addresses"));

-	private static final Pattern URI_USERINFO_PATTERN = Pattern.compile("\\[?[A-Za-z]+://.+:(.*)@.+$");
+	private static final Pattern URI_USERINFO_PATTERN = Pattern.compile("^[A-Za-z][A-Za-z0-9\\+\\.\\-]+://.+:(.*)@.+$");

 	private Pattern[] keysToSanitize;

--- a/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java
+++ b/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java
@ -52,8 +52,8 @@ class SanitizerTests {
 	@MethodSource("matchingUriUserInfoKeys")
 	void uriWithSingleValueWithPasswordShouldBeSanitized(String key) {
 		Sanitizer sanitizer = new Sanitizer();
-		assertThat(sanitizer.sanitize(key, "http://user:password@localhost:8080"))
-				.isEqualTo("http://user:******@localhost:8080");
+		assertThat(sanitizer.sanitize(key, "view-source://user:password@localhost:8080"))
+				.isEqualTo("view-source://user:******@localhost:8080");
 	}

 	@ParameterizedTest(name = "key = {0}")