maven-issues mailing list archives

From "Paul Vonnahme (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (SCM-817) Jgit provider exposes password if it contains special characters
Date Fri, 05 Feb 2016 15:52:39 GMT

     [ https://issues.apache.org/jira/browse/SCM-817?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Paul Vonnahme updated SCM-817:
------------------------------
    Description: 
The jgit provider attempts to mask the password:
{code:java}
// replaces the raw (unencoded) password text in the fetch/push URLs
String password =
    StringUtils.isNotBlank( repository.getPassword() ) ? repository.getPassword().trim()
                                                        : "no-pwd-defined";
logger.info( "fetch url: " + repository.getFetchUrl().replace( password, "******" ) );
logger.info( "push url: " + repository.getPushUrl().replace( password, "******" ) );
{code}
from
https://github.com/apache/maven-scm/blob/maven-scm-1.9.4/maven-scm-providers/maven-scm-providers-git/maven-scm-provider-jgit/src/main/java/org/apache/maven/scm/provider/git/jgit/command/JGitUtils.java#L134

However, the password in the fetchUrl/pushUrl is encoded, while the replacement is not. If the password text changes as part of the encoding, the replace doesn't work. The new logic should be something like this:
{code:java}
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

String password =
    StringUtils.isNotBlank( repository.getPassword() ) ? repository.getPassword().trim()
                                                        : "no-pwd-defined";
try
{
    // encode the same way the URL builder does, so the text being replaced
    // is the text that actually appears in the URL
    password = URLEncoder.encode( password, "UTF-8" );
}
catch ( UnsupportedEncodingException e )
{
    // UTF-8 should be valid (every JVM is required to support it)
    e.printStackTrace();
}
logger.info( "fetch url: " + repository.getFetchUrl().replace( password, "******" ) );
logger.info( "push url: " + repository.getPushUrl().replace( password, "******" ) );
{code}

To match the way that the password is encoded when it is added to the URL:
https://github.com/apache/maven-scm/blob/e59eec4e5f66a4bf34144a500899b2114b5e2e4e/maven-scm-providers/maven-scm-providers-git/maven-scm-provider-git-commons/src/main/java/org/apache/maven/scm/provider/git/repository/GitScmProviderRepository.java#L297




  was:
The jgit provider attempts to mask the password:
{code:java}
// replaces the raw (unencoded) password text in the fetch/push URLs
String password =
    StringUtils.isNotBlank( repository.getPassword() ) ? repository.getPassword().trim()
                                                        : "no-pwd-defined";
logger.info( "fetch url: " + repository.getFetchUrl().replace( password, "******" ) );
logger.info( "push url: " + repository.getPushUrl().replace( password, "******" ) );
{code}
from
https://github.com/apache/maven-scm/blob/maven-scm-1.9.4/maven-scm-providers/maven-scm-providers-git/maven-scm-provider-jgit/src/main/java/org/apache/maven/scm/provider/git/jgit/command/JGitUtils.java#L134

However, the password in the fetchUrl/pushUrl is encoded, while the replacement is not. If the password text changes as part of the encoding, the replace doesn't work. The new logic should be something like this:
{code:java}
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

String password =
    StringUtils.isNotBlank( repository.getPassword() ) ? repository.getPassword().trim()
                                                        : "no-pwd-defined";
try
{
    // encode the same way the URL builder does, so the text being replaced
    // is the text that actually appears in the URL
    password = URLEncoder.encode( password, "UTF-8" );
}
catch ( UnsupportedEncodingException e )
{
    // UTF-8 should be valid (every JVM is required to support it)
    e.printStackTrace();
}
logger.info( "fetch url: " + repository.getFetchUrl().replace( password, "******" ) );
logger.info( "push url: " + repository.getPushUrl().replace( password, "******" ) );
{code}

To match the way that the URL is encoded when it is added to the URL:
https://github.com/apache/maven-scm/blob/e59eec4e5f66a4bf34144a500899b2114b5e2e4e/maven-scm-providers/maven-scm-providers-git/maven-scm-provider-git-commons/src/main/java/org/apache/maven/scm/provider/git/repository/GitScmProviderRepository.java#L297





> Jgit provider exposes password if it contains special characters
> ----------------------------------------------------------------
>
>                 Key: SCM-817
>                 URL: https://issues.apache.org/jira/browse/SCM-817
>             Project: Maven SCM
>          Issue Type: Bug
>          Components: maven-scm-provider-git
>    Affects Versions: 1.9.4
>            Reporter: Paul Vonnahme
>              Labels: easyfix, security
>



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
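The failure mode described in the issue, as an added stand-alone example (this is editor-written demonstration code, not the reporter's proposal and not maven-scm project code). It assumes a clone URL of the form scheme://user:password@host/path in which the password is URL-encoded with URLEncoder.encode(..., "UTF-8"), mirroring the description above; the class and method names and the sample passwords are constructed for the demo.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

public class PasswordMaskDemo
{
    private static final String MASK = "******";

    // Builds a clone URL the way a provider that URL-encodes the password would
    // (assumed layout: scheme://user:password@host/path).
    static String buildUrl( String user, String password, String hostAndPath )
        throws UnsupportedEncodingException
    {
        return "https://" + user + ":" + URLEncoder.encode( password, "UTF-8" ) + "@" + hostAndPath;
    }

    // Naive masking: searches the URL for the raw, unencoded password.
    static String maskNaive( String url, String password )
    {
        return url.replace( password, MASK );
    }

    // Encoded masking: encode with the same encoder the URL builder used, then replace.
    static String maskEncoded( String url, String password )
        throws UnsupportedEncodingException
    {
        return url.replace( URLEncoder.encode( password, "UTF-8" ), MASK );
    }

    // Alternative that does not depend on matching the secret at all:
    // mask the whole userinfo ("user:password") part of the authority.
    static String maskUserInfo( String url )
    {
        int schemeEnd = url.indexOf( "://" );
        if ( schemeEnd < 0 )
        {
            return url;
        }
        int authStart = schemeEnd + 3;
        int authEnd = url.indexOf( '/', authStart );
        if ( authEnd < 0 )
        {
            authEnd = url.length();
        }
        int at = url.lastIndexOf( '@', authEnd );
        if ( at < authStart )
        {
            return url; // no userinfo in the authority
        }
        return url.substring( 0, authStart ) + MASK + url.substring( at );
    }

    public static void main( String[] args ) throws UnsupportedEncodingException
    {
        // constructed sample passwords: one survives URL encoding unchanged, one does not
        String[] passwords = { "plainpassword", "p@ss/w0rd#1" };
        for ( String pwd : passwords )
        {
            String url = buildUrl( "alice", pwd, "git.example.org/scm/repo.git" );
            String encoded = URLEncoder.encode( pwd, "UTF-8" );
            System.out.println( "url:            " + url );
            System.out.println( "naive mask:     " + maskNaive( url, pwd ) );
            System.out.println( "encoded mask:   " + maskEncoded( url, pwd ) );
            System.out.println( "userinfo mask:  " + maskUserInfo( url ) );
            // true when the "masked" line still contains the (encoded) password
            System.out.println( "naive leaks:    " + maskNaive( url, pwd ).contains( encoded ) );
        }
    }
}
```

For "plainpassword" all three maskers agree, because encoding leaves the text unchanged. For "p@ss/w0rd#1" the URL carries "p%40ss%2Fw0rd%231", the naive replace finds nothing and logs the URL untouched, and the encoded form decodes back to the cleartext trivially, which is the exposure the issue reports. Two practical caveats: URLEncoder.encode produces application/x-www-form-urlencoded output (a space becomes "+"), so the encoded replace only matches if the URL was built with the same encoder, which is exactly the coupling the reporter points at; and any replace-based mask also silently misses when the URL is built from a differently trimmed or differently encoded copy of the secret. Masking the whole userinfo component removes that dependency, at the cost of hiding the user name too.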
