Skip to content

500 response from env endpoint when supplied pattern is invalid #49884

@dlwldnjs1009

Description

@dlwldnjs1009

EnvironmentEndpoint passes the user-supplied pattern directly to
Pattern.compile(...) when building the predicate used to filter property
names.

As a result, an invalid regex such as GET /actuator/env?pattern=[ appears to
raise a PatternSyntaxException before the request can be translated into the
actuator's usual bad-request path.

The actuator MVC and WebFlux handler mappings currently translate
InvalidEndpointRequestException into 400 Bad Request, but that path does
not seem to be used here.

Other actuator endpoints already use InvalidEndpointRequestException for
invalid user input. For example, MetricsEndpoint#parseTag does this for
malformed tag parameters.

A similar issue was addressed in gh-9730, where the approach was a try-catch
fallback because the value came from a path variable and the user's intent was
ambiguous. Now that pattern is an explicit query parameter, wrapping the
error in an InvalidEndpointRequestException might be more appropriate.

Steps to reproduce:

  1. Start any Spring Boot application with the env actuator endpoint exposed
  2. Send GET /actuator/env?pattern=[
  3. Observe that the invalid pattern does not appear to be handled as a bad
    request

Relevant locations:

  • module/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/env/EnvironmentEndpoint.java
  • module/spring-boot-webmvc/src/main/java/org/springframework/boot/webmvc/actuate/endpoint/web/AbstractWebMvcEndpointHandlerMapping.java
  • module/spring-boot-webflux/src/main/java/org/springframework/boot/webflux/actuate/endpoint/web/AbstractWebFluxEndpointHandlerMapping.java
  • module/spring-boot-micrometer-metrics/src/main/java/org/springframework/boot/micrometer/metrics/actuate/endpoint/MetricsEndpoint.java

Spring Boot version: current main branch
I believe this also affects 3.5.x as the same code path is shared there.

If this looks like a bug, I can put together a small PR.

Metadata

Metadata

Assignees

Labels

status: supersededAn issue that has been superseded by anothertype: bugA general bug

Type

No type
No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions