[jira] [Commented] (SCM-1028) Vulnerability: Clear text password is logged by JGit provider and by gitexe remoteinfo on a ls-remote failure

ASF GitHub Bot (Jira) Thu, 22 May 2025 08:43:04 -0700


    [ 
https://issues.apache.org/jira/browse/SCM-1028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17953497#comment-17953497
 ]


ASF GitHub Bot commented on SCM-1028:
-------------------------------------

mhoffrog commented on PR #237:
URL: https://github.com/apache/maven-scm/pull/237#issuecomment-2901711652

   @hboutemy I could move my PRs branch to commit 
8b44e4f6745e7bd677428be093921267317b8fe8 of the current master and force push 
my branch. Maybe GitHub would recognize it on this PR and mark the PR as merged.
   
   Please let me know if I should  give it a try? (I guess it cannot get worse 
as it currently is.)
   
   Another option is to ask GH support for a probable solution.




> Vulnerability: Clear text password is logged by JGit provider and by gitexe 
> remoteinfo on a ls-remote failure
> -------------------------------------------------------------------------------------------------------------
>
>                 Key: SCM-1028
>                 URL: https://issues.apache.org/jira/browse/SCM-1028
>             Project: Maven SCM (Moved to GitHub Issues)
>          Issue Type: Bug
>          Components: maven-scm-provider-gitexe, maven-scm-provider-jgit
>    Affects Versions: 2.1.0
>            Reporter: Markus Hoffrogge
>            Assignee: Michael Osipov
>            Priority: Critical
>              Labels: vulnerability
>             Fix For: 2.2.0
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> *Issue(s):*
>  # {*}JGit provider{*}: If the git password contains special characters which 
> are differently encoded by the {{URI class}} than {{{}by 
> URLEncode.encode{}}}, then the password masking does not become effective and 
> the password is logged in clear URI encoded format by the jgit provider.
>  # {*}Gitexe remoteinfo{*}: In case ls-remote is failing, then a 
> {{ScmException}} is being thrown with the fetch URL passed as error message 
> containing the URI encoded clear password.
> *Root cause(s):*
>  # The URL encoding used for the credentials within fetch and push URL 
> differs from the encoding being used for masking the password at 
> [JGitUtils.prepareSession(...)|https://github.com/apache/maven-scm/blob/55186fdf42f65fd3a1be07161bc198f092386f77/maven-scm-providers/maven-scm-providers-git/maven-scm-provider-jgit/src/main/java/org/apache/maven/scm/provider/git/jgit/command/JGitUtils.java#L149]
>  # Password is not masked for the exception message passed to the 
> ScmException used at 
> [GitRemoteInfoCommand.executeRemoteInfoCommand(...)|https://github.com/apache/maven-scm/blob/55186fdf42f65fd3a1be07161bc198f092386f77/maven-scm-providers/maven-scm-providers-git/maven-scm-provider-gitexe/src/main/java/org/apache/maven/scm/provider/git/gitexe/command/remoteinfo/GitRemoteInfoCommand.java#L59]
> *Solution:*
> [PR #237|https://github.com/apache/maven-scm/pull/237]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Commented] (SCM-1028) Vulnerability: Clear text password is logged by JGit provider and by gitexe remoteinfo on a ls-remote failure

Reply via email to