Sanitize configuration properties that are nested beneath a List

Closes gh-8197

Sanitize configuration properties that are nested beneath a List
Closes gh-8197
f27bb39a · Andy Wilkinson · 05dbc15a · f27bb39a · f27bb39a
Commit f27bb39a authored Feb 08, 2017 by Andy Wilkinson
2 changed files
--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/ConfigurationPropertiesReportEndpoint.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/ConfigurationPropertiesReportEndpoint.java
 /*
- * Copyright 2012-2016 the original author or authors.
+ * Copyright 2012-2017 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -239,6 +239,9 @@ public class ConfigurationPropertiesReportEndpoint
 			if (value instanceof Map) {
 				map.put(key, sanitize(qualifiedKey, (Map<String, Object>) value));
 			}
+			else if (value instanceof List) {
+				map.put(key, sanitize(qualifiedKey, (List<Object>) value));
+			}
 			else {
 				value = this.sanitizer.sanitize(key, value);
 				value = this.sanitizer.sanitize(qualifiedKey, value);
@@ -248,6 +251,24 @@ public class ConfigurationPropertiesReportEndpoint
 		return map;
 	}
+	@SuppressWarnings("unchecked")
+	private List<Object> sanitize(String prefix, List<Object> list) {
+		List<Object> sanitized = new ArrayList<Object>();
+		for (Object item : list) {
+			if (item instanceof Map) {
+				sanitized.add(sanitize(prefix, (Map<String, Object>) item));
+			}
+			else if (item instanceof List) {
+				sanitize(prefix, (List<Object>) item);
+			}
+			else {
+				item = this.sanitizer.sanitize(prefix, item);
+				sanitized.add(this.sanitizer.sanitize(prefix, item));
+			}
+		}
+		return sanitized;
+	}
 	/**
 	 * Extension to {@link JacksonAnnotationIntrospector} to suppress CGLIB generated bean
 	 * properties.

--- a/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/ConfigurationPropertiesReportEndpointTests.java
+++ b/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/ConfigurationPropertiesReportEndpointTests.java
 /*
- * Copyright 2012-2016 the original author or authors.
+ * Copyright 2012-2017 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -16,7 +16,9 @@
 package org.springframework.boot.actuate.endpoint;
+import java.util.ArrayList;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 import org.junit.Test;
@@ -85,6 +87,19 @@ public class ConfigurationPropertiesReportEndpointTests
 		assertThat(nestedProperties.get("myTestProperty")).isEqualTo("******");
 	}
+	@Test
+	@SuppressWarnings("unchecked")
+	public void testKeySanitizationWithList() throws Exception {
+		ConfigurationPropertiesReportEndpoint report = getEndpointBean();
+		report.setKeysToSanitize("property");
+		Map<String, Object> properties = report.invoke();
+		Map<String, Object> nestedProperties = (Map<String, Object>) ((Map<String, Object>) properties
+				.get("testProperties")).get("properties");
+		assertThat(nestedProperties).isNotNull();
+		assertThat(nestedProperties.get("dbPassword")).isEqualTo("123456");
+		assertThat(nestedProperties.get("myTestProperty")).isEqualTo("******");
+	}
 	@SuppressWarnings("unchecked")
 	@Test
 	public void testKeySanitizationWithCustomPattern() throws Exception {
@@ -183,6 +198,20 @@ public class ConfigurationPropertiesReportEndpointTests
 		assertThat(nestedProperties.get("mixedBoolean")).isEqualTo(true);
 	}
+	@Test
+	@SuppressWarnings("unchecked")
+	public void listsAreSanitized() throws Exception {
+		ConfigurationPropertiesReportEndpoint report = getEndpointBean();
+		Map<String, Object> properties = report.invoke();
+		Map<String, Object> nestedProperties = (Map<String, Object>) ((Map<String, Object>) properties
+				.get("testProperties")).get("properties");
+		assertThat(nestedProperties.get("listItems")).isInstanceOf(List.class);
+		List<Object> list = (List<Object>) nestedProperties.get("listItems");
+		assertThat(list).hasSize(1);
+		Map<String, Object> item = (Map<String, Object>) list.get(0);
+		assertThat(item.get("somePassword")).isEqualTo("******");
+	}
 	@Configuration
 	@EnableConfigurationProperties
 	public static class Parent {
@@ -223,9 +252,12 @@ public class ConfigurationPropertiesReportEndpointTests
 		private Hidden hidden = new Hidden();
+		private List<ListItem> listItems = new ArrayList<ListItem>();
 		public TestProperties() {
 			this.secrets.put("mine", "myPrivateThing");
 			this.secrets.put("yours", "yourPrivateThing");
+			this.listItems.add(new ListItem());
 		}
 		public String getDbPassword() {
@@ -268,6 +300,14 @@ public class ConfigurationPropertiesReportEndpointTests
 			this.hidden = hidden;
 		}
+		public List<ListItem> getListItems() {
+			return this.listItems;
+		}
+		public void setListItems(List<ListItem> listItems) {
+			this.listItems = listItems;
+		}
 		public static class Hidden {
 			private String mine = "mySecret";
@@ -282,6 +322,20 @@ public class ConfigurationPropertiesReportEndpointTests
 		}
+		public static class ListItem {
+			private String somePassword = "secret";
+			public String getSomePassword() {
+				return this.somePassword;
+			}
+			public void setSomePassword(String somePassword) {
+				this.somePassword = somePassword;
+			}
+		}
 	}
 }