EnvironmentEndpoint does not sanitize uri when password is directly present

[htztomic]

The EnvironmentEndpoint does not sanitize the uri property when a placeholder is not present and the password is directly present. An example would be if the property value for the uri contains the exact password such as spring.data.mongodb.uri: mongodb://user:password@host1:27017. The password is not sanitized and therefore will be exposed.

[wilkinsona]

This is to be expected based on the current key-based approach to sanitising values in the endpoint. As the uri key isn't one that is sanitised by default, the value is left as-is. #8293 will improve this and I think this issue is a duplicate of that one. Have I misunderstood?

[mbhave]

#8293 is for the /configprops endpoint so this felt like a separate issue. I think if password is one of the sanitized keys in the /env endpoint, we should probably also sanitize it if the uri contains a password? It's not the name of the key per se so I'm on the fence about this one.

[wilkinsona]

Oops, thanks @mbhave. That's what I was missing. If we do it for the configprops endpoint then I think it makes sense to do it for the env endpoint too so that things are consistent.

[mbhave]

Closing in favor of #17939.