Sanitize sun.java.command by default

Closes gh-12796
2024-07-15 01:07:30 +08:00 · 2018-04-09 16:32:16 +01:00 · 2018-04-09 16:32:16 +01:00 · cd0e4fe945
commit cd0e4fe945
parent a06de4d997
4 changed files with 15 additions and 6 deletions
--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2016 the original author or authors.
+ * Copyright 2012-2018 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -36,7 +36,8 @@ class Sanitizer {
 	private Pattern[] keysToSanitize;

 	Sanitizer() {
-		this("password", "secret", "key", "token", ".*credentials.*", "vcap_services");
+		this("password", "secret", "key", "token", ".*credentials.*", "vcap_services",
+				"sun.java.command");
 	}

 	Sanitizer(String... keysToSanitize) {
--- a/spring-boot-actuator/src/main/resources/META-INF/additional-spring-configuration-metadata.json
+++ b/spring-boot-actuator/src/main/resources/META-INF/additional-spring-configuration-metadata.json
@ -20,7 +20,8 @@
      "key",
      "token",
      ".*credentials.*",
-      "vcap_services"
+      "vcap_services",
+      "sun.java.command"
    ]
  },
  {
@ -44,7 +45,8 @@
      "key",
      "token",
      ".*credentials.*",
-      "vcap_services"
+      "vcap_services",
+      "sun.java.command"
    ]
  },
  {
--- a/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/EnvironmentEndpointTests.java
+++ b/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/EnvironmentEndpointTests.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2017 the original author or authors.
+ * Copyright 2012-2018 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -92,6 +92,10 @@ public class EnvironmentEndpointTests extends AbstractEndpointTests<EnvironmentE
 		assertThat(systemProperties.get("mySecret")).isEqualTo("******");
 		assertThat(systemProperties.get("myCredentials")).isEqualTo("******");
 		assertThat(systemProperties.get("VCAP_SERVICES")).isEqualTo("******");
+		Object command = systemProperties.get("sun.java.command");
+		if (command != null) {
+			assertThat(command).isEqualTo("******");
+		}
 		clearSystemProperties("dbPassword", "apiKey", "mySecret", "myCredentials");
 	}

--- a/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java
+++ b/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2016 the original author or authors.
+ * Copyright 2012-2018 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -39,6 +39,8 @@ public class SanitizerTests {
 		assertThat(sanitizer.sanitize("token", "secret")).isEqualTo("******");
 		assertThat(sanitizer.sanitize("sometoken", "secret")).isEqualTo("******");
 		assertThat(sanitizer.sanitize("find", "secret")).isEqualTo("secret");
+		assertThat(sanitizer.sanitize("sun.java.command",
+				"--spring.redis.password=pa55w0rd")).isEqualTo("******");
 	}

 	@Test