[jira] [Commented] (SCM-1028) Vulnerability: Clear text password is logged by JGit provider and by gitexe remoteinfo on a ls-remote failure

ASF GitHub Bot (Jira) Sun, 06 Apr 2025 12:31:56 -0700


    [ 
https://issues.apache.org/jira/browse/SCM-1028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17941411#comment-17941411
 ]


ASF GitHub Bot commented on SCM-1028:
-------------------------------------

michael-o commented on code in PR #237:
URL: https://github.com/apache/maven-scm/pull/237#discussion_r2030239399


##########
maven-scm-providers/maven-scm-providers-git/maven-scm-provider-git-commons/src/main/java/org/apache/maven/scm/provider/git/util/GitUtil.java:
##########
@@ -77,4 +86,24 @@ public static void setSettingsDirectory(File directory) {
     public static File getSettingsFile() {
         return new File(settingsDirectory, GIT_SETTINGS_FILENAME);
     }
+
+    /**
+     * Provides an anonymous output to mask password. Considering URL of type :
+     * 
&lt;&lt;protocol&gt;&gt;://&lt;&lt;user&gt;&gt;:&lt;&lt;password&gt;&gt;@
+     * &lt;&lt;host_definition&gt;&gt;
+     *
+     * @param urlWithCredentials
+     * @return urlWithCredentials but password masked with stars
+     */
+    public static String maskPasswordInUrl(String urlWithCredentials) {
+        String output = urlWithCredentials;
+        final Matcher passwordMatcher = 
PASSWORD_IN_URL_PATTERN.matcher(output);
+        if (passwordMatcher.find()) {

Review Comment:
   Why do you use `find()` and not `matches()` although your regex goes from 
start to end?



##########
maven-scm-providers/maven-scm-providers-git/maven-scm-provider-git-commons/src/main/java/org/apache/maven/scm/provider/git/util/GitUtil.java:
##########
@@ -77,4 +86,24 @@ public static void setSettingsDirectory(File directory) {
     public static File getSettingsFile() {
         return new File(settingsDirectory, GIT_SETTINGS_FILENAME);
     }
+
+    /**
+     * Provides an anonymous output to mask password. Considering URL of type :
+     * 
&lt;&lt;protocol&gt;&gt;://&lt;&lt;user&gt;&gt;:&lt;&lt;password&gt;&gt;@
+     * &lt;&lt;host_definition&gt;&gt;
+     *
+     * @param urlWithCredentials
+     * @return urlWithCredentials but password masked with stars
+     */
+    public static String maskPasswordInUrl(String urlWithCredentials) {
+        String output = urlWithCredentials;
+        final Matcher passwordMatcher = 
PASSWORD_IN_URL_PATTERN.matcher(output);
+        if (passwordMatcher.find()) {
+            // clear password with delimiters
+            final String clearPasswordWithDelimiters = 
passwordMatcher.group(1);
+            // to be replaced in output by stars with delimiters

Review Comment:
   stars => asterisks





> Vulnerability: Clear text password is logged by JGit provider and by gitexe 
> remoteinfo on a ls-remote failure
> -------------------------------------------------------------------------------------------------------------
>
>                 Key: SCM-1028
>                 URL: https://issues.apache.org/jira/browse/SCM-1028
>             Project: Maven SCM
>          Issue Type: Bug
>          Components: maven-scm-provider-gitexe, maven-scm-provider-jgit
>    Affects Versions: 2.1.0
>            Reporter: Markus Hoffrogge
>            Priority: Critical
>              Labels: Vulnerability, vulnerabilities, vulnerability
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> *Issue(s):*
>  # {*}JGit provider{*}: If the git password contains special characters which 
> are differently encoded by the {{URI class}} than {{{}by 
> URLEncode.encode{}}}, then the password masking does not become effective and 
> the password is logged in clear URI encoded format by the jgit provider.
>  # {*}Gitexe remoteinfo{*}: In case ls-remote is failing, then a 
> {{ScmException}} is being thrown with the fetch URL passed as error message 
> containing the URI encoded clear password.
> *Root cause(s):*
>  # The URL encoding used for the credentials within fetch and push URL 
> differs from the encoding being used for masking the password at 
> [JGitUtils.prepareSession(...)|https://github.com/apache/maven-scm/blob/55186fdf42f65fd3a1be07161bc198f092386f77/maven-scm-providers/maven-scm-providers-git/maven-scm-provider-jgit/src/main/java/org/apache/maven/scm/provider/git/jgit/command/JGitUtils.java#L149]
>  # Password is not masked for the exception message passed to the 
> ScmException used at 
> [GitRemoteInfoCommand.executeRemoteInfoCommand(...)|https://github.com/apache/maven-scm/blob/55186fdf42f65fd3a1be07161bc198f092386f77/maven-scm-providers/maven-scm-providers-git/maven-scm-provider-gitexe/src/main/java/org/apache/maven/scm/provider/git/gitexe/command/remoteinfo/GitRemoteInfoCommand.java#L59]
> *Solution:*
> [PR #237|https://github.com/apache/maven-scm/pull/237]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Commented] (SCM-1028) Vulnerability: Clear text password is logged by JGit provider and by gitexe remoteinfo on a ls-remote failure

Reply via email to