1

I am setting up a Spring Cloud Configuration Server. Just few dependencies and an annotation. The source of properties comes from git. Server has the actuator enabled with default basic settings. I am surprised that the actuator unexpectedly reacts to any (even nonexisting endpoints) and reveals full environment (git property source) which is also used to store secrets.

pom dependencies:

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.7.3</version>
        <relativePath /> <!-- lookup parent from repository -->
    </parent>
    <groupId>cz.leveland</groupId>
    <artifactId>actutest</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>actutest</name>
    <description>Actuator test</description>
    <properties>
        <java.version>11</java.version>
        <spring-cloud.version>2021.0.3</spring-cloud.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-config-server</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>

application.properties:

server:
  port: 8080

spring:
  application:
    name: CONFIG-SERVER
  cloud:
    config:
      server:
        git:
          uri: https://bitbucket.org/repo-name/actuator-test
          clone-on-start: true
          username: repouser
          password: xxxxxxxxxx
          default-label: master

encrypt:
  keyStore:
    location: classpath:/server2.jks
    password: letmein
    alias: mytestkey
    secret: letmein


management:
  endpoints:
    web:
      exposure:
        include: "health"

Spring application:

@EnableConfigServer
@SpringBootApplication
public class ActutestApplication {

    public static void main(String[] args) {
        SpringApplication.run(ActutestApplication.class, args);
    }

}

git application.properties contains encoded password:

spring.datasource.username=admin
spring.datasource.password={cipher}AQA50Mh4...

NOW THE PROBLEM

The server responds to ANY actuator endpoint like .../actuator/foo-bar and always returns the full git property source (example bellow).

When I remove @EnableConfigServer annotation the actuator starts working as expected. So this "feature" must be activated with spring cloud config server.

Server response to .../actuator/foo-bar:

{
  "name": "actuator",
  "profiles": [
    "foo-bar"
  ],
  "label": null,
  "version": "da200e047354e889e6503b10cbb9cbbc7e3dbb28",
  "state": null,
  "propertySources": [
    {
      "name": "https://bitbucket.org/repo-name/actuator-test/application.properties",
      "source": {
        "spring.datasource.username": "admin",
        "spring.datasource.password": "secret-password"
      }
    }
  ]
}

I must be doing something terribly wrong or is this a security bug?

Thank you for helping me.

RomanDeveloper
  • 15
  • 5

1 Answers1

0

Test project https://github.com/Klapsa2503/actuator-test

Actuator metrics not working

Change

management:
  endpoints:
    web:
      exposure:
        include: "health"

to

management:
  endpoints:
    web:
      exposure:
        include: "health,metrics"

so metrics are exposed and http://localhost:8080/actuator/metrics working

Endpoint leaking properties

By default spring config is exposing default properties from application.properties from your config repository. Spring config server has a strict naming convention that you should follow to prevent that. See https://www.baeldung.com/spring-cloud-configuration

Just change application.yml to something different and those properties will not be exposed.

Tried to find the code responsible for fetching those configs and the logic behind it but simply don't have time for this ConfigDataEnvironment::processAndApply

Klapsa2503
  • 829
  • 10
  • 33
  • Thanks a lot! The cause was really wrong naming of the config file, I used application.properties not following the naming convention!!! – RomanDeveloper Oct 04 '22 at 15:42