[jira] [Commented] (SCM-763) Password masking on linux does not work

2017-02-21 Thread Weston Bustraan (JIRA) 

[ 
https://issues.apache.org/jira/browse/SCM-763?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15876320#comment-15876320
 ] 

Weston Bustraan commented on SCM-763:
-

This also occurs on Macs.

The culprit is actually 
{{org.apache.maven.scm.provider.svn.svnexe.command.SvnCommandLineUtils.cryptPassword(Commandline)}}

It has a rather... naïve, to be polite, implementation of the password masking. 
It only works if there is _exactly_ one space after {{--password}}. Any other 
condition and the password is not masked.

So, if the command line string is this:
{code}svn --username myusername --password swordfish --no-auth-cache 
--non-interactive --trust-server-cert info{code}
... the output is:
{code}svn --username myusername --password '*' --no-auth-cache 
--non-interactive --trust-server-cert info{code}

However, it appears that, at some point, a change was made elsewhere that wraps 
everything in quotes on *nix OSes:
{code}
'svn' '--username' 'myusername' '--password' 'swordfish' '--no-auth-cache' 
'--non-interactive' '--trust-server-cert' 'info'
{code}
Now, since {{--password}} is followed immediately by a single quote, instead of 
a single space, the mask is inserted but does not replace the actual password:
{code}'svn' '--username' 'myusername' '--password''*' 'swordfish' 
'--no-auth-cache' '--non-interactive' '--trust-server-cert' 'info'{code}



Here is an improved version of {{cryptPassword}} using a regex in order to 
handle more diverse input:
{code}
public static String cryptPassword( Commandline cl )
{
String clString = cl.toString();
final String mask = "'**'";

final Matcher matcher = 
Pattern.compile("(--password\\S*?\\s+)('[^']+?'|\"[^\"]+?\"|\\S+)")
   .matcher(clString);

final StringBuffer replaced = new StringBuffer();
while (matcher.find()) {
final String argPrefix = matcher.group(1);
matcher.appendReplacement(replaced, argPrefix + mask);
}
matcher.appendTail(replaced);

return replaced.toString();
}
{code}

> Password masking on linux does not work
> ---
>
> Key: SCM-763
> URL: https://issues.apache.org/jira/browse/SCM-763
> Project: Maven SCM
>  Issue Type: Bug
>  Components: maven-scm-provider-svn
>Affects Versions: 1.9
> Environment: Jenkins 1.502 on a SLES11
>Reporter: Tobias Kalmes
>
> Passwords are not masked in the log output on Linux machines. The masking 
> works as intended on Windows machines. On linux machines tho the password is 
> printed in clear text. This seems to be a problem due to the additional 
> single quotes that are added around the parameters on linux machines.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

[jira] [Commented] (SCM-763) Password masking on linux does not work

2018-03-19 Thread Weston Bustraan (JIRA) 

[ 
https://issues.apache.org/jira/browse/SCM-763?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16404715#comment-16404715
 ] 

Weston Bustraan commented on SCM-763:
-

[~michael-o], you are correct, the regex does treat the ending double quote as 
part of the password in your example; you would probably need a more complex 
routine or regex to perfectly handle that. However, the string produced by the 
password masking isn't intended to actually be executed by the OS; it is just 
printed on stdout for the user to see. The goal is to prevent the password from 
being printed to the log output and I believe that it still accomplishes that 
goal better than the original implementation.

> Password masking on linux does not work
> ---
>
> Key: SCM-763
> URL: https://issues.apache.org/jira/browse/SCM-763
> Project: Maven SCM
>  Issue Type: Bug
>  Components: maven-scm-provider-svn
>Affects Versions: 1.9
> Environment: Jenkins 1.502 on a SLES11
>Reporter: Tobias Kalmes
>Priority: Major
>
> Passwords are not masked in the log output on Linux machines. The masking 
> works as intended on Windows machines. On linux machines tho the password is 
> printed in clear text. This seems to be a problem due to the additional 
> single quotes that are added around the parameters on linux machines.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)