Actuator endpoints do not sanitize SPRING_APPLICATION_JSON by default #28045

@Choobz

Description

Hello,

I want to raise to your attention that the property SPRING_APPLICATION_JSON is present in the /env endpoint when used but the values are not sanitized.

There's a workaround available by declaring:

management:
  env:
    additional-keys-to-sanitize: SPRING_APPLICATION_JSON

But to my knowledge it is not documented anywhere.

Since it's a base functionality of Spring Boot, it seems at first glance that it should be either:

  • Completely removed from the /env endpoint (all values are loaded into the app context and present in a sanitized version already)
  • Fully sanitized

For more information, this is our use case:
We use a Vault Agent SideCar to retrieve sensitive information and share it with our main container as a JSON file (standard functionality). That JSON file is loaded into our app with SPRING_APPLICATION_JSON.

There's an attachment with a sample application reproducing the case.

Thanks for your time

demo-json-sanitize.zip
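To make the exposure concrete, here is an added example (not code from Spring Boot or from the reporter's attachment) that models the /env endpoint's key-based sanitization and shows why SPRING_APPLICATION_JSON slips through. It mirrors the documented defaults of management.endpoint.env.keys-to-sanitize in Spring Boot 2.x and their matching rules (a plain keyword masks any key ending with it, a keyword containing regex characters is matched against the whole key, both case-insensitively); the environment map and the secret values in it are constructed for the demonstration and the helper names are my own.

```python
import json
import re

# Documented Spring Boot 2.x defaults for management.endpoint.env.keys-to-sanitize.
DEFAULT_KEYS_TO_SANITIZE = (
    "password", "secret", "key", "token", ".*credentials.*",
    "vcap_services", "sun.java.command",
)
MASK = "******"


def _to_regex(keyword: str) -> str:
    # Spring treats a keyword as a regex when it contains any of * $ ^ +,
    # otherwise it becomes an "ends with" pattern; dots are left unescaped as Spring does.
    if any(ch in keyword for ch in "*$^+"):
        return keyword
    return ".*" + keyword + "$"


def key_is_sanitized(key: str, keywords=DEFAULT_KEYS_TO_SANITIZE) -> bool:
    """True when the /env endpoint would mask the value stored under this key."""
    return any(re.fullmatch(_to_regex(k), key, re.IGNORECASE) for k in keywords)


def sanitize_env(env: dict, additional_keys=()) -> dict:
    """Model of what /env renders: matched keys are masked, everything else is shown raw."""
    keywords = tuple(DEFAULT_KEYS_TO_SANITIZE) + tuple(additional_keys)
    return {k: (MASK if key_is_sanitized(k, keywords) else v) for k, v in env.items()}


def exposed_keys(env: dict, additional_keys=()) -> list:
    """Keys whose raw value would still be visible on /env; a quick self-check for a config."""
    return sorted(k for k, v in sanitize_env(env, additional_keys).items() if v != MASK)


def nested_secret_paths(json_text: str, keywords=DEFAULT_KEYS_TO_SANITIZE) -> list:
    """Dotted property paths inside a JSON blob that Spring would mask if they were
    top-level properties, but which are exposed verbatim when the blob itself is shown."""
    found = []

    def walk(node, prefix):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, f"{prefix}.{k}" if prefix else k)
        elif key_is_sanitized(prefix, keywords):
            found.append(prefix)

    walk(json.loads(json_text), "")
    return sorted(found)


# Constructed sample environment: a sidecar-provided JSON document loaded through
# SPRING_APPLICATION_JSON, next to an ordinary secret-bearing variable and a harmless one.
CONSTRUCTED_ENV = {
    "SPRING_APPLICATION_JSON": json.dumps({
        "spring": {"datasource": {"username": "app", "password": "example-db-password"}},
        "vault": {"token": "example-vault-token"},
    }),
    "DB_PASSWORD": "example-db-password",
    "JAVA_HOME": "/usr/lib/jvm/default",
}

if __name__ == "__main__":
    print("default sanitization exposes:", exposed_keys(CONSTRUCTED_ENV))
    print("secrets hidden inside the JSON:",
          nested_secret_paths(CONSTRUCTED_ENV["SPRING_APPLICATION_JSON"]))
    print("with additional-keys-to-sanitize:",
          exposed_keys(CONSTRUCTED_ENV, ("SPRING_APPLICATION_JSON",)))
```

The point the model makes is that sanitization is keyed on the property name, and the name SPRING_APPLICATION_JSON matches none of the default keywords, so the whole document, nested password and token included, is rendered in clear even though those same keys would be masked as top-level properties. Adding SPRING_APPLICATION_JSON to additional-keys-to-sanitize masks the blob, and exposed_keys is the kind of check worth running against the actual /env output of a deployment to confirm the setting took effect. Note that Spring Boot 3.0 changed the default so that /env does not show values at all unless management.endpoint.env.show-values is configured, which removes this class of exposure on upgrade.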
