[ https://issues.apache.org/jira/browse/SCM-1028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17952369#comment-17952369 ]
ASF GitHub Bot commented on SCM-1028:
-------------------------------------

michael-o commented on PR #237:
URL: https://github.com/apache/maven-scm/pull/237#issuecomment-2888392969

> > any idea from anybody on what magic was adding the "asfgit merged commit" step? = what seems currently broken
>
> * I think it might be the matter of pushing commit KNOWN to GitHub in context of PR (like in referenced [[SCM-991] GitDiffConsumer cannot parse moved files #151](https://github.com/apache/maven-scm/pull/151) - the same commit present in PR was pushed to the target branch) or UNKNOWN (like here - [8b44e4f](https://github.com/apache/maven-scm/commit/8b44e4f6745e7bd677428be093921267317b8fe8) was brand new commit (re-committed content) pushed to target branch with closing keyword - so the PR was closed as commanded, but not recognized as being merged; the commit comment just closed the PR for some, perhaps unrelated, reason, but it was not _merged_.)
>
> > This is basically what I have been doing: "This closes #NNN".
>
> And such comment "closes" issues/PRs as requested. If merged "correctly" - there would be no reason to add such comment.
>
> With merge being fast-forwarded or squashed or done with merge commit, in GitHub or externally to GitHub - there are many possibilities to be considered.

Technically not necessary, but for reference helpful.

> Vulnerability: Clear text password is logged by JGit provider and by gitexe remoteinfo on a ls-remote failure
> -------------------------------------------------------------------------------------------------------------
>
>                 Key: SCM-1028
>                 URL: https://issues.apache.org/jira/browse/SCM-1028
>             Project: Maven SCM (Moved to GitHub Issues)
>          Issue Type: Bug
>          Components: maven-scm-provider-gitexe, maven-scm-provider-jgit
>   Affects Versions: 2.1.0
>            Reporter: Markus Hoffrogge
>            Assignee: Michael Osipov
>            Priority: Critical
>              Labels: vulnerability
>             Fix For: 2.2.0
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> *Issue(s):*
> # *JGit provider*: If the git password contains special characters which are differently encoded by the {{URI class}} than {{by URLEncode.encode}}, then the password masking does not become effective and the password is logged in clear URI encoded format by the jgit provider.
> # *Gitexe remoteinfo*: In case ls-remote is failing, then a {{ScmException}} is being thrown with the fetch URL passed as error message containing the URI encoded clear password.
>
> *Root cause(s):*
> # The URL encoding used for the credentials within fetch and push URL differs from the encoding being used for masking the password at [JGitUtils.prepareSession(...)|https://github.com/apache/maven-scm/blob/55186fdf42f65fd3a1be07161bc198f092386f77/maven-scm-providers/maven-scm-providers-git/maven-scm-provider-jgit/src/main/java/org/apache/maven/scm/provider/git/jgit/command/JGitUtils.java#L149]
> # Password is not masked for the exception message passed to the ScmException used at [GitRemoteInfoCommand.executeRemoteInfoCommand(...)|https://github.com/apache/maven-scm/blob/55186fdf42f65fd3a1be07161bc198f092386f77/maven-scm-providers/maven-scm-providers-git/maven-scm-provider-gitexe/src/main/java/org/apache/maven/scm/provider/git/gitexe/command/remoteinfo/GitRemoteInfoCommand.java#L59]
>
> *Solution:*
> [PR #237|https://github.com/apache/maven-scm/pull/237]

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
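
The encoding mismatch named in the first issue and root cause above, as an added example that is not code from maven-scm or from PR #237. `maskByEncodedMatch` and `maskUserInfo` are hypothetical helpers, and the user, password and host are constructed sample values.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class CredentialMaskDemo {

    // Hypothetical masker: searches the URL for the URLEncoder form of the password.
    static String maskByEncodedMatch(String url, String password) {
        String encoded = URLEncoder.encode(password, StandardCharsets.UTF_8);
        return url.replace(encoded, "*****");
    }

    // Hypothetical structural masker: hides everything after the first ':' of the
    // raw user-info, so it does not depend on how the password was encoded.
    static String maskUserInfo(String url) {
        try {
            String authority = new URI(url).getRawAuthority();
            int at = authority == null ? -1 : authority.lastIndexOf('@');
            if (at < 0) {
                return url; // no user-info present
            }
            String userInfo = authority.substring(0, at);
            int colon = userInfo.indexOf(':');
            if (colon < 0) {
                return url; // user name only, no password component
            }
            return url.replace(userInfo + "@", userInfo.substring(0, colon) + ":*****@");
        } catch (URISyntaxException e) {
            // Unparseable URL: hide the whole authority prefix up to the last '@'.
            return url.replaceAll("://[^/]*@", "://*****@");
        }
    }

    public static void main(String[] args) throws URISyntaxException {
        String password = "p@ss w!rd"; // constructed sample value
        // The multi-argument URI constructor percent-encodes the user-info itself.
        URI uri = new URI("https", "alice:" + password, "git.example.org", -1,
                "/repo.git", null, null);
        String url = uri.toASCIIString();
        String weak = maskByEncodedMatch(url, password);

        System.out.println("URLEncoder form : " + URLEncoder.encode(password, StandardCharsets.UTF_8));
        System.out.println("URI user-info   : " + uri.getRawUserInfo());
        System.out.println("string match    : " + weak + "  (unchanged: " + weak.equals(url) + ")");
        System.out.println("structural mask : " + maskUserInfo(url));
    }
}
```

The same kind of masker would need to run on the fetch URL before it is placed in an exception message, which is the second leak the issue describes.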