maven-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ryan J. McDonough (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (MNG-5992) Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2
Date Tue, 17 May 2016 00:52:12 GMT

    [ https://issues.apache.org/jira/browse/MNG-5992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15285755#comment-15285755
] 

Ryan J. McDonough edited comment on MNG-5992 at 5/17/16 12:51 AM:
------------------------------------------------------------------

Of course. In my projects we're doing exactly that, but only after we started seeing this
issue. But as you should be well aware, not every project inherits from a parent pom.xml,
and not every project will assert explicit versions. While yes, best practices should remedy
this, but the defaults will put users at risk. 

More importantly, this issue *not* exclusive to the {{maven-git-commit-id-plugin}}. If you
look closer at the linked project on GitHub, you'd see exactly this. There's more details
on this blog post here:

https://damnhandy.com/2016/03/26/the-maven-plugins-that-will-expose-your-git-passwords-and-how-docker-helps-prove-it/

The Maven Release Plugin alone will happily print out your credentials in Maven's output when
you use HTTPS Git URLs. Given how Jenkins, Cloudbees, TravisCI, etc. all display Maven't output
as part of the build results, your credentials will be displayed right there. If you're talking
about public projects that use public CI tools, you're at risk. 

It's easy to point blame at the user for not following best practices, but most users will
obliviously use the defaults. It'd be great if the defaults could use the safest options available.



was (Author: damnhandy):
Of course. In my projects we're doing exactly that, but only after we started seeing this
issue. But as you should be well aware, not every project inherits from a parent pom.xml,
and not every project will assert explicit versions. While yes, best practices should remedy
this, but the defaults will put users at risk. 

More importantly, this issue *not* exclusive to the {{maven-git-commit-id-plugin}}. If you
look closer at the linked project on GitHub, you'd see exactly this. The Maven Release Plugin
alone will happily print out your credentials in Maven's output when you use HTTPS Git URLs.
Given how Jenkins, Cloudbees, TravisCI, etc. all display Maven't output as part of the build
results, your credentials will be displayed right there. If you're talking about public projects
that use public CI tools, you're at risk. 

It's easy to point blame at the user for not following best practices, but most users will
obliviously use the defaults. It'd be great if the defaults could use the safest options available.


> Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2
> --------------------------------------------------------------------------------
>
>                 Key: MNG-5992
>                 URL: https://issues.apache.org/jira/browse/MNG-5992
>             Project: Maven
>          Issue Type: Improvement
>          Components: Bootstrap & Build, Plugins and Lifecycle, POM
>    Affects Versions: 3.3.3, 3.3.9
>         Environment: All
>            Reporter: Ryan J. McDonough
>            Priority: Critical
>              Labels: security
>             Fix For: waiting-for-feedback
>
>
> The super POM defines version 2.3.2 of the Maven Release plugin. When using HTTP/HTTPS
Git SCM URIs, Maven will printout the password in the logs. Thus, any CI system such as Jenkins,
TravisCI, etc. will have the passwords exposed in the logs and in the console output. In the
case of TravisCI, this will be publicly visible. 
> The [Maven Release Plugin fixed this issue in MRELEASE-846|https://issues.apache.org/jira/browse/MRELEASE-846],
but Maven core is still pointing at an exposed version of the Maven Release plugin. I have
a test case that demonstrates the issue here:
> https://github.com/damnhandy/maven-publish-issue
> If you run the same build and explicitly define 2.5.3, the password is no longer displayed.
This should be the default. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message