[jira] [Commented] (SCM-763) Password masking on linux does not work

[Weston Bustraan (JIRA)]

    [ 
https://issues.apache.org/jira/browse/SCM-763?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15876320#comment-15876320
 ] 

Weston Bustraan commented on SCM-763:
-------------------------------------

This also occurs on Macs.

The culprit is actually 
{{org.apache.maven.scm.provider.svn.svnexe.command.SvnCommandLineUtils.cryptPassword(Commandline)}}

It has a rather... naïve, to be polite, implementation of the password masking. 
It only works if there is _exactly_ one space after {{--password}}. Any other 
condition and the password is not masked.

So, if the command line string is this:
{code}svn --username myusername --password swordfish --no-auth-cache 
--non-interactive --trust-server-cert info{code}
... the output is:
{code}svn --username myusername --password '*****' --no-auth-cache 
--non-interactive --trust-server-cert info{code}

However, it appears that, at some point, a change was made elsewhere that wraps 
everything in quotes on *nix OSes:
{code}
'svn' '--username' 'myusername' '--password' 'swordfish' '--no-auth-cache' 
'--non-interactive' '--trust-server-cert' 'info'
{code}
Now, since {{--password}} is followed immediately by a single quote, instead of 
a single space, the mask is inserted but does not replace the actual password:
{code}'svn' '--username' 'myusername' '--password''*****' 'swordfish' 
'--no-auth-cache' '--non-interactive' '--trust-server-cert' 'info'{code}



Here is an improved version of {{cryptPassword}} using a regex in order to 
handle more diverse input:
{code}
    public static String cryptPassword( Commandline cl )
    {
        String clString = cl.toString();
        final String mask = "'******'";

        final Matcher matcher = 
Pattern.compile("(--password\\S*?\\s+)('[^']+?'|\"[^\"]+?\"|\\S+)")
                                       .matcher(clString);

        final StringBuffer replaced = new StringBuffer();
        while (matcher.find()) {
            final String argPrefix = matcher.group(1);
            matcher.appendReplacement(replaced, argPrefix + mask);
        }
        matcher.appendTail(replaced);

        return replaced.toString();
    }
{code}

> Password masking on linux does not work
> ---------------------------------------
>
>                 Key: SCM-763
>                 URL: https://issues.apache.org/jira/browse/SCM-763
>             Project: Maven SCM
>          Issue Type: Bug
>          Components: maven-scm-provider-svn
>    Affects Versions: 1.9
>         Environment: Jenkins 1.502 on a SLES11
>            Reporter: Tobias Kalmes
>
> Passwords are not masked in the log output on Linux machines. The masking 
> works as intended on Windows machines. On linux machines tho the password is 
> printed in clear text. This seems to be a problem due to the additional 
> single quotes that are added around the parameters on linux machines.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)