[ https://issues.apache.org/jira/browse/SCM-811?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17963251#comment-17963251 ]

ASF GitHub Bot commented on SCM-811:
------------------------------------

jira-importer commented on issue #1043:
URL: https://github.com/apache/maven-scm/issues/1043#issuecomment-2964640879

   **[Eddie Webb](https://issues.apache.org/jira/secure/ViewProfile.jspa?name=eddiewebb)** commented
   
   Looks like the native git provider has an issue unrelated to SCM-817 (which 
now has an open PR) that affects **any** error scenario where git's stderr is 
piped directly to use.
   Arguably, yes this is an issue in git itself, but I do feel that given 
Maven's use in CI/CD systems it would be wise to mask any passwords that native 
git might leak. Trying to find the best approach to address that, most likely 
keeping it specific to the git scm providers as URL patterns for CVS, Jazz, 
SVN, etc. are different.
   




> m2 release plugin shows SCM git password if fatal occured during git push
> -------------------------------------------------------------------------
>
>                 Key: SCM-811
>                 URL: https://issues.apache.org/jira/browse/SCM-811
>             Project: Maven SCM (Moved to GitHub Issues)
>          Issue Type: Improvement
>          Components: maven-scm-provider-gitexe
>    Affects Versions: 1.9.4
>         Environment: RHEL6, Windows
>            Reporter: Vasilii Ruzov
>            Assignee: Olivier Lamy
>            Priority: Major
>             Fix For: 1.9.5
>
>
> I'm running
> mvn release:prepare -Dusername=myuser -Dpassword=mypassword
> and see lines in output:
> {quote}[INFO] Executing: cmd.exe /X /C "git push 
> https://myuser:********@myserver.com:8081/scm/project/project.git 
> refs/heads/master:refs/heads/master"
> {quote}
> but if for some reason git push failed (e.g. I made a mistake typing password) 
> then I see in log
> {quote}
> [ERROR] fatal: unable to access 
> 'https://myuser:mypassword@myserver.com:8081/scm/project/project.git/': SSL 
> certificate problem: self signed certificate in certificate chain
> {quote}
> So I see *PLAINTEXT* password. As I use this step on Teamcity it causes 
> security problems when someone else can see my password if build failed. I 
> tried both on Linux and Windows machines.
> I use maven-release-plugin version 2.5.3.
> http://stackoverflow.com/questions/33831383/maven-release-plugin-shows-plaintext-password-on-git-push-error



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
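
One way to implement the git-specific masking proposed in the comment above, as an added Java example (not Maven SCM's code and not the fix that was shipped). The class `GitCredentialMasker` and its `mask` method are hypothetical names, and the sample stderr lines are constructed from the placeholder values in the report.

```java
import java.util.regex.Pattern;

/** Added illustration (hypothetical class, not Maven SCM code). */
public class GitCredentialMasker {

    // Matches scheme://user:password@ inside arbitrary text such as git's stderr.
    //   group 1: scheme and "://"
    //   group 2: user name (no ':', '@', '/', quotes or whitespace)
    //   group 3: password; greedy, so it runs to the LAST '@' before the first
    //            '/', quote or whitespace and also covers an unencoded '@'.
    private static final Pattern URL_WITH_PASSWORD = Pattern.compile(
            "([A-Za-z][A-Za-z0-9+.-]*://)([^\\s/:@'\"]+):([^\\s/'\"]+)@");

    // Fixed-length mask so the output does not reveal the password length.
    private static final String MASK = "********";

    /** Returns the text with every URL password replaced by a fixed mask. */
    public static String mask(String text) {
        if (text == null) {
            return null;
        }
        return URL_WITH_PASSWORD.matcher(text).replaceAll("$1$2:" + MASK + "@");
    }

    public static void main(String[] args) {
        // Constructed sample lines, using the placeholder values from the report.
        String[] stderr = {
            "fatal: unable to access 'https://myuser:mypassword@myserver.com:8081/"
                + "scm/project/project.git/': SSL certificate problem",
            "fatal: unable to access 'https://myuser:p@ss@myserver.com/project.git/'",
            "fatal: repository 'https://myserver.com:8081/scm/project.git/' not found",
            "fatal: unable to access 'https://myuser@myserver.com/project.git/'",
            "git@myserver.com: Permission denied (publickey)."
        };
        for (String line : stderr) {
            String masked = mask(line);
            System.out.println((masked.equals(line) ? "unchanged: " : "masked:    ") + masked);
        }
    }
}
```

The pattern is deliberately limited to `scheme://user:password@` URLs, so host-and-port URLs, user-only URLs and scp-style `git@host:` addresses pass through unchanged; a password containing an unencoded `/` or whitespace is not recognized, which a valid URL would percent-encode anyway.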
