James Nord created MNG-8398:
-------------------------------
Summary: mvn --encrypt[--master]--password should work with
redirected streams
Key: MNG-8398
URL: https://issues.apache.org/jira/browse/MNG-8398
Project: Maven
Issue Type: Improvement
Components: Core
Affects Versions: 3.9.9
Reporter: James Nord

Maven 3.2.1 provided a way to enter the password to be encrypted via
interactive input for security reasons.
However the implementation uses the {{java.io.Console}} API with no fallback to
stdin/stdout.
This makes it virtually impossible[1] to securely[2] encrypt a password from
another program (for example a tool that will bootstrap a {{settings.xml}} for
a corporate structure etc.).
h3. Steps to reproduce
(to reproduce without any 3rd party tooling run, which is not how I would
expect this to be called, but is here to demonstrate)
{{echo -n myMasterPassword | mvn --encrypt-master-password}}
h4. Expected results
{{{base64HexString}}}
h4. Actual results
{{{}}}
[1] without relying on 3rd party tools that may not be installed, e.g. on Linux
you can use {{script}} (which is likely to be installed), but on Windows you
have no such generally available solution
[2] without the password being exposed in the process list (which is
why this was implemented to begin with).
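The fallback the report asks for, as an added example (not Maven's code and not part of the issue): use {{java.io.Console}} when one is attached, otherwise read one line from redirected stdin, so the secret never has to appear on a command line. The class name {{PasswordPrompt}} and method {{readSecret}} are hypothetical.

```java
import java.io.Console;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.Reader;
import java.nio.charset.Charset;
import java.util.Arrays;

public class PasswordPrompt {   // hypothetical name, not a Maven class

    /** Reads a secret from the console if attached, else one line from stdin. */
    static char[] readSecret(String prompt) throws IOException {
        Console console = System.console();
        if (console != null) {
            // Interactive terminal: echo is off and nothing is passed via argv.
            char[] secret = console.readPassword("%s", prompt);
            if (secret == null) throw new IOException("end of input on console");
            return secret;
        }
        // No console: stdin is a pipe or file, the case the report describes.
        // Read into a char[] rather than a String so the buffer can be wiped.
        Reader in = new InputStreamReader(System.in, Charset.defaultCharset());
        char[] buf = new char[128];
        int n = 0;
        for (int c; (c = in.read()) != -1 && c != '\n'; ) {
            if (n == buf.length) {
                char[] bigger = Arrays.copyOf(buf, n * 2);
                Arrays.fill(buf, '\0');          // wipe the outgrown buffer
                buf = bigger;
            }
            buf[n++] = (char) c;
        }
        if (n > 0 && buf[n - 1] == '\r') n--;    // tolerate CRLF from Windows callers
        char[] secret = Arrays.copyOf(buf, n);
        Arrays.fill(buf, '\0');
        if (n == 0) throw new IOException("no password supplied on stdin");
        return secret;
    }

    public static void main(String[] args) throws IOException {
        char[] secret = readSecret("Master password: ");
        try {
            // The encryption step would go here; only the length is reported.
            System.out.println("read " + secret.length + " characters");
        } finally {
            Arrays.fill(secret, '\0');           // do not leave the secret in memory
        }
    }
}
```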