Polish "Sanitize password in URI properties"

mbhave · mbhave · commit 782959374607 · 2019-08-23T18:16:46.000-07:00
See gh-17939
diff --git a/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java b/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java
@@ -16,7 +16,7 @@
 
 package org.springframework.boot.actuate.endpoint;
 
-import java.net.URI;
+import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 import org.springframework.util.Assert;
@@ -38,6 +38,8 @@ public class Sanitizer {
 
 	private static final String[] REGEX_PARTS = { "*", "$", "^", "+" };
 
+	private static final Pattern URI_USERINFO_PATTERN = Pattern.compile("[A-Za-z]+://.+:(.*)@.+$");
+
 	private Pattern[] keysToSanitize;
 
 	public Sanitizer() {
@@ -99,17 +101,10 @@ public Object sanitize(String key, Object value) {
 	}
 
 	private Object sanitizeUri(Object value) {
-		URI uri = URI.create(value.toString());
-		String userInfo = uri.getUserInfo();
-		if (!StringUtils.hasText(userInfo) || userInfo.split(":").length == 0) {
-			return value;
-		}
-		String[] parts = userInfo.split(":");
-		String userName = parts[0];
-		if (StringUtils.hasText(userName)) {
-			String sanitizedPassword = "******";
-			return uri.getScheme() + "://" + userName + ":" + sanitizedPassword + "@" + uri.getHost() + ":"
-					+ uri.getPort() + uri.getPath();
+		Matcher matcher = URI_USERINFO_PATTERN.matcher(value.toString());
+		String password = matcher.matches() ? matcher.group(1) : null;
+		if (password != null) {
+			return StringUtils.replace(value.toString(), ":" + password + "@", ":******@");
 		}
 		return value;
 	}
diff --git a/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/context/properties/ConfigurationPropertiesReportEndpointTests.java b/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/context/properties/ConfigurationPropertiesReportEndpointTests.java
@@ -286,7 +286,7 @@ public static class TestProperties {
 
 		private URI sensitiveUri = URI.create("http://user:password@localhost:8080");
 
-		private URI noPasswordUri = URI.create("http://user:p@localhost:8080");
+		private URI noPasswordUri = URI.create("http://user:@localhost:8080");
 
 		TestProperties() {
 			this.secrets.put("mine", "myPrivateThing");
diff --git a/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java b/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java
@@ -44,6 +44,19 @@ void defaults() {
 				.isEqualTo("http://user:******@localhost:8080");
 	}
 
+	@Test
+	void uriWithNoPasswordShouldNotBeSanitized() {
+		Sanitizer sanitizer = new Sanitizer();
+		assertThat(sanitizer.sanitize("my.uri", "http://localhost:8080")).isEqualTo("http://localhost:8080");
+	}
+
+	@Test
+	void uriWithPasswordMatchingOtherPartsOfString() {
+		Sanitizer sanitizer = new Sanitizer();
+		assertThat(sanitizer.sanitize("my.uri", "http://user://@localhost:8080"))
+				.isEqualTo("http://user:******@localhost:8080");
+	}
+
 	@Test
 	void regex() {
 		Sanitizer sanitizer = new Sanitizer(".*lock.*");
