[ 
https://issues.apache.org/jira/browse/MNG-5992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15285755#comment-15285755
 ] 

Ryan J. McDonough commented on MNG-5992:
----------------------------------------

Of course. In my projects we're doing exactly that, but only after we started 
seeing this issue. But as you should be well aware, not every project inherits 
from a parent pom.xml, and not every project will assert explicit versions. 
While yes, best practices should remedy this, the defaults will put users 
at risk. 

More importantly, this issue is *not* exclusive to the 
{{maven-git-commit-id-plugin}}. If you look closer at the linked project on 
GitHub, you'd see exactly this. 
The Maven Release Plugin alone will happily print out your credentials in 
Maven's output when you use HTTPS Git URLs. Given how Jenkins, Cloudbees, 
TravisCI, etc. all display Maven's output as part of the build results, your 
credentials will be displayed right there. If you're talking about public 
projects that use public CI tools, you're at risk. 

It's easy to point blame at the user for not following best practices, but most 
users will obliviously use the defaults. It'd be great if the defaults could 
use the safest options available. 

> Git passwords are exposed as the Super POM still uses Maven Release Plugin 
> 2.3.2
> --------------------------------------------------------------------------------
>
>                 Key: MNG-5992
>                 URL: https://issues.apache.org/jira/browse/MNG-5992
>             Project: Maven
>          Issue Type: Improvement
>          Components: Bootstrap & Build, Plugins and Lifecycle, POM
>    Affects Versions: 3.3.3, 3.3.9
>         Environment: All
>            Reporter: Ryan J. McDonough
>            Priority: Critical
>              Labels: security
>             Fix For: waiting-for-feedback
>
>
> The super POM defines version 2.3.2 of the Maven Release plugin. When using 
> HTTP/HTTPS Git SCM URIs, Maven will print out the password in the logs. Thus, 
> any CI system such as Jenkins, TravisCI, etc. will have the passwords exposed 
> in the logs and in the console output. In the case of TravisCI, this will be 
> publicly visible. 
> The [Maven Release Plugin fixed this issue in 
> MRELEASE-846|https://issues.apache.org/jira/browse/MRELEASE-846], but Maven 
> core is still pointing at an exposed version of the Maven Release plugin. I 
> have a test case that demonstrates the issue here:
> https://github.com/damnhandy/maven-publish-issue
> If you run the same build and explicitly define 2.5.3, the password is no 
> longer displayed. This should be the default. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
