[ https://issues.apache.org/jira/browse/SCM-817?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17963280#comment-17963280 ]

ASF GitHub Bot commented on SCM-817:
------------------------------------

jira-importer opened a new issue, #1047:
URL: https://github.com/apache/maven-scm/issues/1047

   **[Paul Vonnahme](https://issues.apache.org/jira/secure/ViewProfile.jspa?name=pmv)** opened **[SCM-817](https://issues.apache.org/jira/browse/SCM-817?redirect=false)** and commented
   
   The jgit provider attempts to mask the password:
   
   ```java
   // The raw (un-encoded) password, or a placeholder when none is configured,
   // is used as the literal search string for the log masking below.
   String password =
       StringUtils.isNotBlank( repository.getPassword() ) ? repository.getPassword().trim() : "no-pwd-defined";
   logger.info( "fetch url: " + repository.getFetchUrl().replace( password, "******" ) );
   logger.info( "push url: " + repository.getPushUrl().replace( password, "******" ) );
   ```
   
   from
   
https://github.com/apache/maven-scm/blob/maven-scm-1.9.4/maven-scm-providers/maven-scm-providers-git/maven-scm-provider-jgit/src/main/java/org/apache/maven/scm/provider/git/jgit/command/JGitUtils.java#L134
   
   However, the password in the fetchUrl/pushUrl is encoded, while the replacement is not. If the password text changes as part of the encoding, the replace doesn't work. The new logic should be something like this:
   
   ```java
   // Requires java.net.URLEncoder and java.io.UnsupportedEncodingException.
   String password =
       StringUtils.isNotBlank( repository.getPassword() ) ? repository.getPassword().trim() : "no-pwd-defined";
   try {
       // Encode the search string the same way the password was encoded
       // when it was embedded in the URL, so the replace matches.
       password = URLEncoder.encode( password, "UTF-8" );
   } catch (UnsupportedEncodingException e) {
       // UTF-8 should be valid
       e.printStackTrace();
   }
   logger.info( "fetch url: " + repository.getFetchUrl().replace( password, "******" ) );
   logger.info( "push url: " + repository.getPushUrl().replace( password, "******" ) );
   ```
   
   To match the way that the password is encoded when it is added to the URL:
   
https://github.com/apache/maven-scm/blob/e59eec4e5f66a4bf34144a500899b2114b5e2e4e/maven-scm-providers/maven-scm-providers-git/maven-scm-provider-git-commons/src/main/java/org/apache/maven/scm/provider/git/repository/GitScmProviderRepository.java#L297
   
   
   
   ---
   
   **Affects:** 1.9.4
   
   **Issue Links:**
   - [SCM-811](https://issues.apache.org/jira/browse/SCM-811) m2 release plugin shows SCM git password if fatal occurred during git push
   
   
   **Remote Links:**
   - [GitHub Pull Request #44](https://github.com/apache/maven-scm/pull/44)
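The failure mode the issue describes (a literal `replace` of the raw password against a URL that carries the percent-encoded form) is easy to reproduce outside the Java code base. The following is an added illustration, not maven-scm's code and not part of the issue: it is written in Python, with `urllib.parse.quote` standing in for Java's `URLEncoder.encode` (they differ for the space character, `%20` versus `+`, so `encoded_mask` is an analogue of the proposed fix rather than a literal port). The sample user, password and repository URL are constructed. Besides the naive and the encode-then-replace variants from the issue, it shows a third approach that does not depend on knowing the password's encoding at all: parse the URL and blank out the password component of the userinfo.

```python
"""Masking credentials in logged SCM URLs: naive replace vs. encoded replace vs.
parsing the userinfo. Added example; not maven-scm code. All sample values are
constructed."""
from urllib.parse import quote, urlsplit, urlunsplit

MASK = "******"


def build_url(user: str, password: str, hostpath: str) -> str:
    """Embed credentials in an https URL, percent-encoding the password the way a
    provider would before handing the URL to git (constructed helper)."""
    return f"https://{user}:{quote(password, safe='')}@{hostpath}"


def naive_mask(url: str, password: str) -> str:
    """The original approach from the issue: search for the raw password text.
    Silently leaves the URL untouched when the password was encoded."""
    return url.replace(password, MASK)


def encoded_mask(url: str, password: str) -> str:
    """The issue's proposed fix: encode the search string first so it matches the
    encoded form in the URL. Only correct if both sides use the same encoder."""
    return url.replace(quote(password, safe=""), MASK)


def mask_userinfo(url: str) -> str:
    """Encoding-independent redaction: split the URL, drop everything after the
    first ':' of the userinfo, and rebuild. Works whatever encoding (or none)
    the password component used, and leaves URLs without a password unchanged."""
    parts = urlsplit(url)
    userinfo, at, hostport = parts.netloc.rpartition("@")
    if not at or ":" not in userinfo:
        return url  # no userinfo at all, or a user name without a password
    user, _, _ = userinfo.partition(":")
    netloc = f"{user}:{MASK}@{hostport}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def demo() -> dict:
    """Run the three strategies against a password containing '@', ' ' and '/'
    (constructed) and return the logged strings for inspection."""
    raw_password = "p@ss w/rd"
    url = build_url("bob", raw_password, "git.example.com/repo.git")
    return {
        "url": url,
        "naive": naive_mask(url, raw_password),
        "encoded": encoded_mask(url, raw_password),
        "parsed": mask_userinfo(url),
        "no_password": mask_userinfo("https://bob@git.example.com/repo.git"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12s} {value}")
```

Running it shows the naive variant logging the full `p%40ss%20w%2Frd` password unchanged, while both the encoded replace and the userinfo rewrite log `https://bob:******@git.example.com/repo.git`. The parse-based version is the one to prefer in a logging path, because it cannot be defeated by a mismatch between the encoder used to build the URL and the one used to build the search string.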
   




> Jgit provider exposes password if it contains special characters
> ----------------------------------------------------------------
>
>                 Key: SCM-817
>                 URL: https://issues.apache.org/jira/browse/SCM-817
>             Project: Maven SCM (Moved to GitHub Issues)
>          Issue Type: Bug
>          Components: maven-scm-provider-gitexe
>    Affects Versions: 1.9.4
>            Reporter: Paul Vonnahme
>            Assignee: Olivier Lamy
>            Priority: Major
>              Labels: easyfix, security
>             Fix For: 1.9.5
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
