maven-issues mailing list archives

From "Eddie Webb (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SCM-811) m2 release plugin shows SCM git password if fatal occurred during git push
Date Fri, 05 Feb 2016 18:56:39 GMT

    [ https://issues.apache.org/jira/browse/SCM-811?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15134701#comment-15134701 ]

Eddie Webb commented on SCM-811:
--------------------------------

Looks like the native git provider has an issue unrelated to SCM-817 (which now has an open
PR) that affects *any* error scenario where git's stderr is piped directly to us.
Arguably, yes, this is an issue in git itself, but I do feel that given Maven's use in CI/CD
systems it would be wise to mask any passwords that native git might leak. Trying to find
the best approach to address that, most likely keeping it specific to the git scm providers
as URL patterns for CVS, Jazz, SVN, etc. are different.

> m2 release plugin shows SCM git password if fatal occurred during git push
> -------------------------------------------------------------------------
>
>                 Key: SCM-811
>                 URL: https://issues.apache.org/jira/browse/SCM-811
>             Project: Maven SCM
>          Issue Type: Improvement
>          Components: maven-scm-provider-git
>    Affects Versions: 1.9.4
>         Environment: RHEL6, Windows
>            Reporter: Vasilii Ruzov
>
> I'm running
> mvn release:prepare -Dusername=myuser -Dpassword=mypassword
> and see lines in output:
> {quote}[INFO] Executing: cmd.exe /X /C "git push https://myuser:********@myserver.com:8081/scm/project/project.git
> refs/heads/master:refs/heads/master"
> {quote}
> but if for some reason git push failed (e.g. I made a mistake typing password) then I
> see in the log
> {quote}
> [ERROR] fatal: unable to access 'https://myuser:mypassword@myserver.com:8081/scm/project/project.git/':
> SSL certificate problem: self signed certificate in certificate chain
> {quote}
> So I see *PLAINTEXT* password. As I use this step on Teamcity it causes security problems
> when someone else can see my password if build failed. I tried both on Linux and Windows machines.
> I use maven-release-plugin version 2.5.3.
> http://stackoverflow.com/questions/33831383/maven-release-plugin-shows-plaintext-password-on-git-push-error

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
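The comment above proposes masking passwords in whatever native git writes to stderr before Maven echoes it, scoped to the git providers because their URL shape (scheme://user:password@host) is distinct. The following is an added example of that kind of stderr filter; it is not Maven SCM's code, and the class name GitStderrMasker, its methods and the sample log lines are constructed for illustration (the host, user and password values are placeholders modelled on the report, not real ones).

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Masks passwords embedded in URLs that native git prints to stderr.
 * Added example for SCM-811; this is NOT Maven SCM's own code, and the class
 * and method names here are hypothetical.
 */
public final class GitStderrMasker {

    /**
     * Matches "scheme://user:password@" and keeps everything except the
     * password. The scheme follows the RFC 3986 syntax, the user part cannot
     * contain ':' or '@', and the password runs up to the first '@' (git
     * percent-encodes a literal '@' in the userinfo, so that delimiter is safe).
     */
    private static final Pattern CREDENTIAL_URL = Pattern.compile(
            "(\\b[A-Za-z][A-Za-z0-9+.-]*://[^/\\s:@]+:)([^@\\s]+)(@)");

    private static final String MASK = "********";

    private GitStderrMasker() {
    }

    /** Returns the line with every user:password@ segment reduced to user:********@. */
    public static String mask(String line) {
        Matcher m = CREDENTIAL_URL.matcher(line);
        // Only '$' and '\' are special in a Matcher replacement, so the asterisks are literal.
        return m.replaceAll("$1" + MASK + "$3");
    }

    /** True if the line carries a user:password@ URL whose password is not already masked. */
    public static boolean containsCredential(String line) {
        Matcher m = CREDENTIAL_URL.matcher(line);
        while (m.find()) {
            if (!MASK.equals(m.group(2))) {
                return true;
            }
        }
        return false;
    }

    /** Convenience for a whole stderr capture: mask each line independently. */
    public static List<String> maskAll(List<String> lines) {
        List<String> out = new ArrayList<>(lines.size());
        for (String line : lines) {
            out.add(mask(line));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample lines modelled on the report; "mypassword" and
        // "myserver.com" are placeholders, not real credentials or hosts.
        List<String> stderr = Arrays.asList(
                "[INFO] Executing: cmd.exe /X /C \"git push https://myuser:********@myserver.com:8081/scm/project/project.git refs/heads/master:refs/heads/master\"",
                "[ERROR] fatal: unable to access 'https://myuser:mypassword@myserver.com:8081/scm/project/project.git/': SSL certificate problem: self signed certificate in certificate chain",
                "[ERROR] fatal: unable to access 'https://myserver.com:8081/scm/project/project.git/': Could not resolve host",
                "[ERROR] fatal: Could not read from remote repository ssh://git@myserver.com/scm/project/project.git");
        for (String line : stderr) {
            boolean leaked = containsCredential(line);
            String masked = mask(line);
            // Expected: only the second line is flagged; all four come out without a plaintext password.
            System.out.println((leaked ? "LEAK " : "ok   ") + masked);
        }
    }
}
```

Two properties matter for a filter like this in a release pipeline: it is idempotent, so the already-masked "Executing:" line from the report passes through unchanged, and it errs toward over-masking, since a URL such as host:port/path@something would also have its middle replaced, which is harmless in a log. The regex deliberately does not touch ssh://git@host forms, which carry no password, and it cannot recover a password that git has split across lines or percent-encoded with whitespace, so it is a backstop on the output side rather than a substitute for keeping credentials out of the command line in the first place.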
