Markus Hoffrogge created SCM-1028:
-------------------------------------

             Summary: Vulnerability: Clear text password is logged by JGit 
provider and by gitexe remoteinfo on a ls-remote failure
                 Key: SCM-1028
                 URL: https://issues.apache.org/jira/browse/SCM-1028
             Project: Maven SCM
          Issue Type: Bug
          Components: maven-scm-provider-gitexe, maven-scm-provider-jgit
    Affects Versions: 2.1.0
            Reporter: Markus Hoffrogge


*Issue(s):*
 # *JGit provider*: If the git password contains special characters which are 
encoded differently by the {{URI}} class than by {{URLEncoder.encode}}, then 
the password masking does not become effective and the password is logged in 
clear URI encoded format by the jgit provider.
 # *Gitexe remoteinfo*: In case ls-remote is failing, then a {{ScmException}} 
is being thrown with the fetch URL passed as error message containing the URI 
encoded clear password.



*Root cause(s):*
 # The URL encoding used for the credentials within the fetch and push URLs 
differs from the encoding being used for masking the password at 
[JGitUtils.prepareSession(...)|https://github.com/apache/maven-scm/blob/55186fdf42f65fd3a1be07161bc198f092386f77/maven-scm-providers/maven-scm-providers-git/maven-scm-provider-jgit/src/main/java/org/apache/maven/scm/provider/git/jgit/command/JGitUtils.java#L149]
 # The password is not masked for the exception message passed to the 
ScmException used at 
[GitRemoteInfoCommand.executeRemoteInfoCommand(...)|https://github.com/apache/maven-scm/blob/55186fdf42f65fd3a1be07161bc198f092386f77/maven-scm-providers/maven-scm-providers-git/maven-scm-provider-gitexe/src/main/java/org/apache/maven/scm/provider/git/gitexe/command/remoteinfo/GitRemoteInfoCommand.java#L59]



*Solution:*

I will come up with a PR soon to solve these issues.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
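The encoding mismatch behind the first issue, and the unmasked exception message behind the second, can be reproduced without maven-scm. The following is an added example, not code from the maven-scm project or from the reporter: the helper names (`buildFetchUrl`, `maskByUrlEncoder`, `maskUserInfoPassword`, `lsRemoteFailureMessage`) and the sample credentials are hypothetical, and the fragile masker only stands in for the general pattern of masking by searching for a re-encoded copy of the secret. It contrasts that pattern with masking that works on the raw userinfo of the parsed URL, so it does not matter which encoder produced the URL.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class PasswordMaskingDemo {

    private static final String MASK = "********";

    // Builds the fetch URL the way a provider relying on java.net.URI would:
    // the multi-argument constructor percent-encodes characters that are illegal
    // inside userinfo (' ' -> %20, '@' -> %40) but leaves RFC 2396 "mark"
    // characters such as '!' and '*' untouched.
    static String buildFetchUrl(String user, String password, String host, String repoPath)
            throws URISyntaxException {
        return new URI("https", user + ":" + password, host, -1, repoPath, null, null).toString();
    }

    // Fragile masking (hypothetical): searches for the URLEncoder form of the
    // password. URLEncoder targets application/x-www-form-urlencoded, so ' '
    // becomes '+' and '!' becomes %21; neither matches what URI produced, the
    // replace finds nothing, and the percent-encoded password reaches the log.
    static String maskByUrlEncoder(String url, String password) {
        String formEncoded = URLEncoder.encode(password, StandardCharsets.UTF_8); // Java 10+
        return url.replace(formEncoded, MASK);
    }

    // Encoding-independent masking (hypothetical): parse the URL, take the raw
    // (still percent-encoded) userinfo and replace everything after the first
    // ':' without ever re-encoding the secret ourselves.
    static String maskUserInfoPassword(String url) {
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            // Not parseable as a URI: do not risk echoing it back verbatim.
            return "<unparseable URL redacted>";
        }
        String rawUserInfo = uri.getRawUserInfo();
        if (rawUserInfo == null) {
            return url; // no credentials embedded
        }
        int colon = rawUserInfo.indexOf(':');
        if (colon < 0) {
            return url; // user name only, nothing secret to hide
        }
        String maskedUserInfo = rawUserInfo.substring(0, colon + 1) + MASK;
        // The raw userinfo is immediately followed by '@' in the authority, so a
        // literal String.replace on that exact substring is sufficient.
        return url.replace(rawUserInfo + "@", maskedUserInfo + "@");
    }

    // Models the ls-remote failure path: anything placed in an exception
    // message must already be masked, because callers log getMessage().
    static String lsRemoteFailureMessage(String fetchUrl) {
        return "git ls-remote failed for " + maskUserInfoPassword(fetchUrl);
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample credentials: the password mixes a character that
        // URI and URLEncoder quote differently (' ') with one URI leaves alone ('!').
        String password = "p@ss w0rd!";
        String fetchUrl = buildFetchUrl("alice", password, "git.example.org", "/scm/repo.git");

        System.out.println("fetch URL            : " + fetchUrl);
        System.out.println("URLEncoder form      : " + URLEncoder.encode(password, StandardCharsets.UTF_8));
        System.out.println("masked via URLEncoder: " + maskByUrlEncoder(fetchUrl, password));
        System.out.println("masked via userinfo  : " + maskUserInfoPassword(fetchUrl));
        System.out.println("exception message    : " + lsRemoteFailureMessage(fetchUrl));
    }
}
```

With the sample password the URI constructor yields `p%40ss%20w0rd!` in the URL while `URLEncoder.encode` yields `p%40ss+w0rd%21`, so the URLEncoder-based replace is a no-op and the first two masked lines print the encoded password unchanged; only the userinfo-based masker prints `alice:********@`. The same masker is applied before the string is handed to an exception, which is the missing step in the remoteinfo case. Note that the fragile variant appears to work for purely alphanumeric passwords, which is why this class of bug survives casual testing.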