sun.java.command is not sanitised by default in env endpoint's response #12796

@agebhar1

Description

By default the actuator /env endpoint sanitizes the values of blacklisted key patterns ("password", "secret", "key", "token", ".credentials.", "vcap_services"). Unfortunately, if you pass arguments on start-up via the command line, the sensitive data is leaked by the endpoint through the JVM property sun.java.command.

A minimal setup can be found here.

Spring Boot 1.5:

$ http :8080/env | jq . | grep redis -A 1 -B 1
    "spring.redis.password": "******"
    "sun.java.command": "target/demo-1.5-0.0.1-SNAPSHOT.jar --spring.redis.password=this-should-be-sanitize

Spring Boot 2.0:

$ http :8080/actuator/env | jq . | grep redis -A 1 -B 1
      "properties": {
        "spring.redis.password": {
          "value": "******"
--
        "sun.java.command": {
          "value": "target/demo-2.0-0.0.1-SNAPSHOT.jar --spring.redis.password=this-should-be-sanitized"
        },

I suggest adding sun.java.command to the default blacklist.
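The mitigation the report asks for, as an added example that is not Spring Boot's own Sanitizer: besides masking values whose key matches the blacklist, it also masks `--key=value` arguments inside the value of sun.java.command when the argument's key matches the same patterns. The class name, the substring matching of the patterns and the argument regex are assumptions of this example.

```java
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Constructed example, not Spring Boot's own Sanitizer: masks values by key pattern
// and additionally masks "--key=value" arguments inside sun.java.command whose key
// matches the same blacklist, so secrets passed on the command line do not leak.
public final class CommandLineSanitizer {

    private static final String MASK = "******";

    // The default key blacklist quoted in the issue, matched here as case-insensitive
    // substrings (an assumption of this example).
    private static final List<String> KEY_PATTERNS = List.of(
            "password", "secret", "key", "token", ".credentials.", "vcap_services");

    // A "--name=value" token; the value runs up to the next whitespace.
    private static final Pattern ARG = Pattern.compile("--([^=\\s]+)=(\\S*)");

    static boolean isSensitiveKey(String key) {
        String lower = key.toLowerCase();
        for (String pattern : KEY_PATTERNS) {
            if (lower.contains(pattern)) {
                return true;
            }
        }
        return false;
    }

    // Returns the value as it should appear in the /env response.
    public static String sanitize(String key, String value) {
        if (value == null) {
            return null;
        }
        if (isSensitiveKey(key)) {
            return MASK;
        }
        if (!"sun.java.command".equals(key)) {
            return value;
        }
        Matcher m = ARG.matcher(value);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String token = isSensitiveKey(m.group(1)) ? "--" + m.group(1) + "=" + MASK : m.group();
            m.appendReplacement(out, Matcher.quoteReplacement(token));
        }
        m.appendTail(out);
        return out.toString();
    }
}
```

Calling `sanitize("sun.java.command", "app.jar --spring.redis.password=x --server.port=8080")` keeps the jar and port arguments but replaces the password value with the mask, while `sanitize("spring.redis.password", "x")` is masked outright as before.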

Labels: type: blocker (an issue that is blocking us from releasing)