Sanitize keys with 'token' by default

This commit updates `Sanitizer` to sanitize by default a key containing `token`. Closes gh-5462
2016-03-29 13:28:13 +02:00 · 2016-03-29 13:28:13 +02:00 · 928f2dfc91
parent 0c1dd1aac5
commit 928f2dfc91
4 changed files with 25 additions and 5 deletions
--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java
@ -27,6 +27,7 @@ import org.springframework.util.Assert;
 * @author Toshiaki Maki
 * @author Phillip Webb
 * @author Nicolas Lejeune
+ * @author Stephane Nicoll
 */
 class Sanitizer {

@ -35,7 +36,7 @@ class Sanitizer {
 	private Pattern[] keysToSanitize;

 	Sanitizer() {
-		this("password", "secret", "key", ".*credentials.*", "vcap_services");
+		this("password", "secret", "key", "token", ".*credentials.*", "vcap_services");
 	}

 	Sanitizer(String... keysToSanitize) {
--- a/spring-boot-actuator/src/main/resources/META-INF/additional-spring-configuration-metadata.json
+++ b/spring-boot-actuator/src/main/resources/META-INF/additional-spring-configuration-metadata.json
@ -13,7 +13,15 @@
    "name": "endpoints.configprops.keys-to-sanitize",
    "type": "java.lang.String[]",
    "sourceType": "org.springframework.boot.actuate.endpoint.ConfigurationPropertiesReportEndpoint",
-    "description": "Keys that should be sanitized. Keys can be simple strings that the property ends with or regex expressions."
+    "description": "Keys that should be sanitized. Keys can be simple strings that the property ends with or regex expressions.",
+    "defaultValue": [
+      "password",
+      "secret",
+      "key",
+      "token",
+      ".*credentials.*",
+      "vcap_services"
+    ]
  },
  {
    "name": "endpoints.configprops.path",
@ -29,7 +37,15 @@
    "name": "endpoints.env.keys-to-sanitize",
    "type": "java.lang.String[]",
    "sourceType": "org.springframework.boot.actuate.endpoint.EnvironmentEndpoint",
-    "description": "Keys that should be sanitized. Keys can be simple strings that the property ends with or regex expressions."
+    "description": "Keys that should be sanitized. Keys can be simple strings that the property ends with or regex expressions.",
+    "defaultValue": [
+      "password",
+      "secret",
+      "key",
+      "token",
+      ".*credentials.*",
+      "vcap_services"
+    ]
  },
  {
    "name": "endpoints.info.path",
--- a/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java
+++ b/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java
@ -24,6 +24,7 @@ import static org.assertj.core.api.Assertions.assertThat;
 * Tests for {@link Sanitizer}.
 *
 * @author Phillip Webb
+ * @author Stephane Nicoll
 */
 public class SanitizerTests {

@ -35,6 +36,8 @@ public class SanitizerTests {
 		assertThat(sanitizer.sanitize("my-OTHER.paSSword", "secret")).isEqualTo("******");
 		assertThat(sanitizer.sanitize("somesecret", "secret")).isEqualTo("******");
 		assertThat(sanitizer.sanitize("somekey", "secret")).isEqualTo("******");
+		assertThat(sanitizer.sanitize("token", "secret")).isEqualTo("******");
+		assertThat(sanitizer.sanitize("sometoken", "secret")).isEqualTo("******");
 		assertThat(sanitizer.sanitize("find", "secret")).isEqualTo("secret");
 	}

--- a/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc
+++ b/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc
@ -847,7 +847,7 @@ content into your application; rather pick only the properties that you need.
 	endpoints.beans.sensitive= # Mark if the endpoint exposes sensitive information.
 	endpoints.configprops.enabled= # Enable the endpoint.
 	endpoints.configprops.id= # Endpoint identifier.
-	endpoints.configprops.keys-to-sanitize=password,secret,key,.*credentials.*,vcap_services # Keys that should be sanitized. Keys can be simple strings that the property ends with or regex expressions.
+	endpoints.configprops.keys-to-sanitize=password,secret,key,token,.*credentials.*,vcap_services # Keys that should be sanitized. Keys can be simple strings that the property ends with or regex expressions.
 	endpoints.configprops.path= # Endpoint path.
 	endpoints.configprops.sensitive= # Mark if the endpoint exposes sensitive information.
 	endpoints.docs.curies.enabled=false # Enable the curie generation.
@ -860,7 +860,7 @@ content into your application; rather pick only the properties that you need.
 	endpoints.dump.sensitive= # Mark if the endpoint exposes sensitive information.
 	endpoints.env.enabled= # Enable the endpoint.
 	endpoints.env.id= # Endpoint identifier.
-	endpoints.env.keys-to-sanitize=password,secret,key,.*credentials.*,vcap_services # Keys that should be sanitized. Keys can be simple strings that the property ends with or regex expressions.
+	endpoints.env.keys-to-sanitize=password,secret,key,token,.*credentials.*,vcap_services # Keys that should be sanitized. Keys can be simple strings that the property ends with or regex expressions.
 	endpoints.env.path= # Endpoint path.
 	endpoints.env.sensitive= # Mark if the endpoint exposes sensitive information.
 	endpoints.flyway.enabled= # Enable the endpoint.