maven-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SCM-811) m2 release plugin shows SCM git password if fatal occurred during git push
Date Sat, 06 Feb 2016 15:18:39 GMT

    [ https://issues.apache.org/jira/browse/SCM-811?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15135814#comment-15135814 ]

ASF GitHub Bot commented on SCM-811:
------------------------------------

GitHub user eddiewebb opened a pull request:

    https://github.com/apache/maven-scm/pull/45

    Resolves critical security bug SCM-811

    This PR addresses https://issues.apache.org/jira/browse/SCM-811 by allowing the shared ScmResult in the api module to mask known patterns. Covers SVN and git patterns (which are the ones impacting us and likely most popular).
    
    Includes simple unit test to validate passwords aren't leaked.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/Libertymutual/maven-scm SCM-811

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/maven-scm/pull/45.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #45
    
----
commit 8785b85e0d6273f88e7bd173c5d59d0e2c1148c2
Author: EDWARD WEBB <edward.webb@libertymutual.com>
Date:   2016-02-06T14:58:36Z

    #resolves SCM-811 by masking command output in ScmResult class used by all SCM operations

commit 9d009e8f14c0dff99c377b8991bdd59b519f0d33
Author: EDWARD WEBB <edward.webb@libertymutual.com>
Date:   2016-02-06T15:15:41Z

    Simple test for SCM-811 ensures output is masked

----


> m2 release plugin shows SCM git password if fatal occurred during git push
> --------------------------------------------------------------------------
>
>                 Key: SCM-811
>                 URL: https://issues.apache.org/jira/browse/SCM-811
>             Project: Maven SCM
>          Issue Type: Improvement
>          Components: maven-scm-provider-git
>    Affects Versions: 1.9.4
>         Environment: RHEL6, Windows
>            Reporter: Vasilii Ruzov
>
> I'm running
> mvn release:prepare -Dusername=myuser -Dpassword=mypassword
> and see lines in output:
> {quote}[INFO] Executing: cmd.exe /X /C "git push https://myuser:********@myserver.com:8081/scm/project/project.git refs/heads/master:refs/heads/master"
> {quote}
> but if for some reason git push failed (e.g. I made a mistake typing the password) then I see in the log
> {quote}
> [ERROR] fatal: unable to access 'https://myuser:mypassword@myserver.com:8081/scm/project/project.git/': SSL certificate problem: self signed certificate in certificate chain
> {quote}
> So I see the *PLAINTEXT* password. As I use this step on TeamCity, it causes security problems when someone else can see my password if the build failed. I tried both on Linux and Windows machines.
> I use maven-release-plugin version 2.5.3.
> http://stackoverflow.com/questions/33831383/maven-release-plugin-shows-plaintext-password-on-git-push-error



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
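The masking approach the pull request describes (known git and SVN credential patterns in SCM command output, plus a test that the password is not leaked) is shown below as an added Python example. It is not code from maven-scm, from the PR or from the JIRA reporter; the function names, the regular expressions and the sample log lines are constructed here, using the placeholder password `mypassword` from the issue text. It goes one step beyond the PR's pattern-only approach by also masking a known secret value (such as the `-Dpassword` argument) wherever it appears, including its URL-encoded form.

```python
import re
from urllib.parse import quote

MASK = "********"

# Known pattern 1: userinfo password in an http(s) URL, e.g. https://user:secret@host/repo.git
# Only the password part is masked; the username stays visible, as in Maven's own INFO line.
_URL_PASSWORD = re.compile(r"(?P<prefix>https?://[^/\s:@]+:)(?P<password>[^@/\s]+)@")

# Known pattern 2: svn-style "--password secret" or "--password=secret" on a command line.
_SVN_PASSWORD = re.compile(r"(?P<flag>--password[ =])(?P<password>\S+)")


def mask_known_patterns(text: str) -> str:
    """Mask credentials that match the known git (URL userinfo) and svn (--password) patterns."""
    text = _URL_PASSWORD.sub(lambda m: f"{m.group('prefix')}{MASK}@", text)
    text = _SVN_PASSWORD.sub(lambda m: f"{m.group('flag')}{MASK}", text)
    return text


def mask_secret(text: str, secret: str) -> str:
    """Mask every occurrence of a known secret, in plain and URL-encoded form.

    An empty secret is ignored so that a missing -Dpassword cannot turn
    every position in the output into a mask.
    """
    if not secret:
        return text
    for variant in {secret, quote(secret, safe="")}:
        text = text.replace(variant, MASK)
    return text


def mask_output(text: str, secrets=()) -> str:
    """Apply pattern masking first, then mask any explicitly known secrets."""
    text = mask_known_patterns(text)
    for secret in secrets:
        text = mask_secret(text, secret)
    return text


def credentials_leaked(text: str, secrets) -> bool:
    """The check a unit test would make: does any known secret still appear in the output?"""
    return any(secret and (secret in text or quote(secret, safe="") in text) for secret in secrets)


# Constructed sample output, modelled on the INFO and ERROR lines quoted in the issue,
# plus an svn command line of the kind the SVN provider would log.
SAMPLE_OUTPUT = "\n".join([
    '[INFO] Executing: cmd.exe /X /C "git push https://myuser:mypassword@myserver.com:8081/scm/project/project.git refs/heads/master:refs/heads/master"',
    "[ERROR] fatal: unable to access 'https://myuser:mypassword@myserver.com:8081/scm/project/project.git/': SSL certificate problem: self signed certificate in certificate chain",
    "[INFO] Executing: svn --username myuser --password mypassword --non-interactive commit -m 'release'",
])

if __name__ == "__main__":
    masked = mask_output(SAMPLE_OUTPUT, ["mypassword"])
    print(masked)
    print("leaked:", credentials_leaked(masked, ["mypassword"]))
```

The pattern-based masking is what makes the fix work even when the build has no explicit password to hand (for example when the credential came from a `settings.xml` server entry), while the secret-value masking catches a password echoed by the tool in a form neither pattern anticipates.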
