Sanitize sun.java.command by default

Closes gh-12796

Author: wilkinsona

spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Sanitizer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2016 the original author or authors.
+ * Copyright 2012-2018 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -36,7 +36,8 @@ class Sanitizer {
 	private Pattern[] keysToSanitize;
 
 	Sanitizer() {
-		this("password", "secret", "key", "token", ".*credentials.*", "vcap_services");
+		this("password", "secret", "key", "token", ".*credentials.*", "vcap_services",
+				"sun.java.command");
 	}
 
 	Sanitizer(String... keysToSanitize) {

spring-boot-actuator/src/main/resources/META-INF/additional-spring-configuration-metadata.json

@@ -20,7 +20,8 @@
       "key",
       "token",
       ".*credentials.*",
-      "vcap_services"
+      "vcap_services",
+      "sun.java.command"
     ]
   },
   {
@@ -44,7 +45,8 @@
       "key",
       "token",
       ".*credentials.*",
-      "vcap_services"
+      "vcap_services",
+      "sun.java.command"
     ]
   },
   {

spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/EnvironmentEndpointTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2017 the original author or authors.
+ * Copyright 2012-2018 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -92,6 +92,10 @@ public void testKeySanitization() throws Exception {
 		assertThat(systemProperties.get("mySecret")).isEqualTo("******");
 		assertThat(systemProperties.get("myCredentials")).isEqualTo("******");
 		assertThat(systemProperties.get("VCAP_SERVICES")).isEqualTo("******");
+		Object command = systemProperties.get("sun.java.command");
+		if (command != null) {
+			assertThat(command).isEqualTo("******");
+		}
 		clearSystemProperties("dbPassword", "apiKey", "mySecret", "myCredentials");
 	}
 

spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/SanitizerTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2016 the original author or authors.
+ * Copyright 2012-2018 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -39,6 +39,8 @@ public void defaults() throws Exception {
 		assertThat(sanitizer.sanitize("token", "secret")).isEqualTo("******");
 		assertThat(sanitizer.sanitize("sometoken", "secret")).isEqualTo("******");
 		assertThat(sanitizer.sanitize("find", "secret")).isEqualTo("secret");
+		assertThat(sanitizer.sanitize("sun.java.command",
+				"--spring.redis.password=pa55w0rd")).isEqualTo("******");
 	}
 
 	@Test