[SCM-1028] Fix clear password logging vulnerability

[mhoffrog]

JIRA

SCM-1028 Vulnerability: Clear text password is logged by JGit provider and by gitexe remoteinfo on a ls-remote failure

Changes

• GitUtil.java:

  • add method maskPasswordInUrl(String urlWithCredentials)
    • implementation taken from AnonymousCommandLine.java
    • improve regex pattern to be more precise
    • replace wrapped with delimiters ':' and '@' to avoid replacing the password within probable other places of the URL to avoid password guessing by using e.g. redundant URL parameters

• AnonymousCommandLine.java:

  • move current password masking implementation to GitUtil
  • use implementation from GitUtil

• GitScmProviderRepository.java:

  • add method getFetchUrlWithMaskedPassword()
  • add method getPushUrlWithMaskedPassword()
  • toString():
    • 👉 BREAKING change: provide URL content with masked password to reduce risk of usage within logs or exceptions with showing passwords by that

• JGitUtils.java:

  • method prepareSession(Git git, GitScmProviderRepository repository):
    • log using methods:
      • GitScmProviderRepository.getFetchUrlWithMaskedPassword()
      • GitScmProviderRepository.getPushUrlWithMaskedPassword()

• GitRemoteInfoCommand.java:

  • use GitScmProviderRepository.getFetchUrlWithMaskedPassword() for exception message

• Update JUnit tests accordingly:

  • GitScmProviderRepositoryTest.java
  • GitCommandLineUtilsTest.java

Test result

• All JUnit tests passed

[mhoffrog]

Fixed issue with @see in JavaDoc of GitUtil.java by recent force push.

[mhoffrog]

fixed spotless violations

[mhoffrog]

@michael-o Update according to resolved conversations above.

[mhoffrog]

@michael-o Many thanks for your review! Please find my answers accordingly and let me know if / what should be changed or improved.

[mhoffrog]

@michael-o This is the place where the find() did have been taken from - did not want to touch this.

[mhoffrog]

@michael-o Please let me know if there anything missing or is to be improved from my end.

[slawekjaranowski]

@michael-o - Please take account that PR with status 'closed' will be not reported by release drafter.

So we will not have it in release notes.

[slawekjaranowski]

please look ar draft release notes - https://github.com/apache/maven-scm/releases

[mhoffrog]

@slawekjaranowski @michael-o

• Is there a reason why asf-gitbox-commits is closing without merging the PR and creating a dedicated commit to master with the changes? Looks pretty irritating.
• Same question for release notes - I'd like to get it appearing in the release notes - just because it is a vulnerability fix.

[olly-cb]

@slawekjaranowski @michael-o @hboutemy shouldn't we ask INFRA to mark the PR merged instead of closed.
And so everybody is happy? :)

maybe instead

This closes https://github.com/apache/maven-scm/pull/237

this should be

This merge https://github.com/apache/maven-scm/pull/237

not sure if supported by INFRA tooling though

[olamy]

but yeah nice release notes generated automatically is important too :P

[mhoffrog]

@slawekjaranowski @michael-o @hboutemy shouldn't we ask INFRA to mark the PR merged instead of closed. And so everybody is happy? :)
...
not sure if supported by INFRA tooling though

@olly-cb
That would be the perfect solution!

If this is not possible or too complicated I could file another PR with the same JIRA reference and description providing a simple change - additionally addressing one of the review comments e.g. fix that "asterisk" phrasing or the regex find() vs. matches().
@michael-o - please let me know what you prefer - I am open to support in any way.

[hboutemy]

I'm trying to understand the issue and where we should look for solution
no idea if the change is at ASF level or at GH level
but in the past, it seems that the way @michael-o was merging code was perfectly identified as PR merge by GH: see #151

any idea about what is different between the current PR and #151?

[michael-o]

I'm trying to understand the issue and where we should look for solution no idea if the change is at ASF level or at GH level but in the past, it seems that the way @michael-o was merging code was perfectly identified as PR merge by GH: see #151

any idea about what is different between the current PR and #151?

For the past 5+ years I have been rebasing, amending with a ref to the actual PR upstreaming to master. Worked like a charm.

[hboutemy]

writing down the factual differences:

• in 2022 for [SCM-991] GitDiffConsumer cannot parse moved files #151, there were 2 messages with the expected successful GH PR conclusion:
  
  

• in 2025 in this PR, only one message with the problematic GH PR conclusion:
  
  

[hboutemy]

any idea from anybody on what magic was adding the "asfgit merged commit" step?
= what seems currently broken

[hboutemy]

searching for pointers, I see Jena project seems to have clearly documented the PR merge process via GH or via GitBas = https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=75968211#CommitWorkflowforGithubASF-Process(viagitbox.apache.org)

[michael-o]

searching for pointers, I see Jena project seems to have clearly documented the PR merge process via GH or via GitBas = https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=75968211#CommitWorkflowforGithubASF-Process(viagitbox.apache.org)

This is basically what I have been doing: "This closes #NNN".

[pzygielo]

any idea from anybody on what magic was adding the "asfgit merged commit" step? = what seems currently broken

• I think it might be the matter of pushing commit KNOWN to GitHub in context of PR (like in referenced [SCM-991] GitDiffConsumer cannot parse moved files #151 - the same commit present in PR was pushed to the target branch) or UNKNOWN (like here - 8b44e4f was brand new commit (re-committed content) pushed to target branch with closing keyword - so the PR was closed as commanded, but not recognized as being merged; the commit comment just closed the PR for some, perhaps unreladed, reason, but it was not merged.)

This is basically what I have been doing: "This closes #NNN".

And such comment "closes" issues/PRs as requested. If merged "correctly" - there would be no reason to add such comment.

With merge being fast-forwarded or squashed or done with merge commit, in GitHub or externally to GitHub - there are many possibilities to be considered.

[michael-o]

any idea from anybody on what magic was adding the "asfgit merged commit" step? = what seems currently broken

* I think it might be the matter of pushing commit KNOWN to GitHub in context of PR (like in referenced [[SCM-991] GitDiffConsumer cannot parse moved files #151](https://github.com/apache/maven-scm/pull/151) - the same commit present in PR was pushed to the target branch) or UNKNOWN (like here - [8b44e4f](https://github.com/apache/maven-scm/commit/8b44e4f6745e7bd677428be093921267317b8fe8) was brand new commit (re-committed content) pushed to target branch with closing keyword - so the PR was closed as commanded, but not recognized as being merged; the commit comment just closed the PR for some, perhaps unreladed, reason, but it was not _merged_.)

This is basically what I have been doing: "This closes #NNN".

And such comment "closes" issues/PRs as requested. If merged "correctly" - there would be no reason to add such comment.

With merge being fast-forwarded or squashed or done with merge commit, in GitHub or externally to GitHub - there are many possibilities to be considered.

Technically not necessary, but for reference helpful.

[hboutemy]

@michael-o it seems @pzygielo 's explanation is right, and it was the case 4 years ago: see #120
PR's commit https://github.com/apache/maven-scm/pull/120/commits is different form master commit 3a10d0f

so it does not seem GitBox/GH behaviour changed, BUT we now do care about PR's not seen as merged by GH but only closed...

I don't know if it is a limitation known to other projects: for example, Jena does not seem to have seen it

and to work on a solution: I don't know by which magic GH PR merge works when it reworks the commit(s) = what GitBox should mimic I suppose

[mhoffrog]

@hboutemy I could reset my PRs branch to commit 8b44e4f of the current master and force push my branch. Maybe GitHub would recognize it on this PR and mark the PR as merged.

Please let me know if I should give it a try? (I guess it cannot get worse as it currently is.)

Edited 23-May-2025:
@michael-o Looking to #238 you did exactly that - force pushing the commit on master to the PR branch - and this did change the state of the PR from closed to merged as far as I can see.
I guess that is what is missing on this PR here.
Can you do the same here? - you have the appropriate rights on my branch since I did check to allow edits for maintainers on it.

[michael-o]

@hboutemy I could reset my PRs branch to commit 8b44e4f of the current master and force push my branch. Maybe GitHub would recognize it on this PR and mark the PR as merged.

Please let me know if I should give it a try? (I guess it cannot get worse as it currently is.)

Edited 23-May-2025: @michael-o Looking to #238 you did exactly that - force pushing the commit on master to the PR branch - and this did change the state of the PR from closed to merged as far as I can see. I guess that is what is missing on this PR here. Can you do the same here? - you have the appropriate rights on my branch since I did check to allow edits for maintainers on it.

Try yourself and we will see.

[mhoffrog]

@michael-o

Try yourself and we will see.

Done - but it does not work this way.
There is an instruction at How to reopen a pull-request after a force-push but I guess that will not work for me, since it requires rights to re-open a PR on this repo.
Could you or one of the repo maintainers give it a try?

[michael-o]

@michael-o

Try yourself and we will see.

Done - but it does not work this way. There is an instruction at How to reopen a pull-request after a force-push but I guess that will not work for me, since it requires rights to re-open a PR on this repo. Could you or one of the repo maintainers give it a try?

I can't either. It has been terminally closed.

[mhoffrog]

Did file PR #244 hoping that GH would close it as merged after force pushing it to commit 8b44e4f - but that did not work either.

@michael-o It looks that the remaining option to get it listed by the release notes is to manually edit release notes for the next release.

[hboutemy]

yes, we'll have to update release notes by hand for the current PR: that's life

it's for future cases like that that we need to find a good way to avoid that manual overhead

[mhoffrog]

Lessons learned - rules for PR merging:

1. If one creates a commit hash deviating from the final commit of a PR before merging, then force push this commit hash to the PR branch first.
2. Make sure in any case to merge the PR branches final commit hash to the target branch to let GitHub properly recognize the PR as merged to the target branch.

[jira-importer]

Resolve #1254