EnvironmentEndpoint does not sanitize uri when password is directly present #17930

Closed
htztomic opened this issue Aug 21, 2019 · 4 comments
Labels
status: superseded An issue that has been superseded by another

Comments

@htztomic
Contributor

The EnvironmentEndpoint does not sanitize the uri property when a placeholder is not present and the password is directly present. An example would be if the property value for the uri contains the exact password such as spring.data.mongodb.uri: mongodb://user:password@host1:27017. The password is not sanitized and therefore will be exposed.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Aug 21, 2019
@wilkinsona
Member

This is to be expected based on the current key-based approach to sanitising values in the endpoint. As the uri key isn't one that is sanitised by default, the value is left as-is. #8293 will improve this and I think this issue is a duplicate of that one. Have I misunderstood?

@mbhave
Contributor

mbhave commented Aug 22, 2019

#8293 is for the /configprops endpoint so this felt like a separate issue. I think if password is one of the sanitized keys in the /env endpoint, we should probably also sanitize it if the uri contains a password? It's not the name of the key per se so I'm on the fence about this one.

@wilkinsona
Member

Oops, thanks @mbhave. That's what I was missing. If we do it for the configprops endpoint then I think it makes sense to do it for the env endpoint too so that things are consistent.
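
To illustrate the two rules discussed in this thread, key-based sanitisation and value-based sanitisation of URIs that embed a password, here is an added Python example; it is not Spring Boot code, and the default key list, the mask string and the URI regex are assumptions made for the example.

```python
import re

# Assumed default list of sanitised keys, modelled on the key-based approach
# described in the thread; the exact list is not stated on the page.
DEFAULT_KEYS_TO_SANITIZE = ("password", "secret", "key", "token",
                            ".*credentials.*", "vcap_services", "sun.java.command")
MASK = "******"

# Matches scheme://user:password@rest. The password group is deliberately
# permissive ([^@]*): over-masking a non-password is harmless in a diagnostic
# endpoint, leaking a real password is not. The scheme class allows ':' so
# jdbc:mysql://user:pw@host style values are covered too.
_URI_PASSWORD = re.compile(r"^([A-Za-z][A-Za-z0-9+.:-]*://[^:/@]+:)([^@]*)(@.*)$")


def _key_patterns(keys):
    """Plain words become case-insensitive suffix matches (".*password$");
    anything containing regex metacharacters is used as a regex as-is."""
    patterns = []
    for k in keys:
        if not any(c in k for c in "*$^+[]"):
            k = ".*" + re.escape(k) + "$"
        patterns.append(re.compile(k, re.IGNORECASE))
    return patterns


def _sanitize_single_uri(uri):
    m = _URI_PASSWORD.match(uri)
    if not m:
        return uri  # no userinfo password present, leave value untouched
    return m.group(1) + MASK + m.group(3)


def sanitize_uri_list(value):
    """Handle comma-separated URI lists (e.g. replica set members) member by member."""
    return ",".join(_sanitize_single_uri(part) for part in value.split(","))


def sanitize_value(key, value, keys=DEFAULT_KEYS_TO_SANITIZE):
    """Rule 1: mask the whole value when the key looks sensitive.
    Rule 2: otherwise mask only the password part of any URI in the value,
    which is the case this issue is about (key 'uri', value with credentials)."""
    if value is None:
        return None
    if any(p.match(key) for p in _key_patterns(keys)):
        return MASK
    return sanitize_uri_list(value)


if __name__ == "__main__":
    # Constructed sample property from the issue description
    print(sanitize_value("spring.data.mongodb.uri", "mongodb://user:password@host1:27017"))
```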

@mbhave
Contributor

mbhave commented Aug 22, 2019

Closing in favor of #17939.

@mbhave mbhave closed this as completed Aug 22, 2019
@mbhave mbhave added status: superseded An issue that has been superseded by another and removed status: waiting-for-triage An issue we've not yet triaged labels Aug 22, 2019