diff --git a/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java b/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java index 3dd5451cf2..a031592ef9 100644 --- a/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java +++ b/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java @@ -44,8 +44,9 @@ public class Sanitizer { private static final String[] REGEX_PARTS = { "*", "$", "^", "+" }; - private static final Set DEFAULT_KEYS_TO_SANITIZE = new LinkedHashSet<>(Arrays.asList("password", "secret", - "key", "token", ".*credentials.*", "vcap_services", "sun.java.command")); + private static final Set DEFAULT_KEYS_TO_SANITIZE = new LinkedHashSet<>( + Arrays.asList("password", "secret", "key", "token", ".*credentials.*", "vcap_services", "sun.java.command", + "^spring[\\._]application[\\\\._]json$")); private static final Set URI_USERINFO_KEYS = new LinkedHashSet<>( Arrays.asList("uri", "uris", "address", "addresses")); diff --git a/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java b/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java index 10bc768747..0d567da6c6 100644 --- a/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java +++ b/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java @@ -46,6 +46,8 @@ class SanitizerTests { assertThat(sanitizer.sanitize("sometoken", "secret")).isEqualTo("******"); assertThat(sanitizer.sanitize("find", "secret")).isEqualTo("secret"); assertThat(sanitizer.sanitize("sun.java.command", "--spring.redis.password=pa55w0rd")).isEqualTo("******"); + assertThat(sanitizer.sanitize("SPRING_APPLICATION_JSON", "{password:123}")).isEqualTo("******"); + assertThat(sanitizer.sanitize("spring.application.json", "{password:123}")).isEqualTo("******"); } @ParameterizedTest(name = "key = {0}")