[ https://issues.apache.org/jira/browse/SCM-811?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15135814#comment-15135814 ]

ASF GitHub Bot commented on SCM-811:
------------------------------------

GitHub user eddiewebb opened a pull request:

    https://github.com/apache/maven-scm/pull/45

    Resolves critical security bug SCM-811

    This PR addresses https://issues.apache.org/jira/browse/SCM-811 by allowing 
the shared ScmResult in the api module to mask known patterns.  Covers SVN and 
git patterns (which are the ones impacting us and likely most popular).
    
    Includes a simple unit test to validate that passwords aren't leaked.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/Libertymutual/maven-scm SCM-811

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/maven-scm/pull/45.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #45
    
----
commit 8785b85e0d6273f88e7bd173c5d59d0e2c1148c2
Author: EDWARD WEBB <edward.w...@libertymutual.com>
Date:   2016-02-06T14:58:36Z

    #resolves SCM-811 by masking command output in ScmResult class used by all 
SCM operations

commit 9d009e8f14c0dff99c377b8991bdd59b519f0d33
Author: EDWARD WEBB <edward.w...@libertymutual.com>
Date:   2016-02-06T15:15:41Z

    Simple test for SCM-811 ensures output is masked

----


> m2 release plugin shows SCM git password if fatal occurred during git push
> --------------------------------------------------------------------------
>
>                 Key: SCM-811
>                 URL: https://issues.apache.org/jira/browse/SCM-811
>             Project: Maven SCM
>          Issue Type: Improvement
>          Components: maven-scm-provider-git
>    Affects Versions: 1.9.4
>         Environment: RHEL6, Windows
>            Reporter: Vasilii Ruzov
>
> I'm running
> mvn release:prepare -Dusername=myuser -Dpassword=mypassword
> and see these lines in the output:
> {quote}[INFO] Executing: cmd.exe /X /C "git push 
> https://myuser:********@myserver.com:8081/scm/project/project.git 
> refs/heads/master:refs/heads/master"
> {quote}
> but if for some reason git push failed (e.g. I made a mistake typing the password) 
> then I see in the log
> {quote}
> [ERROR] fatal: unable to access 
> 'https://myuser:mypassw...@myserver.com:8081/scm/project/project.git/': SSL 
> certificate problem: self signed certificate in certificate chain
> {quote}
> So I see the *PLAINTEXT* password. As I use this step on TeamCity, it causes 
> security problems when someone else can see my password if the build failed. I 
> tried both on Linux and Windows machines.
> I use maven-release-plugin version 2.5.3.
> http://stackoverflow.com/questions/33831383/maven-release-plugin-shows-plaintext-password-on-git-push-error
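
Added example, not code from the maven-scm pull request (which is Java) and not the project's ScmResult implementation: a Python sketch of the masking approach the PR describes, covering the git URL pattern from the error line quoted in the report above and the svn --password option pattern. The sample output lines are constructed to mirror the report, the function names (mask_credentials, mask_known_secret, mask_output, leaks) are assumptions for illustration, and the literal-secret fallback is an addition beyond the PR's pattern matching, for output formats the patterns do not anticipate.

```python
import re

MASK = "********"

# Constructed sample output modelled on the lines quoted in SCM-811; not captured
# from a real build. It mixes an echoed git push command, the git fatal error that
# leaked the password, svn-style --password options, and a URL without credentials
# that must be left untouched (the ':8081' port must not be mistaken for a password).
SAMPLE_OUTPUT = "\n".join([
    '[INFO] Executing: cmd.exe /X /C "git push https://myuser:mypassword@myserver.com:8081/scm/project/project.git refs/heads/master:refs/heads/master"',
    "[ERROR] fatal: unable to access 'https://myuser:mypassword@myserver.com:8081/scm/project/project.git/': SSL certificate problem: self signed certificate in certificate chain",
    'svn --username myuser --password mypassword --non-interactive commit -m "release"',
    "svn --username myuser --password='my pass' status",
    "git clone https://myserver.com:8081/scm/project/project.git",
])

# git pattern: password in the userinfo part of a URL, scheme://user:password@host.
# The user name is kept so the line stays useful for debugging; only the password
# between the ':' of the userinfo and the '@' is replaced. A host:port with no '@'
# after it does not match, so ports survive.
URL_USERINFO_PASSWORD = re.compile(
    r"(?P<prefix>[A-Za-z][A-Za-z0-9+.-]*://[^/\s:@]+:)"   # scheme://user:
    r"(?P<pw>[^@\s/]+)"                                    # password
    r"(?P<at>@)"                                           # '@' before the host
)

# svn pattern: --password VALUE or --password=VALUE, with an optionally quoted value.
SVN_PASSWORD_OPTION = re.compile(
    r"(?P<flag>--password(?:=|\s+))"
    r"(?P<pw>\"[^\"]*\"|'[^']*'|\S+)"
)


def mask_credentials(text):
    """Mask passwords that match the known git URL and svn option patterns."""
    text = URL_USERINFO_PASSWORD.sub(
        lambda m: m.group("prefix") + MASK + m.group("at"), text)
    text = SVN_PASSWORD_OPTION.sub(
        lambda m: m.group("flag") + MASK, text)
    return text


def mask_known_secret(text, secret):
    """Replace the literal secret wherever it appears, catching output formats
    the patterns above do not anticipate (e.g. a tool echoing the password on
    its own line). An empty secret is ignored so nothing is masked by accident."""
    if not secret:
        return text
    return text.replace(secret, MASK)


def mask_output(text, known_secrets=()):
    """Pattern-based masking first, then literal masking of every known secret."""
    text = mask_credentials(text)
    for secret in known_secrets:
        text = mask_known_secret(text, secret)
    return text


def leaks(text, secret):
    """True if the secret still appears in the text: the check a unit test
    for this bug would make on the masked output."""
    return bool(secret) and secret in text


if __name__ == "__main__":
    masked = mask_output(SAMPLE_OUTPUT, ["mypassword", "my pass"])
    print(masked)
    print("leaked:", leaks(masked, "mypassword"))
```

Two caveats when applying this in a build tool: register only real credential values as known secrets (a short or common string such as a user name would over-mask harmless text), and mask at the point where command output is stored in the result object, not only where it is logged, since the plugin printing the result cannot know which substrings were secret.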



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
