I am setting up a Spring Cloud Configuration Server. Just a few dependencies and an annotation. The source of properties comes from git. The server has the actuator enabled with default basic settings. I am surprised that the actuator unexpectedly reacts to any (even nonexistent) endpoints and reveals the full environment (git property source), which is also used to store secrets.
pom dependencies:
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.3</version>
    <relativePath /> <!-- lookup parent from repository -->
</parent>
<groupId>cz.leveland</groupId>
<artifactId>actutest</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>actutest</name>
<description>Actuator test</description>
<properties>
    <java.version>11</java.version>
    <spring-cloud.version>2021.0.3</spring-cloud.version>
</properties>
<dependencies>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-config-server</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-actuator</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
    </dependency>
</dependencies>
application.properties:
server:
  port: 8080
spring:
  application:
    name: CONFIG-SERVER
  cloud:
    config:
      server:
        git:
          uri: https://bitbucket.org/repo-name/actuator-test
          clone-on-start: true
          username: repouser
          password: xxxxxxxxxx
          default-label: master
encrypt:
  keyStore:
    location: classpath:/server2.jks
    password: letmein
    alias: mytestkey
    secret: letmein
management:
  endpoints:
    web:
      exposure:
        include: "health"
Spring application:
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.config.server.EnableConfigServer;

// Enabling the config server registers its /{application}/{profile} request mappings
@EnableConfigServer
@SpringBootApplication
public class ActutestApplication {
    public static void main(String[] args) {
        SpringApplication.run(ActutestApplication.class, args);
    }
}
The application.properties in git contains an encrypted password:
spring.datasource.username=admin
spring.datasource.password={cipher}AQA50Mh4...
NOW THE PROBLEM
The server responds to ANY actuator endpoint like .../actuator/foo-bar and always returns the full git property source (example below).
When I remove @EnableConfigServer annotation the actuator starts working as expected. So this "feature" must be activated with spring cloud config server.
Server response to .../actuator/foo-bar:
{
  "name": "actuator",
  "profiles": [
    "foo-bar"
  ],
  "label": null,
  "version": "da200e047354e889e6503b10cbb9cbbc7e3dbb28",
  "state": null,
  "propertySources": [
    {
      "name": "https://bitbucket.org/repo-name/actuator-test/application.properties",
      "source": {
        "spring.datasource.username": "admin",
        "spring.datasource.password": "secret-password"
      }
    }
  ]
}
I must be doing something terribly wrong, or is this a security bug?
Thank you for helping me.
Test project https://github.com/Klapsa2503/actuator-test
Actuator metrics not working
Change
management:
  endpoints:
    web:
      exposure:
        include: "health"
to
management:
  endpoints:
    web:
      exposure:
        include: "health,metrics"
so metrics are exposed and http://localhost:8080/actuator/metrics is working.
Endpoint leaking properties
By default, Spring Cloud Config exposes the default properties from application.properties in your config repository. Spring Cloud Config Server has a strict naming convention that you should follow to prevent that. See https://www.baeldung.com/spring-cloud-configuration
Just change application.yml to something different and those properties will not be exposed.
Tried to find the code responsible for fetching those configs and the logic behind it, but simply don't have time for this: ConfigDataEnvironment::processAndApply
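To make the behaviour in the question and the two ways of stopping it concrete, here is an added example (not code from the question, the answer, or Spring itself): a simplified Python model of how an unprefixed config server's `/{application}/{profile}[/{label}]` mapping catches any actuator path the actuator itself does not know, and what changes when the repository file is renamed from `application.properties` to a per-application file (the answer's naming-convention point) or when `spring.cloud.config.server.prefix` is set (a separate setting the answer does not mention). The repository content, the `my-client` application name and the `/config` prefix value are constructed for the illustration, and the routing rules are a simplification of Spring's documented behaviour.

```python
"""Simplified model of request routing on a Spring Cloud Config Server with
Actuator enabled. Added example; the rules below are simplified from Spring's
documented behaviour and the repository content is constructed."""
import re
from dataclasses import dataclass, field

# Constructed sample of the git-backed config repository: file name -> properties.
SAMPLE_REPO = {
    "application.properties": {
        "spring.datasource.username": "admin",
        "spring.datasource.password": "{cipher}AQA50Mh4...",
    },
}


@dataclass
class ConfigServer:
    # Mirrors spring.cloud.config.server.prefix; "" is the default (no prefix).
    prefix: str = ""
    repo: dict = field(default_factory=lambda: dict(SAMPLE_REPO))


def actuator_paths(exposed=("health",)):
    """Exact paths the actuator handler mapping answers for the exposed endpoints."""
    return {f"/actuator/{name}" for name in exposed}


def config_route(prefix):
    """The config server's /{application}/{profile}[/{label}] mapping under an optional prefix."""
    return re.compile(
        rf"^{re.escape(prefix)}/(?P<application>[^/]+)/(?P<profile>[^/]+)(?:/(?P<label>[^/]+))?$"
    )


def property_sources(repo, application, profile):
    """Files the server serves for an application/profile pair (simplified):
    application.* applies to every application, {application}.* only to that one."""
    bases = [f"{application}-{profile}", application, f"application-{profile}", "application"]
    found = []
    for base in bases:
        for ext in ("properties", "yml"):
            name = f"{base}.{ext}"
            if name in repo:
                found.append({"name": name, "source": repo[name]})
    return found


def route(path, server, exposed=("health",)):
    """Dispatch one request. The actuator mapping is consulted first (it is ordered
    before the MVC request mappings) but only knows exact endpoint paths; anything
    else falls through to the config server's templated route, then to 404."""
    if path in actuator_paths(exposed):
        return {"handler": "actuator", "status": 200}
    match = config_route(server.prefix).match(path)
    if match:
        app, profile = match.group("application"), match.group("profile")
        return {
            "handler": "config-server",
            "status": 200,
            "name": app,
            "profiles": [profile],
            "propertySources": property_sources(server.repo, app, profile),
        }
    return {"handler": None, "status": 404}


def leaks_repo_properties(response):
    """True when a response is an environment document carrying at least one property.
    Usable as a self-check over a real response body from your own server."""
    return any(ps["source"] for ps in response.get("propertySources", []))


if __name__ == "__main__":
    default = ConfigServer()
    print("default  /actuator/foo-bar ->", route("/actuator/foo-bar", default))
    # Answer's approach: a per-application file no longer matches application "actuator".
    renamed = ConfigServer(repo={"my-client.properties": SAMPLE_REPO["application.properties"]})
    print("renamed  /actuator/foo-bar ->", route("/actuator/foo-bar", renamed))
    # Additional approach: a prefix moves the templated route away from /actuator entirely.
    prefixed = ConfigServer(prefix="/config")
    print("prefixed /actuator/foo-bar ->", route("/actuator/foo-bar", prefixed))
    print("prefixed /config/my-client/prod ->", route("/config/my-client/prod", prefixed))
```

With the default settings the model reproduces the question: `/actuator/foo-bar` is parsed as application `actuator`, profile `foo-bar`, and the shared `application.properties` is returned. Renaming the repository file to `my-client.properties` empties the property sources for that request, but the config server still answers it; setting the prefix makes the unknown actuator path a plain 404 while `/config/my-client/prod` keeps serving clients. The model ignores the `.properties`/`.yml`/`.json` suffix routes and the decryption of `{cipher}` values, which the real server performs by default.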