Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sanitizer has not default implementation - SB3 #33448

Closed
michael-wirth opened this issue Dec 2, 2022 · 2 comments
Closed

Sanitizer has not default implementation - SB3 #33448

michael-wirth opened this issue Dec 2, 2022 · 2 comments
Labels
status: invalid An issue that we don't feel is valid

Comments

@michael-wirth
Copy link

Sensitive environment properties are not sanitized in SB3

There is no key-based sanitation of environment properties as in SB2.

The default behavior has been removed and I assume it should be replaced with a SanitizingFunction. But there is no registered bean (yet?). Is there something missing or is it on purpose?

Without any registered SanitizingFunction the Sanitizer won't do anything at all.

47effdc#diff-eff1d5fafbb45ff5ee51a9ebb415f157c4949d67c64cd410c981cf5a1f5a5e09L52
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Dec 2, 2022
@philwebb
Copy link
Member

philwebb commented Dec 2, 2022

This is intentional. We found it was impossible to write a SanitizingFunction that would consistently and correctly work against everything. There's this section in the migration guide that explains things, but please let us know if you think it needs fleshing out.

@philwebb philwebb closed this as completed Dec 2, 2022
@philwebb philwebb added status: invalid An issue that we don't feel is valid and removed status: waiting-for-triage An issue we've not yet triaged labels Dec 2, 2022
@scottfrederick
Copy link
Contributor

scottfrederick commented Dec 2, 2022
edited
Loading

Sensitive environment properties are not sanitized in SB3

All environment properties should be santized by default now, unless the property management.endpoint.env.show-values is set to something other than the default as mentioned in the migration guide. If that's not the case for you, please provide a complete minimal sample that reproduces the problem. You can share it with us by pushing it to a separate repository on GitHub or by zipping it and attaching it to this issue.

@wilkinsona wilkinsona closed this as not planned Won't fix, can't repro, duplicate, stale Jan 3, 2023
@wilkinsona wilkinsona mentioned this issue Jan 18, 2024
Closed
@philwebb philwebb mentioned this issue Jan 19, 2024
Open
j-sandy added a commit to j-sandy/kork that referenced this issue Dec 12, 2024
@j-sandy
refactor(spring-security): refactor spring security from 5.x to 6.x w…
c6c627c 
…ith spring boot upgrade to 3.x

While upgrading the spring boot to 3.0.13 and spring cloud 2022.0.5, encountered the below errors during build process of kork-actuator module:
```
> Task :kork-actuator:compileJava FAILED
/kork/kork-actuator/src/main/java/com/netflix/spinnaker/kork/actuator/ActuatorEndpointsConfiguration.java:26: error: cannot find symbol
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
                                                                       ^
  symbol:   class WebSecurityConfigurerAdapter
  location: package org.springframework.security.config.annotation.web.configuration
/kork/kork-actuator/src/main/java/com/netflix/spinnaker/kork/actuator/ActuatorEndpointsConfiguration.java:30: error: cannot find symbol
public class ActuatorEndpointsConfiguration extends WebSecurityConfigurerAdapter {
                                                    ^
  symbol: class WebSecurityConfigurerAdapter
2 errors
```
With spring boot upgrade, spring security also upgrades from 5.x to 6.x. As per the migration [steps](https://www.baeldung.com/spring-security-migrate-5-to-6), `WebSecurityConfigurerAdapter` has been removed. So, it is not required to be extended, instead bean can be registered.

```
> Task :kork-actuator:compileJava FAILED
/kork/kork-actuator/src/main/java/com/netflix/spinnaker/kork/actuator/endpoint/ResolvedEnvironmentEndpoint.java:45: error: invalid method reference
        .ifPresent(sanitizer::setKeysToSanitize);
                   ^
  cannot find symbol
    symbol:   method setKeysToSanitize(T)
    location: class Sanitizer
  where T is a type-variable:
    T extends Object declared in class Optional
/kork/kork-actuator/src/main/java/com/netflix/spinnaker/kork/actuator/endpoint/ResolvedEnvironmentEndpoint.java:56: error: incompatible types: String cannot be converted to SanitizableData
                    return sanitizer.sanitize(property, environment.getProperty(property));
                                              ^
Note: Some messages have been simplified; recompile with -Xdiags:verbose to get full output
2 errors
```
In spring boot 3, changes are introduced in sanitization of actuator [endpoints](https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-3.0-Migration-Guide#actuator-endpoints-sanitization).
Default `Sanitizer` implementation has been removed and replaced with `SanitizingFunction`.
spring-projects/spring-boot#33448
spring-projects/spring-boot#39243
spring-projects/spring-boot#32156
So, added the `ActuatorSanitizingFunction` class to provide the default implementation of `SanitizingFunction`.
j-sandy added a commit to j-sandy/kork that referenced this issue Dec 17, 2024
@j-sandy
refactor(spring-security): refactor spring security from 5.x to 6.x w…
e26b1a2 
…ith spring boot upgrade to 3.x

While upgrading the spring boot to 3.0.13 and spring cloud 2022.0.5, encountered the below errors during build process of kork-actuator module:
```
> Task :kork-actuator:compileJava FAILED
/kork/kork-actuator/src/main/java/com/netflix/spinnaker/kork/actuator/ActuatorEndpointsConfiguration.java:26: error: cannot find symbol
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
                                                                       ^
  symbol:   class WebSecurityConfigurerAdapter
  location: package org.springframework.security.config.annotation.web.configuration
/kork/kork-actuator/src/main/java/com/netflix/spinnaker/kork/actuator/ActuatorEndpointsConfiguration.java:30: error: cannot find symbol
public class ActuatorEndpointsConfiguration extends WebSecurityConfigurerAdapter {
                                                    ^
  symbol: class WebSecurityConfigurerAdapter
2 errors
```
With spring boot upgrade, spring security also upgrades from 5.x to 6.x. As per the migration [steps](https://www.baeldung.com/spring-security-migrate-5-to-6), `WebSecurityConfigurerAdapter` has been removed. So, it is not required to be extended, instead bean can be registered.

```
> Task :kork-actuator:compileJava FAILED
/kork/kork-actuator/src/main/java/com/netflix/spinnaker/kork/actuator/endpoint/ResolvedEnvironmentEndpoint.java:45: error: invalid method reference
        .ifPresent(sanitizer::setKeysToSanitize);
                   ^
  cannot find symbol
    symbol:   method setKeysToSanitize(T)
    location: class Sanitizer
  where T is a type-variable:
    T extends Object declared in class Optional
/kork/kork-actuator/src/main/java/com/netflix/spinnaker/kork/actuator/endpoint/ResolvedEnvironmentEndpoint.java:56: error: incompatible types: String cannot be converted to SanitizableData
                    return sanitizer.sanitize(property, environment.getProperty(property));
                                              ^
Note: Some messages have been simplified; recompile with -Xdiags:verbose to get full output
2 errors
```
In spring boot 3, changes are introduced in sanitization of actuator [endpoints](https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-3.0-Migration-Guide#actuator-endpoints-sanitization).
Default `Sanitizer` implementation has been removed and replaced with `SanitizingFunction`.
spring-projects/spring-boot#33448
spring-projects/spring-boot#39243
spring-projects/spring-boot#32156
So, added the `ActuatorSanitizingFunction` class to provide the default implementation of `SanitizingFunction`.
@j-sandy j-sandy mentioned this issue Dec 19, 2024
Draft
j-sandy added a commit to j-sandy/kork that referenced this issue Dec 19, 2024
@j-sandy
refactor(spring-security): refactor spring security from 5.x to 6.x w…
9c5068b 
…ith spring boot upgrade to 3.x

While upgrading the spring boot to 3.0.13 and spring cloud 2022.0.5, encountered the below errors during build process of kork-actuator module:
```
> Task :kork-actuator:compileJava FAILED
/kork/kork-actuator/src/main/java/com/netflix/spinnaker/kork/actuator/ActuatorEndpointsConfiguration.java:26: error: cannot find symbol
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
                                                                       ^
  symbol:   class WebSecurityConfigurerAdapter
  location: package org.springframework.security.config.annotation.web.configuration
/kork/kork-actuator/src/main/java/com/netflix/spinnaker/kork/actuator/ActuatorEndpointsConfiguration.java:30: error: cannot find symbol
public class ActuatorEndpointsConfiguration extends WebSecurityConfigurerAdapter {
                                                    ^
  symbol: class WebSecurityConfigurerAdapter
2 errors
```
With spring boot upgrade, spring security also upgrades from 5.x to 6.x. As per the migration [steps](https://www.baeldung.com/spring-security-migrate-5-to-6), `WebSecurityConfigurerAdapter` has been removed. So, it is not required to be extended, instead bean can be registered.

```
> Task :kork-actuator:compileJava FAILED
/kork/kork-actuator/src/main/java/com/netflix/spinnaker/kork/actuator/endpoint/ResolvedEnvironmentEndpoint.java:45: error: invalid method reference
        .ifPresent(sanitizer::setKeysToSanitize);
                   ^
  cannot find symbol
    symbol:   method setKeysToSanitize(T)
    location: class Sanitizer
  where T is a type-variable:
    T extends Object declared in class Optional
/kork/kork-actuator/src/main/java/com/netflix/spinnaker/kork/actuator/endpoint/ResolvedEnvironmentEndpoint.java:56: error: incompatible types: String cannot be converted to SanitizableData
                    return sanitizer.sanitize(property, environment.getProperty(property));
                                              ^
Note: Some messages have been simplified; recompile with -Xdiags:verbose to get full output
2 errors
```
In spring boot 3, changes are introduced in sanitization of actuator [endpoints](https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-3.0-Migration-Guide#actuator-endpoints-sanitization).
Default `Sanitizer` implementation has been removed and replaced with `SanitizingFunction`.
spring-projects/spring-boot#33448
spring-projects/spring-boot#39243
spring-projects/spring-boot#32156
So, added the `ActuatorSanitizingFunction` class to provide the default implementation of `SanitizingFunction`.
j-sandy added a commit to j-sandy/kork that referenced this issue Dec 19, 2024
@j-sandy
refactor(spring-security): refactor spring security from 5.x to 6.x w…
5d5bdc3 
…ith spring boot upgrade to 3.x

While upgrading the spring boot to 3.0.13 and spring cloud 2022.0.5, encountered the below errors during build process of kork-actuator module:
```
> Task :kork-actuator:compileJava FAILED
/kork/kork-actuator/src/main/java/com/netflix/spinnaker/kork/actuator/ActuatorEndpointsConfiguration.java:26: error: cannot find symbol
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
                                                                       ^
  symbol:   class WebSecurityConfigurerAdapter
  location: package org.springframework.security.config.annotation.web.configuration
/kork/kork-actuator/src/main/java/com/netflix/spinnaker/kork/actuator/ActuatorEndpointsConfiguration.java:30: error: cannot find symbol
public class ActuatorEndpointsConfiguration extends WebSecurityConfigurerAdapter {
                                                    ^
  symbol: class WebSecurityConfigurerAdapter
2 errors
```
With spring boot upgrade, spring security also upgrades from 5.x to 6.x. As per the migration [steps](https://www.baeldung.com/spring-security-migrate-5-to-6), `WebSecurityConfigurerAdapter` has been removed. So, it is not required to be extended, instead bean can be registered.

```
> Task :kork-actuator:compileJava FAILED
/kork/kork-actuator/src/main/java/com/netflix/spinnaker/kork/actuator/endpoint/ResolvedEnvironmentEndpoint.java:45: error: invalid method reference
        .ifPresent(sanitizer::setKeysToSanitize);
                   ^
  cannot find symbol
    symbol:   method setKeysToSanitize(T)
    location: class Sanitizer
  where T is a type-variable:
    T extends Object declared in class Optional
/kork/kork-actuator/src/main/java/com/netflix/spinnaker/kork/actuator/endpoint/ResolvedEnvironmentEndpoint.java:56: error: incompatible types: String cannot be converted to SanitizableData
                    return sanitizer.sanitize(property, environment.getProperty(property));
                                              ^
Note: Some messages have been simplified; recompile with -Xdiags:verbose to get full output
2 errors
```
In spring boot 3, changes are introduced in sanitization of actuator [endpoints](https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-3.0-Migration-Guide#actuator-endpoints-sanitization).
Default `Sanitizer` implementation has been removed and replaced with `SanitizingFunction`.
spring-projects/spring-boot#33448
spring-projects/spring-boot#39243
spring-projects/spring-boot#32156
So, added the `ActuatorSanitizingFunction` class to provide the default implementation of `SanitizingFunction`.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
status: invalid An issue that we don't feel is valid
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@scottfrederick @philwebb @wilkinsona @michael-wirth @spring-projects-issues