Merge pull request #19999 from bono007

* pr/19999:
  Polish contribution
  Add 'uris', 'address' and 'addresses' to keys to sanitize.

Closes gh-19999

Author: mbhave

spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2019 the original author or authors.
+ * Copyright 2012-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,8 +16,12 @@
 
 package org.springframework.boot.actuate.endpoint;
 
+import java.util.Arrays;
+import java.util.LinkedHashSet;
+import java.util.Set;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
+import java.util.stream.Collectors;
 
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
@@ -32,18 +36,29 @@
  * @author Nicolas Lejeune
  * @author Stephane Nicoll
  * @author HaiTao Zhang
+ * @author Chris Bono
  * @since 2.0.0
  */
 public class Sanitizer {
 
 	private static final String[] REGEX_PARTS = { "*", "$", "^", "+" };
 
+	private static final Set<String> DEFAULT_KEYS_TO_SANITIZE = new LinkedHashSet<>(Arrays.asList("password", "secret",
+			"key", "token", ".*credentials.*", "vcap_services", "sun.java.command"));
+
+	private static final Set<String> URI_USERINFO_KEYS = new LinkedHashSet<>(
+			Arrays.asList("uri", "uris", "address", "addresses"));
+
 	private static final Pattern URI_USERINFO_PATTERN = Pattern.compile("[A-Za-z]+://.+:(.*)@.+$");
 
 	private Pattern[] keysToSanitize;
 
+	static {
+		DEFAULT_KEYS_TO_SANITIZE.addAll(URI_USERINFO_KEYS);
+	}
+
 	public Sanitizer() {
-		this("password", "secret", "key", "token", ".*credentials.*", "vcap_services", "sun.java.command", "uri");
+		this(DEFAULT_KEYS_TO_SANITIZE.toArray(new String[0]));
 	}
 
 	public Sanitizer(String... keysToSanitize) {
@@ -91,21 +106,33 @@ public Object sanitize(String key, Object value) {
 		}
 		for (Pattern pattern : this.keysToSanitize) {
 			if (pattern.matcher(key).matches()) {
-				if (pattern.matcher("uri").matches()) {
-					return sanitizeUri(value);
+				if (keyIsUriWithUserInfo(pattern)) {
+					return sanitizeUris(value.toString());
 				}
 				return "******";
 			}
 		}
 		return value;
 	}
 
-	private Object sanitizeUri(Object value) {
-		String uriString = value.toString();
-		Matcher matcher = URI_USERINFO_PATTERN.matcher(uriString);
+	private boolean keyIsUriWithUserInfo(Pattern pattern) {
+		for (String uriKey : URI_USERINFO_KEYS) {
+			if (pattern.matcher(uriKey).matches()) {
+				return true;
+			}
+		}
+		return false;
+	}
+
+	private Object sanitizeUris(String value) {
+		return Arrays.stream(value.split(",")).map(this::sanitizeUri).collect(Collectors.joining(","));
+	}
+
+	private String sanitizeUri(String value) {
+		Matcher matcher = URI_USERINFO_PATTERN.matcher(value);
 		String password = matcher.matches() ? matcher.group(1) : null;
 		if (password != null) {
-			return StringUtils.replace(uriString, ":" + password + "@", ":******@");
+			return StringUtils.replace(value, ":" + password + "@", ":******@");
 		}
 		return value;
 	}

spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/context/properties/ConfigurationPropertiesReportEndpointTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2019 the original author or authors.
+ * Copyright 2012-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -51,6 +51,7 @@
  * @author Andy Wilkinson
  * @author Stephane Nicoll
  * @author HaiTao Zhang
+ * @author Chris Bono
  */
 class ConfigurationPropertiesReportEndpointTests {
 
@@ -170,19 +171,26 @@ void sanitizeWithCustomPatternUsingCompositeKeys() {
 	}
 
 	@Test
-	void sanitizedUriWithSensitiveInfo() {
+	void sanitizeUriWithSensitiveInfo() {
 		this.contextRunner.withUserConfiguration(SensiblePropertiesConfiguration.class)
 				.run(assertProperties("sensible", (properties) -> assertThat(properties.get("sensitiveUri"))
 						.isEqualTo("http://user:******@localhost:8080")));
 	}
 
 	@Test
-	void sanitizedUriWithNoPassword() {
+	void sanitizeUriWithNoPassword() {
 		this.contextRunner.withUserConfiguration(SensiblePropertiesConfiguration.class)
 				.run(assertProperties("sensible", (properties) -> assertThat(properties.get("noPasswordUri"))
 						.isEqualTo("http://user:******@localhost:8080")));
 	}
 
+	@Test
+	void sanitizeAddressesFieldContainingMultipleRawSensitiveUris() {
+		this.contextRunner.withUserConfiguration(SensiblePropertiesConfiguration.class)
+				.run(assertProperties("sensible", (properties) -> assertThat(properties.get("rawSensitiveAddresses"))
+						.isEqualTo("http://user:******@localhost:8080,http://user2:******@localhost:8082")));
+	}
+
 	@Test
 	void sanitizeLists() {
 		this.contextRunner.withUserConfiguration(SensiblePropertiesConfiguration.class)
@@ -574,6 +582,8 @@ public static class SensibleProperties {
 
 		private URI noPasswordUri = URI.create("http://user:@localhost:8080");
 
+		private String rawSensitiveAddresses = "http://user:password@localhost:8080,http://user2:password2@localhost:8082";
+
 		private List<ListItem> listItems = new ArrayList<>();
 
 		private List<List<ListItem>> listOfListItems = new ArrayList<>();
@@ -599,6 +609,14 @@ public URI getNoPasswordUri() {
 			return this.noPasswordUri;
 		}
 
+		public String getRawSensitiveAddresses() {
+			return this.rawSensitiveAddresses;
+		}
+
+		public void setRawSensitiveAddresses(final String rawSensitiveAddresses) {
+			this.rawSensitiveAddresses = rawSensitiveAddresses;
+		}
+
 		public List<ListItem> getListItems() {
 			return this.listItems;
 		}

spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2019 the original author or authors.
+ * Copyright 2012-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,7 +16,11 @@
 
 package org.springframework.boot.actuate.endpoint;
 
+import java.util.stream.Stream;
+
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.MethodSource;
 
 import static org.assertj.core.api.Assertions.assertThat;
 
@@ -25,11 +29,12 @@
  *
  * @author Phillip Webb
  * @author Stephane Nicoll
+ * @author Chris Bono
  */
 class SanitizerTests {
 
 	@Test
-	void defaults() {
+	void defaultNonUriKeys() {
 		Sanitizer sanitizer = new Sanitizer();
 		assertThat(sanitizer.sanitize("password", "secret")).isEqualTo("******");
 		assertThat(sanitizer.sanitize("my-password", "secret")).isEqualTo("******");
@@ -40,23 +45,71 @@ void defaults() {
 		assertThat(sanitizer.sanitize("sometoken", "secret")).isEqualTo("******");
 		assertThat(sanitizer.sanitize("find", "secret")).isEqualTo("secret");
 		assertThat(sanitizer.sanitize("sun.java.command", "--spring.redis.password=pa55w0rd")).isEqualTo("******");
-		assertThat(sanitizer.sanitize("my.uri", "http://user:password@localhost:8080"))
+	}
+
+	@ParameterizedTest(name = "key = {0}")
+	@MethodSource("matchingUriUserInfoKeys")
+	void uriWithSingleValueWithPasswordShouldBeSanitized(String key) {
+		Sanitizer sanitizer = new Sanitizer();
+		assertThat(sanitizer.sanitize(key, "http://user:password@localhost:8080"))
 				.isEqualTo("http://user:******@localhost:8080");
 	}
 
-	@Test
-	void uriWithNoPasswordShouldNotBeSanitized() {
+	@ParameterizedTest(name = "key = {0}")
+	@MethodSource("matchingUriUserInfoKeys")
+	void uriWithSingleValueWithNoPasswordShouldNotBeSanitized(String key) {
 		Sanitizer sanitizer = new Sanitizer();
-		assertThat(sanitizer.sanitize("my.uri", "http://localhost:8080")).isEqualTo("http://localhost:8080");
+		assertThat(sanitizer.sanitize(key, "http://localhost:8080")).isEqualTo("http://localhost:8080");
+		assertThat(sanitizer.sanitize(key, "http://user@localhost:8080")).isEqualTo("http://user@localhost:8080");
 	}
 
-	@Test
-	void uriWithPasswordMatchingOtherPartsOfString() {
+	@ParameterizedTest(name = "key = {0}")
+	@MethodSource("matchingUriUserInfoKeys")
+	void uriWithSingleValueWithPasswordMatchingOtherPartsOfStringShouldBeSanitized(String key) {
 		Sanitizer sanitizer = new Sanitizer();
-		assertThat(sanitizer.sanitize("my.uri", "http://user://@localhost:8080"))
+		assertThat(sanitizer.sanitize(key, "http://user://@localhost:8080"))
 				.isEqualTo("http://user:******@localhost:8080");
 	}
 
+	@ParameterizedTest(name = "key = {0}")
+	@MethodSource("matchingUriUserInfoKeys")
+	void uriWithMultipleValuesEachWithPasswordShouldHaveAllSanitized(String key) {
+		Sanitizer sanitizer = new Sanitizer();
+		assertThat(
+				sanitizer.sanitize(key, "http://user1:password1@localhost:8080,http://user2:password2@localhost:8082"))
+						.isEqualTo("http://user1:******@localhost:8080,http://user2:******@localhost:8082");
+	}
+
+	@ParameterizedTest(name = "key = {0}")
+	@MethodSource("matchingUriUserInfoKeys")
+	void uriWithMultipleValuesNoneWithPasswordShouldHaveNoneSanitized(String key) {
+		Sanitizer sanitizer = new Sanitizer();
+		assertThat(sanitizer.sanitize(key, "http://user@localhost:8080,http://localhost:8082"))
+				.isEqualTo("http://user@localhost:8080,http://localhost:8082");
+	}
+
+	@ParameterizedTest(name = "key = {0}")
+	@MethodSource("matchingUriUserInfoKeys")
+	void uriWithMultipleValuesSomeWithPasswordShouldHaveThoseSanitized(String key) {
+		Sanitizer sanitizer = new Sanitizer();
+		assertThat(sanitizer.sanitize(key,
+				"http://user1:password1@localhost:8080,http://user2@localhost:8082,http://localhost:8083")).isEqualTo(
+						"http://user1:******@localhost:8080,http://user2@localhost:8082,http://localhost:8083");
+	}
+
+	@ParameterizedTest(name = "key = {0}")
+	@MethodSource("matchingUriUserInfoKeys")
+	void uriWithMultipleValuesWithPasswordMatchingOtherPartsOfStringShouldBeSanitized(String key) {
+		Sanitizer sanitizer = new Sanitizer();
+		assertThat(sanitizer.sanitize(key, "http://user1://@localhost:8080,http://user2://@localhost:8082"))
+				.isEqualTo("http://user1:******@localhost:8080,http://user2:******@localhost:8082");
+	}
+
+	private static Stream<String> matchingUriUserInfoKeys() {
+		return Stream.of("uri", "my.uri", "myuri", "uris", "my.uris", "myuris", "address", "my.address", "myaddress",
+				"addresses", "my.addresses", "myaddresses");
+	}
+
 	@Test
 	void regex() {
 		Sanitizer sanitizer = new Sanitizer(".*lock.*");

spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/env/EnvironmentEndpointTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2019 the original author or authors.
+ * Copyright 2012-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -50,6 +50,7 @@
  * @author Madhura Bhave
  * @author Andy Wilkinson
  * @author HaiTao Zhang
+ * @author Chris Bono
  */
 class EnvironmentEndpointTests {
 
@@ -246,13 +247,25 @@ void multipleSourcesWithSameProperty() {
 	}
 
 	@Test
-	void uriPropertryWithSensitiveInfo() {
+	void uriPropertyWithSensitiveInfo() {
 		ConfigurableEnvironment environment = new StandardEnvironment();
 		TestPropertyValues.of("sensitive.uri=http://user:password@localhost:8080").applyTo(environment);
 		EnvironmentEntryDescriptor descriptor = new EnvironmentEndpoint(environment).environmentEntry("sensitive.uri");
 		assertThat(descriptor.getProperty().getValue()).isEqualTo("http://user:******@localhost:8080");
 	}
 
+	@Test
+	void addressesPropertyWithMultipleEntriesEachWithSensitiveInfo() {
+		ConfigurableEnvironment environment = new StandardEnvironment();
+		TestPropertyValues
+				.of("sensitive.addresses=http://user:password@localhost:8080,http://user2:password2@localhost:8082")
+				.applyTo(environment);
+		EnvironmentEntryDescriptor descriptor = new EnvironmentEndpoint(environment)
+				.environmentEntry("sensitive.addresses");
+		assertThat(descriptor.getProperty().getValue())
+				.isEqualTo("http://user:******@localhost:8080,http://user2:******@localhost:8082");
+	}
+
 	private static ConfigurableEnvironment emptyEnvironment() {
 		StandardEnvironment environment = new StandardEnvironment();
 		environment.getPropertySources().remove(StandardEnvironment.SYSTEM_ENVIRONMENT_PROPERTY_SOURCE_NAME);