I have an application that bootstraps itself using Vault properties. When I hit the management endpoint, I see the vault properties values printed in plain text. These are expected to be masked.

Sample: in Vault, I have the following:

Path: kv/secret/password

Value at this path:

 user.password: value1
 user.password.previous: value2

In my application I have the following:

import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.vault.annotation.VaultPropertySource;

@Configuration
@VaultPropertySource("kv/secret/password")
public class VaultPropertySourceConfiguration {
}


@ConfigurationProperties(prefix = "user")
public class UserProperties {
    private String password; // bound from user.password

    public String getPassword() { return password; }

    public void setPassword(String password) { this.password = password; }
}

When I run this application, the password field gets populated properly. However, when I hit the Spring management endpoint, I see that user.password is masked but user.password.previous is not; it's in plain text.

Spring Boot version: 2.4.13
Spring Framework version: 5.3.15
Spring Cloud version: 2020.0.5

Comment From: wilkinsona

This is behaving as documented:

Spring Boot uses sensible defaults for such keys: any key ending with the word "password", "secret", "key", "token", "vcap_services", "sun.java.command" is entirely sanitized

The key user.password.previous does not end with password so it is not sanitized.

You can configure the keys that are sanitized using the management.endpoint.env.keys-to-sanitize and management.endpoint.configprops.keys-to-sanitize configuration properties.

We can use this issue to decide if we want to make a change to the defaults.

Also, please note that Spring Boot 2.4.x has been out of its OSS support period since November 2021. Please upgrade to 2.5.x or 2.6.x as soon as possible.

Comment From: turaleck

@wilkinsona I think your suggestion to broaden the default keys to sanitize is a good one. My opinion is that all Vault properties, regardless of their names, should be sanitized. Does the Actuator know that a given property is a Vault property?

Comment From: wilkinsona

Does the Actuator know that a given property is a vault property?

It does not as Boot knows nothing about Vault.

Since Boot 2.6 (https://github.com/spring-projects/spring-boot/issues/27840) you can register your own SanitizingFunction that has more control over what's sanitized. The data that's passed to the function provides access to the property source, which may allow you to identify that it's a Vault property source and sanitise the value irrespective of the key.
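A SanitizingFunction along the lines described above, as an added example that is not from this issue or from Spring Boot itself. It assumes Spring Boot 2.6 or later and recognises Vault-backed property sources by the package of their PropertySource class (a heuristic, not a documented contract): any value coming from such a source is masked, so both user.password and user.password.previous would be hidden regardless of how the key ends.

```java
import org.springframework.boot.actuate.endpoint.SanitizableData;
import org.springframework.boot.actuate.endpoint.SanitizingFunction;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.PropertySource;

@Configuration
public class VaultSanitizingConfiguration {

    // Registered as a bean, the function is picked up by the env and configprops
    // actuator endpoints in addition to the default key-based sanitization.
    @Bean
    public SanitizingFunction vaultSanitizingFunction() {
        return data -> {
            PropertySource<?> source = data.getPropertySource();
            // The property source is null for data that is not tied to a source
            // (e.g. configprops); leave such entries to the default rules.
            if (source != null && isVaultPropertySource(source)) {
                return data.withValue(SanitizableData.SANITIZED_VALUE);
            }
            return data;
        };
    }

    private static boolean isVaultPropertySource(PropertySource<?> source) {
        // Assumption: Spring Vault's @VaultPropertySource registers property sources
        // from org.springframework.vault.core.env, and Spring Cloud Vault registers
        // them from org.springframework.cloud.vault.config. Matching on the package
        // name avoids a compile-time dependency on either class.
        String className = source.getClass().getName();
        return className.startsWith("org.springframework.vault.core.env.")
                || className.startsWith("org.springframework.cloud.vault.");
    }
}
```

Verify the heuristic against your own setup by checking the property source class names listed by the /actuator/env endpoint before relying on it.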

Comment From: turaleck

Thank you @wilkinsona

Comment From: mbhave

If we decide to broaden the rules to match anywhere in the key, I think we'd only want to do it for certain default keys. For example, it would make sense for keys such as password, but a key like key might not always be sensitive (management.endpoint.env.keys-to-sanitize is not a sensitive value.) If we make that distinction, then we'd need some way of configuring that if a user overrides the default keys. I'm in favor of leaving the defaults as is and overriding the keys or providing a custom sanitizing function where appropriate.

Comment From: philwebb

Having discussed this as a team we feel that broadening the rules might sanitize too much. The existing rules are pretty easy to describe and we feel like the properties and SanitizingFunction interface provide enough options for users that want to customize things.