From cd0e4fe945a457d5249df3ad2c0838878e232a46 Mon Sep 17 00:00:00 2001
From: Andy Wilkinson
Date: Mon, 9 Apr 2018 16:32:16 +0100
Subject: [PATCH] Sanitize sun.java.command by default

Closes gh-12796
---
 .../springframework/boot/actuate/endpoint/Sanitizer.java | 5 +++--
 .../META-INF/additional-spring-configuration-metadata.json | 6 ++++--
 .../boot/actuate/endpoint/EnvironmentEndpointTests.java | 6 +++++-
 .../boot/actuate/endpoint/SanitizerTests.java | 4 +++-
 4 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java
index bf8e5e22ebd..8565ad1cf58 100644
--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2016 the original author or authors.
+ * Copyright 2012-2018 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -36,7 +36,8 @@ class Sanitizer {
 private Pattern[] keysToSanitize;
 
 Sanitizer() {
- this("password", "secret", "key", "token", ".*credentials.*", "vcap_services");
+ this("password", "secret", "key", "token", ".*credentials.*", "vcap_services",
+ "sun.java.command");
 }
 
 Sanitizer(String... keysToSanitize) {
diff --git a/spring-boot-actuator/src/main/resources/META-INF/additional-spring-configuration-metadata.json b/spring-boot-actuator/src/main/resources/META-INF/additional-spring-configuration-metadata.json
index 5c0b2639df3..79a26391099 100644
--- a/spring-boot-actuator/src/main/resources/META-INF/additional-spring-configuration-metadata.json
+++ b/spring-boot-actuator/src/main/resources/META-INF/additional-spring-configuration-metadata.json
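Review bot: The new default `"sun.java.command"` is passed, like the other entries, to the `Sanitizer(String...)` constructor and ends up in `Pattern[] keysToSanitize`, so its unescaped dots behave as single-character wildcards; that can only over-match (harmless for a sanitizer), but `"sun\\.java\\.command"` would be exact, provided the constructor compiles such plain strings as regexes — its body is outside this hunk, so confirm before changing it. Nothing in the list records why this key is sensitive, which the next maintainer will want; a one-line comment such as `// sun.java.command echoes the full JVM command line, which may carry secrets passed as -D or program arguments` would do. If that is the exposure being closed, secrets supplied as `-D` system properties can equally reach the reported environment through `JAVA_TOOL_OPTIONS`-style variables, which this fixed denylist does not match — worth weighing as a follow-up rather than widening here. The `Sanitizer` class and the `Sanitizer(String...)` constructor continue outside the hunk.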
@@ -20,7 +20,8 @@
 "key",
 "token",
 ".*credentials.*",
- "vcap_services"
+ "vcap_services",
+ "sun.java.command"
 ]
 },
 {
@@ -44,7 +45,8 @@
 "key",
 "token",
 ".*credentials.*",
- "vcap_services"
+ "vcap_services",
+ "sun.java.command"
 ]
 },
 {
diff --git a/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/EnvironmentEndpointTests.java b/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/EnvironmentEndpointTests.java
index 807bcb8f9d5..4aa126014c4 100644
--- a/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/EnvironmentEndpointTests.java
+++ b/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/EnvironmentEndpointTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2017 the original author or authors.
+ * Copyright 2012-2018 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -92,6 +92,10 @@ public class EnvironmentEndpointTests extends AbstractEndpointTests