Hello,

I want to raise to your attention that the property SPRING_APPLICATION_JSON is present in the /env endpoint when used but the values are not sanitized.

There's a workaround available by declaring:

management:
  env:
    additional-keys-to-sanitize: SPRING_APPLICATION_JSON

But to my knowledge it is not documented anywhere.

Since it's a base functionality of Spring Boot, it seems at first glance that it should be either:
* Completely removed from the /env endpoint (all values are loaded into the app context and present in a sanitized version already)
* Fully sanitized

For more information, this is our use case: We use a Vault Agent sidecar to retrieve sensitive information and share it with our main container as a JSON file (standard functionality). That JSON file is loaded into our app with SPRING_APPLICATION_JSON.

There's an attachment with a sample application reproducing the case.

Thanks for your time

demo-json-sanitize.zip
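A unit test that checks the workaround from the report without starting a web server, added here as an example and not taken from the issue's attachment or from Spring Boot's own code. It assumes a Spring Boot 2.x actuator on the classpath, and that `EnvironmentEndpoint` has the single-argument constructor, the `keysToSanitize(String...)` method (the programmatic counterpart of `management.env.additional-keys-to-sanitize`) and `environmentEntry(String)`; the property source and JSON value are constructed for the test.

```java
import static org.assertj.core.api.Assertions.assertThat;

import java.util.HashMap;
import java.util.Map;

import org.junit.jupiter.api.Test;
import org.springframework.boot.actuate.env.EnvironmentEndpoint;
import org.springframework.core.env.MapPropertySource;
import org.springframework.core.env.StandardEnvironment;

// Added example; EnvironmentEndpoint method names are assumed from Spring Boot 2.x actuator.
class SpringApplicationJsonSanitizationTest {

    // Constructed sample: the kind of blob a Vault Agent sidecar hands the app
    // through SPRING_APPLICATION_JSON (not a real secret).
    private static final String SAMPLE_JSON = "{\"db\":{\"password\":\"example-only\"}}";

    private StandardEnvironment environmentWithJsonVariable() {
        StandardEnvironment env = new StandardEnvironment();
        Map<String, Object> vars = new HashMap<>();
        vars.put("SPRING_APPLICATION_JSON", SAMPLE_JSON);
        // Stands in for the OS environment property source that /env reports;
        // a MapPropertySource is used so the test does not depend on real env vars.
        env.getPropertySources().addFirst(new MapPropertySource("constructedEnv", vars));
        return env;
    }

    @Test
    void jsonBlobIsMaskedWhenKeyIsInSanitizeList() {
        EnvironmentEndpoint endpoint = new EnvironmentEndpoint(environmentWithJsonVariable());
        // Same effect as management.env.additional-keys-to-sanitize: SPRING_APPLICATION_JSON
        endpoint.keysToSanitize("SPRING_APPLICATION_JSON");

        Object shown = endpoint.environmentEntry("SPRING_APPLICATION_JSON")
                .getProperty()
                .getValue();

        // The whole JSON document is replaced by the sanitizer's mask, so no
        // nested credential inside it can appear in the endpoint output.
        assertThat(shown).isEqualTo("******");
        assertThat(String.valueOf(shown)).doesNotContain("password");
    }
}
```

Running the same test without the `keysToSanitize` call on a version that lacks the fix reproduces the report: the full JSON string comes back unmasked.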

Comment From: mbhave

In 2.6.x, we might be able to make use of the support added in #27840 to sanitize data from the spring.application.json property source if the key matches the configured keysToSanitize or the default ones. However, given that this can expose potentially sensitive information, flagging for team meeting to see if we should do this on the other branches as well.

Comment From: philwebb

We're going to add SPRING_APPLICATION_JSON to the default list.

Comment From: Choobz

Thanks a lot :)