[
https://issues.apache.org/jira/browse/SCM-817?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15134694#comment-15134694
]
ASF GitHub Bot commented on SCM-817:
------------------------------------
GitHub user eddiewebb opened a pull request:
https://github.com/apache/maven-scm/pull/44
#resolves SCM-817 by encoding password before replace
This resolves https://issues.apache.org/jira/browse/SCM-817 by encoding the
password before trying to match against the pre-encoded URL.
Before this commit, any passwords with special characters would print the
encoded value.
```
[INFO] Change the default 'git' provider implementation to 'jgit'.
[INFO] fetch url: eddie:secr%24t@https//git.somesite.com/repo.git
[INFO] push url: eddie:secr%24t@https//git.somesite.com/repo.git
```
After this commit all passwords will be masked.
```
[INFO] Change the default 'git' provider implementation to 'jgit'.
[INFO] fetch url: eddie:******@https//git.somesite.com/repo.git
[INFO] push url: eddie:******@https//git.somesite.com/repo.git
```
I could not find any tests related specifically to security or masking; if
there are tests I can expand, please provide direction!
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/Libertymutual/maven-scm master
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/maven-scm/pull/44.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #44
----
commit 3aaad27f41cc2d51759cd895f7c269cb60cf3b35
Author: EDWARD WEBB <[email protected]>
Date: 2016-02-05T17:46:32Z
#resolves SCM-817 by encoding password before replace
----
> Jgit provider exposes password if it contains special characters
> ----------------------------------------------------------------
>
> Key: SCM-817
> URL: https://issues.apache.org/jira/browse/SCM-817
> Project: Maven SCM
> Issue Type: Bug
> Components: maven-scm-provider-git
> Affects Versions: 1.9.4
> Reporter: Paul Vonnahme
> Labels: easyfix, security
>
> The jgit provider attempts to mask the password:
> {code:java}
> String password = StringUtils.isNotBlank( repository.getPassword() ) ?
>     repository.getPassword().trim() : "no-pwd-defined";
> logger.info( "fetch url: " + repository.getFetchUrl().replace( password, "******" ) );
> logger.info( "push url: " + repository.getPushUrl().replace( password, "******" ) );
> {code}
> from
> https://github.com/apache/maven-scm/blob/maven-scm-1.9.4/maven-scm-providers/maven-scm-providers-git/maven-scm-provider-jgit/src/main/java/org/apache/maven/scm/provider/git/jgit/command/JGitUtils.java#L134
> However, the password in the fetchUrl/pushUrl is encoded, while the
> replacement is not. If the password text changes as part of the encoding, the
> replace doesn't work. The new logic should be something like this:
> {code:java}
> String password = StringUtils.isNotBlank( repository.getPassword() ) ?
>     repository.getPassword().trim() : "no-pwd-defined";
> try {
>     password = URLEncoder.encode( password, "UTF-8" );
> } catch ( UnsupportedEncodingException e ) {
>     // UTF-8 should be valid
>     e.printStackTrace();
> }
> logger.info( "fetch url: " + repository.getFetchUrl().replace( password, "******" ) );
> logger.info( "push url: " + repository.getPushUrl().replace( password, "******" ) );
> {code}
> To match the way that the password is encoded when it is added to the URL:
> https://github.com/apache/maven-scm/blob/e59eec4e5f66a4bf34144a500899b2114b5e2e4e/maven-scm-providers/maven-scm-providers-git/maven-scm-provider-git-commons/src/main/java/org/apache/maven/scm/provider/git/repository/GitScmProviderRepository.java#L297
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
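An added, self-contained example (not maven-scm code) that puts the pre-fix masking next to the masking proposed in SCM-817, run against a constructed URL in the layout of the log lines quoted above. It assumes the URL builder encodes the password with `URLEncoder` (UTF-8), as the proposed fix does; if the builder used a different encoder (for example `%20` rather than `+` for a space), the masking side must use that same encoder, or the encoded forms will still not match.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

/** Hypothetical helper class, not part of the maven-scm code base. */
public final class PasswordMasker {

    private static final String MASK = "******";

    /** Mirrors the existing maven-scm logic: a blank password becomes a sentinel. */
    static String effectivePassword(String password) {
        return (password != null && !password.trim().isEmpty())
                ? password.trim() : "no-pwd-defined";
    }

    /** Pre-fix behaviour: only the raw password is replaced, so an
     *  encoded password such as secr%24t survives in the log line. */
    static String maskRawOnly(String url, String password) {
        return url.replace(effectivePassword(password), MASK);
    }

    /** Post-fix behaviour: replace the URL-encoded form (assumed to be
     *  produced with URLEncoder, UTF-8) and then the raw form as well, so a
     *  URL that was built without encoding is still masked. */
    static String mask(String url, String password) {
        String pwd = effectivePassword(password);
        String encoded;
        try {
            encoded = URLEncoder.encode(pwd, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            // UTF-8 is mandatory for every JVM; failing loudly beats a silent leak.
            throw new IllegalStateException("UTF-8 unsupported", e);
        }
        // Encoded form first: it is never shorter than the raw form, so masking
        // it cannot leave a partial encoded fragment behind for the raw pass.
        return url.replace(encoded, MASK).replace(pwd, MASK);
    }

    public static void main(String[] args) {
        // Constructed sample values in the layout of the quoted log lines.
        String password = "secr$t";
        String url = "eddie:secr%24t@https//git.somesite.com/repo.git";
        System.out.println("pre-fix : " + maskRawOnly(url, password));
        System.out.println("post-fix: " + mask(url, password));
    }
}
```

Running `main` shows the pre-fix line still containing `secr%24t` and the post-fix line containing only the mask.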