[jira] [Commented] (SCM-763) Password masking for svnexe does not handle all cases

Wed, 11 Jun 2025 20:41:56 -0700 


    [ 
https://issues.apache.org/jira/browse/SCM-763?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17962905#comment-17962905
 ] 

ASF GitHub Bot commented on SCM-763:
------------------------------------

jira-importer commented on issue #970:
URL: https://github.com/apache/maven-scm/issues/970#issuecomment-2964636669

   **[Weston 
Bustraan](https://issues.apache.org/jira/secure/ViewProfile.jspa?name=wbustraan)**
 commented
   
   This also occurs on Macs.
   
   The culprit is actually 
`org.apache.maven.scm.provider.svn.svnexe.command.SvnCommandLineUtils.cryptPassword(Commandline)`
   
   It has a rather... naïve, to be polite, implementation of the password 
masking. It only works if there is _exactly_ one space after `--password`. Any 
other condition and the password is not masked.
   
   So, if the command line string is this:
   
   ```
   svn --username myusername --password swordfish --no-auth-cache 
--non-interactive --trust-server-cert info
   ```
   
   ... the output is:
   
   ```
   svn --username myusername --password '*****' --no-auth-cache 
--non-interactive --trust-server-cert info
   ```
   
   However, it appears that, at some point, a change was made elsewhere that 
wraps everything in quotes on *nix OSes:
   
   ```
   'svn' '--username' 'myusername' '--password' 'swordfish' '--no-auth-cache' 
'--non-interactive' '--trust-server-cert' 'info'
   ```
   
   Now, since `--password` is followed immediately by a single quote, instead 
of a single space, the mask is inserted but does not replace the actual 
password:
   
   ```
   'svn' '--username' 'myusername' '--password''*****' 'swordfish' 
'--no-auth-cache' '--non-interactive' '--trust-server-cert' 'info'
   ```
   
   Here is an improved version of `cryptPassword` using a regex in order to 
handle more diverse input:
   
   ```
       public static String cryptPassword( Commandline cl )
       {
           String clString = cl.toString();
           final String mask = "'******'";
   
           final Matcher matcher = 
Pattern.compile("(--password\\S*?\\s+)('[^']+?'|\"[^\"]+?\"|\\S+)")
                                          .matcher(clString);
   
           final StringBuffer replaced = new StringBuffer();
           while (matcher.find()) {
               final String argPrefix = matcher.group(1);
               matcher.appendReplacement(replaced, argPrefix + mask);
           }
           matcher.appendTail(replaced);
   
           return replaced.toString();
       }
   ```
   
   




> Password masking for svnexe does not handle all cases
> -----------------------------------------------------
>
>                 Key: SCM-763
>                 URL: https://issues.apache.org/jira/browse/SCM-763
>             Project: Maven SCM (Moved to GitHub Issues)
>          Issue Type: Bug
>          Components: maven-scm-provider-svn
>    Affects Versions: 1.9
>         Environment: Jenkins 1.502 on a SLES11
>            Reporter: Tobias Kalmes
>            Assignee: Michael Osipov
>            Priority: Major
>             Fix For: 1.10.0
>
>
> Passwords are not masked in the log output on Linux machines. The masking 
> works as intended on Windows machines. On linux machines tho the password is 
> printed in clear text. This seems to be a problem due to the additional 
> single quotes that are added around the parameters on linux machines.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to