mhoffrog opened a new pull request, #237:
URL: https://github.com/apache/maven-scm/pull/237

   ## JIRA
   [SCM-1028](https://issues.apache.org/jira/browse/SCM-1028) Vulnerability: Clear text password is logged by JGit provider and by gitexe remoteinfo on a ls-remote failure
   
   ## Changes
   - GitUtil.java:
     - add method encodeURIComponent(String s) to provide a central common encoding for user credentials within URLs
     - add method maskPasswordInUrl(String urlWithCredentials)
       - implementation taken from AnonymousCommandLine.java
       - improve regex pattern to be more precise
       - replacement wrapped with the delimiters ':' and '@' to avoid replacing the password in other probable places of the URL, and thereby to avoid password guessing by e.g. redundant URL parameters
   
   - AnonymousCommandLine.java:
     - move current password masking implementation to GitUtil
     - use implementation from GitUtil
   
   - GitScmProviderRepository.java:
     - add method getFetchUrlWithMaskedPassword()
     - add method getPushUrlWithMaskedPassword()
     - method getUrl(RepositoryUrl repoUrl):
       - use user name and password encoding from GitUtil.encodeURIComponent(String s)
     - toString():
       - 👉 **BREAKING** change: provide the URL content with the password masked, to reduce the risk of passwords being shown when it is used within logs or exceptions
   
   - JGitUtils.java:
     - method prepareSession(Git git, GitScmProviderRepository repository):
       - log using methods:
         - GitScmProviderRepository.getFetchUrlWithMaskedPassword()
         - GitScmProviderRepository.getPushUrlWithMaskedPassword()
   
   - GitRemoteInfoCommand.java:
     - use GitScmProviderRepository.getFetchUrlWithMaskedPassword() for the exception message
   
   - Update JUnit tests accordingly:
     - GitScmProviderRepositoryTest.java
     - GitCommandLineUtilsTest.java
   
   ## Test result
   - All JUnit tests passed
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
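The two techniques the PR description relies on, percent-encoding credentials before they are embedded in a URL and masking only the password that sits between ':' and '@' in the userinfo part before the URL reaches a log line or exception message, as an added Java example. This is illustration code written for this page, not maven-scm's GitUtil or AnonymousCommandLine: the class name, the regular expression, the `********` mask and the sample credentials are assumptions, and it assumes Java 10 or later for `URLEncoder.encode(String, Charset)`.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (hypothetical class, not maven-scm code): build a URL with
 * encoded credentials, and mask the password before logging that URL.
 */
public final class CredentialUrlExample {

    // Assumed pattern: match "scheme://user:password@" at the start of the URL.
    // Group 1 = scheme, "://", user name and the ':' that starts the password.
    // Group 2 = the password (everything up to the '@' that ends the userinfo).
    // Group 3 = that '@'. A host:port pair without userinfo has no '@' after
    // the port, so it does not match and is left untouched.
    private static final Pattern PASSWORD_IN_URL =
        Pattern.compile("^([a-zA-Z][a-zA-Z0-9+.-]*://[^/@:]+:)([^@/]+)(@)");

    private static final String MASK = "********";

    private CredentialUrlExample() {
    }

    /**
     * Percent-encode a user name or password so that characters such as
     * '@', ':' and '/' cannot break the URL structure (or the masking regex).
     * URLEncoder is form encoding, so its '+' for a space is rewritten to %20.
     */
    static String encodeURIComponent(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8).replace("+", "%20");
    }

    /**
     * Replace only the userinfo password with the mask. Because the match is
     * anchored between ':' and '@', a query parameter or path segment that
     * happens to equal the password is not touched, so the masked string
     * gives no hint whether any other substring of the URL equals the password.
     */
    static String maskPasswordInUrl(String urlWithCredentials) {
        if (urlWithCredentials == null) {
            return null;
        }
        Matcher m = PASSWORD_IN_URL.matcher(urlWithCredentials);
        if (!m.find()) {
            return urlWithCredentials; // no userinfo password present
        }
        return urlWithCredentials.substring(0, m.start(2))
            + MASK
            + urlWithCredentials.substring(m.end(2));
    }

    /** Build "scheme://user:password@host/path" from already-separated parts. */
    static String buildUrl(String scheme, String user, String password, String hostAndPath) {
        return scheme + "://" + encodeURIComponent(user) + ":" + encodeURIComponent(password)
            + "@" + hostAndPath;
    }

    public static void main(String[] args) {
        // Constructed sample credentials containing characters that need encoding.
        String user = "alice@corp";
        String password = "p@ss:word/1";
        String url = buildUrl("https", user, password, "git.example.org/team/repo.git");

        // The clear-text URL is what must never be logged.
        System.out.println("fetch url (do not log): " + url);
        // The masked form is safe for log lines and exception messages.
        System.out.println("fetch url (masked):     " + maskPasswordInUrl(url));

        // URLs without userinfo, including host:port, pass through unchanged.
        System.out.println(maskPasswordInUrl("https://git.example.org:8443/team/repo.git"));
    }
}
```

Because the '@' in the user name is encoded as `%40` before the URL is assembled, the masking regex sees exactly one '@' terminating the userinfo part; without the encoding step the user name itself would end the match early and the password could survive into the log.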