Ensure EnvironmentController does not leak system properties

In the JSON and YAML endpoints system properties and env vars could
leak if the config contains placeholders with default values.
This change explicitly switches off that replacement (making the
JSON and JAML consistent with the properties endpoint).

Fixes gh-480, closes gh-492

pom.xml

@@ -11,7 +11,7 @@
 	<parent>
 		<groupId>org.springframework.cloud</groupId>
 		<artifactId>spring-cloud-build</artifactId>
-		<version>1.2.0.RELEASE</version>
+		<version>1.2.1.BUILD-SNAPSHOT</version>
 		<relativePath/> <!-- lookup parent from repository -->
 	</parent>
 	<scm>

spring-cloud-config-server/src/main/java/org/springframework/cloud/config/server/environment/EnvironmentController.java

@@ -152,7 +152,7 @@ public ResponseEntity<String> labelledJsonProperties(@PathVariable String name,
 			throws Exception {
 		validateProfiles(profiles);
 		Environment environment = labelled(name, profiles, label);
-		Map<String, Object> properties = convertToMap(environment);
+		Map<String, Object> properties = convertToMap(environment, resolvePlaceholders);
 		String json = this.objectMapper.writeValueAsString(properties);
 		if (resolvePlaceholders) {
 			json = resolvePlaceholders(prepareEnvironment(environment), json);
@@ -188,7 +188,7 @@ public ResponseEntity<String> labelledYaml(@PathVariable String name,
 			throws Exception {
 		validateProfiles(profiles);
 		Environment environment = labelled(name, profiles, label);
-		Map<String, Object> result = convertToMap(environment);
+		Map<String, Object> result = convertToMap(environment, resolvePlaceholders);
 		if (this.stripDocument && result.size() == 1
 				&& result.keySet().iterator().next().equals("document")) {
 			Object value = result.get("document");
@@ -208,10 +208,13 @@ public ResponseEntity<String> labelledYaml(@PathVariable String name,
 		return getSuccess(yaml);
 	}
 
-	private Map<String, Object> convertToMap(Environment input) throws BindException {
+	private Map<String, Object> convertToMap(Environment input, boolean resolvePlaceholders) throws BindException {
 		Map<String, Object> target = new LinkedHashMap<>();
 		PropertiesConfigurationFactory<Map<String, Object>> factory = new PropertiesConfigurationFactory<>(
 				target);
+		if (!resolvePlaceholders) {
+			factory.setResolvePlaceholders(false);
+		}
 		Map<String, Object> data = convertToProperties(input);
 		LinkedHashMap<String, Object> properties = new LinkedHashMap<>();
 		for (String key : data.keySet()) {

spring-cloud-config-server/src/test/java/org/springframework/cloud/config/server/environment/EnvironmentControllerTests.java

@@ -138,7 +138,15 @@ public void placeholdersNotResolvedInYamlFromSystemPropertiesWhenNotFlagged() th
 	public void placeholdersNotResolvedInYamlFromSystemPropertiesWhenNotFlaggedWithDefault() throws Exception {
 		whenPlaceholdersSystemPropsWithDefault();
 		String yaml = this.controller.yaml("foo", "bar", false).getBody();
-		// If there is a default value we can't prevent the placeholder being resolved
+		// If there is a default value we prevent the placeholder being resolved
+		assertEquals("a:\n  b:\n    c: ${foo:spam}\n", yaml);
+	}
+
+	@Test
+	public void placeholdersResolvedInYamlFromSystemPropertiesWhenFlagged() throws Exception {
+		whenPlaceholdersSystemPropsWithDefault();
+		String yaml = this.controller.yaml("foo", "bar", true).getBody();
+		// If there is a default value we do not prevent the placeholder being resolved
 		assertEquals("a:\n  b:\n    c: spam\n", yaml);
 	}
 
@@ -335,10 +343,18 @@ public void placeholdersNotResolvedInJsonFromSystemPropertiesWhenNotFlagged() th
 	}
 
 	@Test
-	public void placeholdersResolvedInJsonFromSystemPropertiesWhenNotFlaggedWithDefault() throws Exception {
+	public void placeholdersNotResolvedInJsonFromSystemPropertiesWhenNotFlaggedWithDefault() throws Exception {
 		whenPlaceholdersSystemPropsWithDefault();
 		String json = this.controller.jsonProperties("foo", "bar", false).getBody();
-		// If there is a default value we can't prevent the placeholder being resolved
+		// If there is a default value we do not prevent the placeholder being resolved
+		assertEquals("{\"a\":{\"b\":{\"c\":\"${foo:spam}\"}}}", json);
+	}
+
+	@Test
+	public void placeholdersResolvedInJsonFromSystemPropertiesWhenFlagged() throws Exception {
+		whenPlaceholdersSystemPropsWithDefault();
+		String json = this.controller.jsonProperties("foo", "bar", true).getBody();
+		// If there is a default value we prevent the placeholder being resolved
 		assertEquals("{\"a\":{\"b\":{\"c\":\"spam\"}}}", json);
 	}