Handle invalid regex pattern in EnvironmentEndpoint

dlwldnjs1009 · dlwldnjs1009 · commit 7c2474f2b38d · 2026-04-07T22:00:34.000+09:00
Closes gh-49884 Signed-off-by: Lee JiWon <dlwldnjs1009@gmail.com>
diff --git a/module/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/env/EnvironmentEndpoint.java b/module/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/env/EnvironmentEndpoint.java
@@ -23,11 +23,13 @@
 import java.util.Map;
 import java.util.function.Predicate;
 import java.util.regex.Pattern;
+import java.util.regex.PatternSyntaxException;
 import java.util.stream.Stream;
 
 import com.fasterxml.jackson.annotation.JsonInclude;
 import org.jspecify.annotations.Nullable;
 
+import org.springframework.boot.actuate.endpoint.InvalidEndpointRequestException;
 import org.springframework.boot.actuate.endpoint.OperationResponseBody;
 import org.springframework.boot.actuate.endpoint.SanitizableData;
 import org.springframework.boot.actuate.endpoint.Sanitizer;
@@ -87,11 +89,21 @@ public EnvironmentDescriptor environment(@Nullable String pattern) {
 
 	EnvironmentDescriptor getEnvironmentDescriptor(@Nullable String pattern, boolean showUnsanitized) {
 		if (StringUtils.hasText(pattern)) {
-			return getEnvironmentDescriptor(Pattern.compile(pattern).asPredicate(), showUnsanitized);
+			return getEnvironmentDescriptor(getPatternPredicate(pattern), showUnsanitized);
 		}
 		return getEnvironmentDescriptor((name) -> true, showUnsanitized);
 	}
 
+	private Predicate<String> getPatternPredicate(String pattern) {
+		try {
+			return Pattern.compile(pattern).asPredicate();
+		}
+		catch (PatternSyntaxException ex) {
+			throw new InvalidEndpointRequestException("Pattern '" + pattern + "' is not a valid regular expression",
+					ex.getMessage());
+		}
+	}
+
 	private EnvironmentDescriptor getEnvironmentDescriptor(Predicate<String> propertyNamePredicate,
 			boolean showUnsanitized) {
 		List<PropertySourceDescriptor> propertySources = new ArrayList<>();
diff --git a/module/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/env/EnvironmentEndpointTests.java b/module/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/env/EnvironmentEndpointTests.java
@@ -28,6 +28,7 @@
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.Test;
 
+import org.springframework.boot.actuate.endpoint.InvalidEndpointRequestException;
 import org.springframework.boot.actuate.endpoint.Show;
 import org.springframework.boot.actuate.env.EnvironmentEndpoint.EnvironmentDescriptor;
 import org.springframework.boot.actuate.env.EnvironmentEndpoint.EnvironmentEntryDescriptor;
@@ -50,6 +51,7 @@
 import org.springframework.mock.env.MockPropertySource;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 
 /**
  * Tests for {@link EnvironmentEndpoint}.
@@ -71,6 +73,14 @@ void close() {
 		System.clearProperty("VCAP_SERVICES");
 	}
 
+	@Test
+	void invalidPatternThrowsInvalidEndpointRequestException() {
+		ConfigurableEnvironment environment = emptyEnvironment();
+		EnvironmentEndpoint endpoint = new EnvironmentEndpoint(environment, Collections.emptyList(), Show.ALWAYS);
+		assertThatExceptionOfType(InvalidEndpointRequestException.class).isThrownBy(() -> endpoint.environment("["))
+			.withMessageContaining("Pattern '[' is not a valid regular expression");
+	}
+
 	@Test
 	void basicResponse() {
 		ConfigurableEnvironment environment = emptyEnvironment();
