jira-importer commented on issue #970:
URL: https://github.com/apache/maven-scm/issues/970#issuecomment-2964636669

   **[Weston Bustraan](https://issues.apache.org/jira/secure/ViewProfile.jspa?name=wbustraan)** commented
   
   This also occurs on Macs.
   
   The culprit is actually `org.apache.maven.scm.provider.svn.svnexe.command.SvnCommandLineUtils.cryptPassword(Commandline)`.
   
   It has a rather... naïve, to be polite, implementation of the password masking. It only works if there is _exactly_ one space after `--password`. Any other condition and the password is not masked.
   
   So, if the command line string is this:
   
   ```
   svn --username myusername --password swordfish --no-auth-cache --non-interactive --trust-server-cert info
   ```
   
   ... the output is:
   
   ```
   svn --username myusername --password '*****' --no-auth-cache --non-interactive --trust-server-cert info
   ```
   
   However, it appears that, at some point, a change was made elsewhere that wraps everything in quotes on \*nix OSes:
   
   ```
   'svn' '--username' 'myusername' '--password' 'swordfish' '--no-auth-cache' '--non-interactive' '--trust-server-cert' 'info'
   ```
   
   Now, since `--password` is followed immediately by a single quote, instead of a single space, the mask is inserted but does not replace the actual password:
   
   ```
   'svn' '--username' 'myusername' '--password''*****' 'swordfish' '--no-auth-cache' '--non-interactive' '--trust-server-cert' 'info'
   ```
   
   Here is an improved version of `cryptPassword` using a regex in order to handle more diverse input:
   
   ```
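       // Requires: import java.util.regex.Matcher; import java.util.regex.Pattern;
       public static String cryptPassword( Commandline cl )
       {
           String clString = cl.toString();
           final String mask = "'******'";
   
           // Group 1: "--password", any non-space characters stuck to it (such as a
           //          closing quote) and the whitespace that follows.
           // Group 2: the password value, single-quoted, double-quoted or bare.
           final Matcher matcher = Pattern.compile("(--password\\S*?\\s+)('[^']+?'|\"[^\"]+?\"|\\S+)")
                                          .matcher(clString);
   
           final StringBuffer replaced = new StringBuffer();
           while (matcher.find()) {
               final String argPrefix = matcher.group(1);
               // quoteReplacement keeps any '$' or '\' in the prefix literal
               matcher.appendReplacement(replaced, Matcher.quoteReplacement(argPrefix + mask));
           }
           matcher.appendTail(replaced);
   
           return replaced.toString();
       }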
   ```
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

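
An alternative that avoids parsing the rendered string at all, shown as an added example that is not part of the original comment or of Maven SCM: mask the value on the argument list, before it is quoted and joined. The class name, the plain `List<String>` in place of `Commandline`, the `--password=value` form and the sample password containing a space are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example, not Maven SCM code: masks the password on the argument list,
// before quoting or joining, so the result cannot depend on spaces or quotes.
public class ArgvPasswordMask {
    private static final String OPTION = "--password";
    private static final String MASK = "*****";

    // Returns a copy of args that is safe to log; the input list is not modified.
    static List<String> maskPassword(List<String> args) {
        List<String> safe = new ArrayList<>(args.size());
        boolean maskNext = false;
        for (String arg : args) {
            if (maskNext) {
                safe.add(MASK);                    // value token after "--password"
                maskNext = false;
            } else if (arg.equals(OPTION)) {
                safe.add(arg);
                maskNext = true;
            } else if (arg.startsWith(OPTION + "=")) {
                safe.add(OPTION + "=" + MASK);     // one-token form (assumed)
            } else {
                safe.add(arg);
            }
        }
        return safe;
    }

    public static void main(String[] unused) {
        // Constructed sample input based on the command line quoted in the comment.
        List<String> args = Arrays.asList("svn", "--username", "myusername",
                "--password", "sword fish", "--no-auth-cache", "--non-interactive",
                "--trust-server-cert", "info");
        String unquoted = String.join(" ", maskPassword(args));
        String quoted = "'" + String.join("' '", maskPassword(args)) + "'";
        System.out.println(unquoted);
        System.out.println(quoted);
        // Fail loudly if either rendering still contains the secret.
        if (unquoted.contains("sword fish") || quoted.contains("sword fish")) {
            throw new AssertionError("password leaked into log output");
        }
    }
}
```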