sanitize by default a key containing uri or url.

[making]

Spring Boot apps in Cloud foundry often expose credentials as the property whose key ends with url or uri as follows:

I hope those are hidden by default.

[snicoll]

That seems a bit agressive to me. I'd rather have something that parse the url to detect that a password is specified and santize that. It could be either a standard user:pass in an HTTP url or some parameter with a well-defined name (i.e. password).

[making]

How does .*\\.connection\\..* sounds?

or .*\\.connection\\..*(uri|url)$

[snicoll]

I don't like it either.

You don't want to santize the full URL, do you? You want to sanitize the credentials only. Wondering what others think.

[joshiste]

You don't want to santize the full URL, do you? You want to sanitize the credentials only. Wondering what others think.

So how about making the Sanitizer exchangable so that custom implementations for the masking can be used?

[making]

@joshiste it's already customizable https://github.com/spring-projects/spring-boot/blob/v1.4.0.RELEASE/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/EnvironmentEndpoint.java#L51-L53 .
I'd like to mask it by default. Because CF users often make password public without realizing it.
Actually, VCAP_SERVICES and .*credentials.* are hidden by default. It's nice but not enough.

[joshiste]

it's already customizable

Only the list of the regexes, but the Sanitizer implementation it self can't be exchanged.
And there is a open issue to alter the behaviour for Spring Cloud. Imho it would be reasonable to make the Sanitizer more customizable, so that other implementations can be chosen via (auto-)config (contributed by libs).

[making]

@joshiste Sounds nice!
I imagine following classes:

class Sanitizer {
  Sanitizer(SanitizePatterns patterns) {
   // ...
  }
}

class SanitizePatterns {
  private final List<SanitizePattern> patterns;
}

and auto-configuration

@Bean
@ConditionOnMissingBean
SanitizePatterns sanitizePatterns(List<SanitizePattern> patterns) {
  SanitizePatterns patterns = new SanitizePatterns("password", "secret", "key", "token", ".*credentials.*", "vcap_services");
  patterns.addAll(patterns);
  return patterns;
}

If a project want to mask other patterns, add

@Bean
SanitizerPattern myPattern() {
  return new SanitizerPattern("url");
}

[snicoll]

@joshiste please share that idea in a separate issue, thanks.

[philwebb]

Similar request in #6587

[snicoll]

Another example: spring.data.mongodb.uri

[snicoll]

Closing in favour of #6587 (and #11264). Thanks for the PR anyway @making!