[ https://issues.apache.org/jira/browse/SCM-1028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17939796#comment-17939796 ]
ASF GitHub Bot commented on SCM-1028:
-------------------------------------

mhoffrog opened a new pull request, #237:
URL: https://github.com/apache/maven-scm/pull/237

## JIRA

[SCM-1028](https://issues.apache.org/jira/browse/SCM-1028) Vulnerability: Clear text password is logged by JGit provider and by gitexe remoteinfo on a ls-remote failure

## Changes

- GitUtil.java:
  - add method encodeURIComponent(String s) to provide a central common encoding for user credentials within URLs
  - add method maskPasswordInUrl(String urlWithCredentials)
    - implementation taken from AnonymousCommandLine.java
    - improve regex pattern to be more precise
    - replace wrapped with delimiters ':' and '@' to avoid replacing the password within probable other places of the URL, to avoid password guessing by using e.g. redundant URL parameters
- AnonymousCommandLine.java:
  - move current password masking implementation to GitUtil
  - use implementation from GitUtil
- GitScmProviderRepository.java:
  - add method getFetchUrlWithMaskedPassword()
  - add method getPushUrlWithMaskedPassword()
  - method getUrl(RepositoryUrl repoUrl):
    - use user name and password encoding from GitUtil.encodeURIComponent(String s)
  - toString():
    - 👉 **BREAKING** change: provide URL content with masked password to reduce the risk of usage within logs or exceptions showing passwords by that
- JGitUtils.java:
  - method prepareSession(Git git, GitScmProviderRepository repository):
    - log using methods:
      - GitScmProviderRepository.getFetchUrlWithMaskedPassword()
      - GitScmProviderRepository.getPushUrlWithMaskedPassword()
- GitRemoteInfoCommand.java:
  - use GitScmProviderRepository.getFetchUrlWithMaskedPassword() for exception message
- Update JUnit tests accordingly:
  - GitScmProviderRepositoryTest.java
  - GitCommandLineUtilsTest.java

## Test result

- All JUnit tests passed

> Vulnerability: Clear text password is logged by JGit provider and by gitexe remoteinfo on a ls-remote failure
> -------------------------------------------------------------------------------------------------------------
>
>                 Key: SCM-1028
>                 URL: https://issues.apache.org/jira/browse/SCM-1028
>             Project: Maven SCM
>          Issue Type: Bug
>          Components: maven-scm-provider-gitexe, maven-scm-provider-jgit
>    Affects Versions: 2.1.0
>            Reporter: Markus Hoffrogge
>            Priority: Critical
>              Labels: Vulnerability, vulnerabilities, vulnerability
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> *Issue(s):*
> # *JGit provider*: If the git password contains special characters which are differently encoded by the {{URI class}} than by {{URLEncode.encode}}, then the password masking does not become effective and the password is logged in clear URI encoded format by the jgit provider.
> # *Gitexe remoteinfo*: In case ls-remote is failing, then a {{ScmException}} is being thrown with the fetch URL passed as error message containing the URI encoded clear password.
>
> *Root cause(s):*
> # The URL encoding used for the credentials within fetch and push URL differs from the encoding being used for masking the password at [JGitUtils.prepareSession(...)|https://github.com/apache/maven-scm/blob/55186fdf42f65fd3a1be07161bc198f092386f77/maven-scm-providers/maven-scm-providers-git/maven-scm-provider-jgit/src/main/java/org/apache/maven/scm/provider/git/jgit/command/JGitUtils.java#L149]
> # Password is not masked for the exception message passed to the ScmException used at [GitRemoteInfoCommand.executeRemoteInfoCommand(...)|https://github.com/apache/maven-scm/blob/55186fdf42f65fd3a1be07161bc198f092386f77/maven-scm-providers/maven-scm-providers-git/maven-scm-provider-gitexe/src/main/java/org/apache/maven/scm/provider/git/gitexe/command/remoteinfo/GitRemoteInfoCommand.java#L59]
>
> *Solution:*
> I will come up with a PR soon to solve these issues.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
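The following Java program is an added illustration of the two points raised above (the encoding mismatch in the issue, and the delimiter-bounded masking described in the PR). It is not maven-scm code: the class name, the regular expression, and the body of `encodeURIComponent` are assumptions made for the example, not the project's implementation. It builds the same credential-bearing URL once through `java.net.URI` and once through a single central encoder (the two escape a space differently, for instance), shows that masking by replacing one encoding of the password can leave the other form untouched, and then masks only the segment between the ':' after the user name and the '@' before the host, so the rest of the URL is never rewritten.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added illustration, not maven-scm code: why replacement-based masking of one
 * encoding of the password can miss a URL built with another encoding, and how a
 * masker bounded by the ':' and '@' delimiters of the userinfo touches nothing else.
 */
public final class UrlCredentialMaskingDemo {

    // Hypothetical pattern (the PR's actual regex is not on the page).
    // Group 1: "scheme://user:", group 2: the password, group 3: "@host...".
    // A percent-encoded password contains none of '@', '/', '?' or '#', so the
    // match cannot run past the userinfo into the path or query string.
    private static final Pattern USERINFO_PASSWORD =
            Pattern.compile("^([A-Za-z][A-Za-z0-9+.-]*://[^/@:]+:)([^@/?#]*)(@.*)$");

    private static final String MASK = "********";

    /** Hypothetical central encoder in the style of JavaScript's encodeURIComponent (assumption). */
    public static String encodeURIComponent(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8) // Java 10+ overload
                .replace("+", "%20")
                .replace("%21", "!")
                .replace("%27", "'")
                .replace("%28", "(")
                .replace("%29", ")")
                .replace("%7E", "~");
    }

    /** Masks only the password between ':' and '@' in the userinfo; all other URL parts stay as-is. */
    public static String maskPasswordInUrl(String urlWithCredentials) {
        if (urlWithCredentials == null) {
            return null;
        }
        Matcher m = USERINFO_PASSWORD.matcher(urlWithCredentials);
        if (!m.matches()) {
            return urlWithCredentials; // no userinfo password present, nothing to mask
        }
        return m.group(1) + MASK + m.group(3);
    }

    /** URL assembled by java.net.URI, which escapes the userinfo with its own rules. */
    public static String urlViaUriClass(String user, String password, String host, String path)
            throws URISyntaxException {
        return new URI("https", user + ":" + password, host, -1, path, null, null).toString();
    }

    /** URL assembled with the single central encoder for both credentials. */
    public static String urlViaEncoder(String user, String password, String host, String path) {
        return "https://" + encodeURIComponent(user) + ":" + encodeURIComponent(password) + "@" + host + path;
    }

    public static void main(String[] args) throws URISyntaxException {
        String password = "p@ss word!"; // constructed sample credential, chosen so the two encoders disagree
        String viaUri = urlViaUriClass("alice", password, "git.example.org", "/repo.git");
        String viaEncoder = urlViaEncoder("alice", password, "git.example.org", "/repo.git");
        System.out.println("URI class builds   : " + viaUri);
        System.out.println("encoder builds     : " + viaEncoder);

        // Replacement-based masking with the URLEncoder form of the password, the kind of
        // mismatch the issue describes: when the URL was built by URI, nothing is replaced.
        String replaced = viaUri.replace(URLEncoder.encode(password, StandardCharsets.UTF_8), MASK);
        System.out.println("replace-based mask : " + replaced);

        // Delimiter-bounded masking works on either form without needing the password at all.
        System.out.println("delimited mask     : " + maskPasswordInUrl(viaUri));
        System.out.println("delimited mask     : " + maskPasswordInUrl(viaEncoder));
        // A URL without userinfo (here with a port) is returned unchanged rather than damaged.
        System.out.println("no credentials     : " + maskPasswordInUrl("https://git.example.org:8443/repo.git"));
    }
}
```

The delimiter-bounded masker is independent of how the password was encoded, which is what removes the mismatch class of bug; and because it only ever rewrites the userinfo segment, its output says nothing about any other part of the URL, which is the point of the PR's ':' and '@' bounding.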