[SCM-1028] Fix clear password logging vulnerability

- GitUtil.java:
  - add method maskPasswordInUrl(String urlWithCredentials)
    - implementation taken from AnonymousCommandLine.java
    - improve regex pattern to be more precise
    - replace wrapped with delimiters ':' and '@' to avoid replacing
      the password within probable other places of the URL
      to avoid password guessing by using e.g. redundant URL parameters

- AnonymousCommandLine.java:
  - move current password masking implementation to GitUtil
  - use implementation from GitUtil

- GitScmProviderRepository.java:
  - add method getFetchUrlWithMaskedPassword()
  - add method getPushUrlWithMaskedPassword()
  - toString():
    - BREAKING change: provide URL content with masked password
      to reduce risk of usage within logs or exceptions
      with showing passwords by that

- JGitUtils.java:
  - method prepareSession(Git git, GitScmProviderRepository repository):
    - log using methods:
      - GitScmProviderRepository.getFetchUrlWithMaskedPassword()
      - GitScmProviderRepository.getPushUrlWithMaskedPassword()

- GitRemoteInfoCommand.java:
  - use GitScmProviderRepository.getFetchUrlWithMaskedPassword()
    for exception message

- Update JUnit tests accordingly:
  - GitScmProviderRepositoryTest.java
  - GitCommandLineUtilsTest.java

This closes #237

Author: mhoffrog

maven-scm-providers/maven-scm-providers-git/maven-scm-provider-git-commons/src/main/java/org/apache/maven/scm/provider/git/repository/GitScmProviderRepository.java

@@ -26,6 +26,7 @@
 import org.apache.maven.scm.ScmException;
 import org.apache.maven.scm.provider.ScmProviderRepository;
 import org.apache.maven.scm.provider.ScmProviderRepositoryWithHost;
+import org.apache.maven.scm.provider.git.util.GitUtil;
 
 /**
  * @author <a href="mailto:[email protected]">Emmanuel Venisse</a>
@@ -185,13 +186,27 @@ public String getFetchUrl() {
         return getUrl(fetchInfo);
     }
 
+    /**
+     * @return the URL to fetch from with masked password used for logging purposes only
+     */
+    public String getFetchUrlWithMaskedPassword() {
+        return GitUtil.maskPasswordInUrl(getFetchUrl());
+    }
+
     /**
      * @return the URL used to push to the upstream repository
      */
     public String getPushUrl() {
         return getUrl(pushInfo);
     }
 
+    /**
+     * @return the URL to push to with masked password used for logging purposes only
+     */
+    public String getPushUrlWithMaskedPassword() {
+        return GitUtil.maskPasswordInUrl(getPushUrl());
+    }
+
     /**
      * Parse the given url string and store all the extracted
      * information in a {@code RepositoryUrl}
@@ -385,6 +400,7 @@ private String parseHostAndPort(RepositoryUrl repoUrl, String url) throws ScmExc
     /**
      * {@inheritDoc}
      */
+    @Override
     public String getRelativePath(ScmProviderRepository ancestor) {
         if (ancestor instanceof GitScmProviderRepository) {
             GitScmProviderRepository gitAncestor = (GitScmProviderRepository) ancestor;
@@ -403,11 +419,15 @@ public String getRelativePath(ScmProviderRepository ancestor) {
     /**
      * {@inheritDoc}
      */
+    @Override
     public String toString() {
         // yes we really like to check if those are the exact same instance!
         if (fetchInfo == pushInfo) {
-            return getUrl(fetchInfo);
+            return getFetchUrlWithMaskedPassword();
         }
-        return URL_DELIMITER_FETCH + getUrl(fetchInfo) + URL_DELIMITER_PUSH + getUrl(pushInfo);
+        return URL_DELIMITER_FETCH
+                + getFetchUrlWithMaskedPassword()
+                + URL_DELIMITER_PUSH
+                + getPushUrlWithMaskedPassword();
     }
 }

maven-scm-providers/maven-scm-providers-git/maven-scm-provider-git-commons/src/main/java/org/apache/maven/scm/provider/git/util/GitUtil.java

@@ -20,21 +20,30 @@
 
 import java.io.File;
 import java.io.IOException;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
+import org.apache.commons.lang3.StringUtils;
 import org.apache.maven.scm.providers.gitlib.settings.Settings;
 import org.apache.maven.scm.providers.gitlib.settings.io.xpp3.GitXpp3Reader;
 import org.codehaus.plexus.util.ReaderFactory;
 import org.codehaus.plexus.util.xml.pull.XmlPullParserException;
 
 /**
  * @author <a href="mailto:[email protected]">Emmanuel Venisse</a>
- *
  */
 public class GitUtil {
     protected static final String GIT_SETTINGS_FILENAME = "git-settings.xml";
 
     public static final File DEFAULT_SETTINGS_DIRECTORY = new File(System.getProperty("user.home"), ".scm");
 
+    /** The password placeholder must contain delimiters.
+     *  Otherwise replacing may replace other portions of the URL as well
+     *  and in worst case passwords could be guessed. */
+    public static final String PASSWORD_PLACE_HOLDER_WITH_DELIMITERS = ":********@";
+
+    private static final Pattern PASSWORD_IN_URL_PATTERN = Pattern.compile("^.*(:[^/].*@).*$");
+
     private static File settingsDirectory = DEFAULT_SETTINGS_DIRECTORY;
 
     private static Settings settings;
@@ -77,4 +86,24 @@ public static void setSettingsDirectory(File directory) {
     public static File getSettingsFile() {
         return new File(settingsDirectory, GIT_SETTINGS_FILENAME);
     }
+
+    /**
+     * Provides an anonymous output to mask password. Considering URL of type :
+     * &lt;&lt;protocol&gt;&gt;://&lt;&lt;user&gt;&gt;:&lt;&lt;password&gt;&gt;@
+     * &lt;&lt;host_definition&gt;&gt;
+     *
+     * @param urlWithCredentials
+     * @return urlWithCredentials but password masked with stars
+     */
+    public static String maskPasswordInUrl(String urlWithCredentials) {
+        String output = urlWithCredentials;
+        final Matcher passwordMatcher = PASSWORD_IN_URL_PATTERN.matcher(output);
+        if (passwordMatcher.find()) {
+            // clear password with delimiters
+            final String clearPasswordWithDelimiters = passwordMatcher.group(1);
+            // to be replaced in output by stars with delimiters
+            output = StringUtils.replace(output, clearPasswordWithDelimiters, PASSWORD_PLACE_HOLDER_WITH_DELIMITERS);
+        }
+        return output;
+    }
 }

maven-scm-providers/maven-scm-providers-git/maven-scm-provider-git-commons/src/test/java/org/apache/maven/scm/provider/git/repository/GitScmProviderRepositoryTest.java

@@ -126,7 +126,7 @@ public void testLegalHttpURLWithUser() throws Exception {
     public void testLegalHttpURLWithUserPassword() throws Exception {
         testUrl(
                 "scm:git:http://user:[email protected]",
-                null,
+                "http://user:********@gitrepos.apache.org",
                 "http://user:[email protected]",
                 null,
                 "user",
@@ -174,7 +174,7 @@ public void testLegalHttpsURLWithUser() throws Exception {
     public void testLegalHttpsURLWithUserPassword() throws Exception {
         testUrl(
                 "scm:git:https://user:[email protected]",
-                null,
+                "https://user:********@gitrepos.apache.org",
                 "https://user:[email protected]",
                 null,
                 "user",
@@ -202,7 +202,7 @@ public void testLegalSshURLWithUser() throws Exception {
     public void testLegalSshURLWithUserPassword() throws Exception {
         testUrl(
                 "scm:git:ssh://user:[email protected]",
-                null,
+                "ssh://user:********@gitrepos.apache.org",
                 "ssh://user:[email protected]",
                 null,
                 "user",
@@ -289,12 +289,12 @@ public void testGitDevUrlWithNumberedRepoAndMinus() throws Exception, ScmReposit
     public void testSpecialCharacters() throws Exception {
         testUrl(
                 "scm:git:http://gitrepos.apache.org",
-                "@_&_:_?_#_%20",
+                "/_@_&_:_?_#_%20",
                 "pass word",
                 null,
                 "http://gitrepos.apache.org",
                 null,
-                "http://%40_&_:_%3F_%23_%2520:pass%[email protected]",
+                "http://%2F_%40_&_:_%3F_%23_%2520:pass%[email protected]",
                 null,
                 "gitrepos.apache.org",
                 0,
@@ -303,11 +303,11 @@ public void testSpecialCharacters() throws Exception {
         testUrl(
                 "scm:git:http://gitrepos.apache.org",
                 "user name",
-                "@_&_:_?_#_%20",
+                "/_@_&_:_?_#_%20",
                 null,
                 "http://gitrepos.apache.org",
                 null,
-                "http://user%20name:%40_&_:_%3F_%23_%[email protected]",
+                "http://user%20name:%2F_%40_&_:_%3F_%23_%[email protected]",
                 null,
                 "gitrepos.apache.org",
                 0,
@@ -362,7 +362,7 @@ public void testLegalGitPortUrl() throws Exception {
 
         testUrl(
                 "scm:git:ssh://username:[email protected]/pmgt/trunk",
-                null,
+                "ssh://username:********@gitrepos.apache.org/pmgt/trunk",
                 "ssh://username:[email protected]/pmgt/trunk",
                 null,
                 "username",
@@ -376,7 +376,7 @@ public void testLegalGitPortUrl() throws Exception {
     public void testUsernameWithAtAndPasswordInUrl() throws ScmRepositoryException, Exception {
         testUrl(
                 "scm:git:http://[email protected]:[email protected]:8800/pmgt/trunk",
-                null,
+                "http://username%40site.com:********@gitrepos.apache.org:8800/pmgt/trunk",
                 "http://username%40site.com:[email protected]:8800/pmgt/trunk",
                 null,
                 "[email protected]",
@@ -394,7 +394,7 @@ public void testUsernameWithAtAndPasswordInUrl() throws ScmRepositoryException,
     public void testHttpFetchSshPushUrl() throws Exception {
         testUrl(
                 "scm:git:[fetch=]http://git.apache.org/myprj.git[push=]ssh://myuser:[email protected]/~/myrepo/myprj.git",
-                "[fetch=]http://myuser:mypassword@git.apache.org/myprj.git[push=]ssh://myuser:mypassword@git.apache.org/~/myrepo/myprj.git",
+                "[fetch=]http://myuser:********@git.apache.org/myprj.git[push=]ssh://myuser:********@git.apache.org/~/myrepo/myprj.git",
                 "http://myuser:[email protected]/myprj.git",
                 "ssh://myuser:[email protected]/~/myrepo/myprj.git",
                 "myuser",
@@ -405,7 +405,7 @@ public void testHttpFetchSshPushUrl() throws Exception {
 
         testUrl(
                 "scm:git:[push=]ssh://myuser:[email protected]/~/myrepo/myprj.git[fetch=]http://git.apache.org/myprj.git",
-                "[fetch=]http://myuser:mypassword@git.apache.org/myprj.git[push=]ssh://myuser:mypassword@git.apache.org/~/myrepo/myprj.git",
+                "[fetch=]http://myuser:********@git.apache.org/myprj.git[push=]ssh://myuser:********@git.apache.org/~/myrepo/myprj.git",
                 "http://myuser:[email protected]/myprj.git",
                 "ssh://myuser:[email protected]/~/myrepo/myprj.git",
                 "myuser",

maven-scm-providers/maven-scm-providers-git/maven-scm-provider-gitexe/src/main/java/org/apache/maven/scm/provider/git/gitexe/command/AnonymousCommandLine.java

@@ -18,9 +18,7 @@
  */
 package org.apache.maven.scm.provider.git.gitexe.command;
 
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-
+import org.apache.maven.scm.provider.git.util.GitUtil;
 import org.codehaus.plexus.util.cli.Commandline;
 
 /**
@@ -29,25 +27,14 @@
  */
 public class AnonymousCommandLine extends Commandline {
 
-    public static final String PASSWORD_PLACE_HOLDER = "********";
-
-    private Pattern passwordPattern = Pattern.compile("^.*:(.*)@.*$");
-
     /**
      * Provides an anonymous output to mask password. Considering URL of type :
      * <<protocol>>://<<user>>:<<password>>@
      * <<host_definition>>
      */
     @Override
     public String toString() {
-        String output = super.toString();
-        final Matcher passwordMatcher = passwordPattern.matcher(output);
-        if (passwordMatcher.find()) {
-            // clear password
-            final String clearPassword = passwordMatcher.group(1);
-            // to be replaced in output by stars
-            output = output.replace(clearPassword, PASSWORD_PLACE_HOLDER);
-        }
+        String output = GitUtil.maskPasswordInUrl(super.toString());
         return output;
     }
 }

maven-scm-providers/maven-scm-providers-git/maven-scm-provider-gitexe/src/main/java/org/apache/maven/scm/provider/git/gitexe/command/remoteinfo/GitRemoteInfoCommand.java

@@ -56,7 +56,7 @@ public RemoteInfoScmResult executeRemoteInfoCommand(
 
         int exitCode = GitCommandLineUtils.execute(clLsRemote, consumer, stderr);
         if (exitCode != 0) {
-            throw new ScmException("unable to execute ls-remote on " + gitRepository.getFetchUrl());
+            throw new ScmException("unable to execute ls-remote on " + gitRepository.getFetchUrlWithMaskedPassword());
         }
 
         return consumer.getRemoteInfoScmResult();

maven-scm-providers/maven-scm-providers-git/maven-scm-provider-gitexe/src/test/java/org/apache/maven/scm/provider/git/gitexe/command/GitCommandLineUtilsTest.java

@@ -28,6 +28,7 @@
 
 import org.apache.maven.scm.ScmException;
 import org.apache.maven.scm.provider.git.repository.GitScmProviderRepository;
+import org.apache.maven.scm.provider.git.util.GitUtil;
 import org.codehaus.plexus.util.Os;
 import org.codehaus.plexus.util.cli.Commandline;
 import org.junit.Test;
@@ -91,13 +92,13 @@ public void testPasswordAnonymous() throws Exception {
             assertFalse(
                     MessageFormat.format(
                             "The target log message should not contain <{0}> but it contains <{1}>",
-                            AnonymousCommandLine.PASSWORD_PLACE_HOLDER, commandLineArgs[i]),
-                    commandLineArgs[i].contains(AnonymousCommandLine.PASSWORD_PLACE_HOLDER));
+                            GitUtil.PASSWORD_PLACE_HOLDER_WITH_DELIMITERS, commandLineArgs[i]),
+                    commandLineArgs[i].contains(GitUtil.PASSWORD_PLACE_HOLDER_WITH_DELIMITERS));
         }
 
-        final String scmUrlFakeForTest = "https://user:"
-                .concat(AnonymousCommandLine.PASSWORD_PLACE_HOLDER)
-                .concat("@foo.com/git/trunk");
+        final String scmUrlFakeForTest = "https://user"
+                .concat(GitUtil.PASSWORD_PLACE_HOLDER_WITH_DELIMITERS)
+                .concat("foo.com/git/trunk");
 
         assertTrue(
                 MessageFormat.format(

maven-scm-providers/maven-scm-providers-git/maven-scm-provider-jgit/src/main/java/org/apache/maven/scm/provider/git/jgit/command/JGitUtils.java

@@ -20,8 +20,6 @@
 
 import java.io.File;
 import java.io.IOException;
-import java.io.UnsupportedEncodingException;
-import java.net.URLEncoder;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Date;
@@ -132,28 +130,16 @@ public static ProgressMonitor getMonitor() {
      * @param git        the instance to configure (only in memory, not saved)
      * @param repository the repo config to be used
      * @return {@link CredentialsProvider} in case there are credentials
-     *         informations configured in the repository.
+     * informations configured in the repository.
      */
     public static CredentialsProvider prepareSession(Git git, GitScmProviderRepository repository) {
         StoredConfig config = git.getRepository().getConfig();
         config.setString("remote", "origin", "url", repository.getFetchUrl());
         config.setString("remote", "origin", "pushURL", repository.getPushUrl());
 
         // make sure we do not log any passwords to the output
-        String password = StringUtils.isNotBlank(repository.getPassword())
-                ? repository.getPassword().trim()
-                : "no-pwd-defined";
-        // if password contains special characters it won't match below.
-        // Try encoding before match. (Passwords without will be unaffected)
-        try {
-            password = URLEncoder.encode(password, "UTF-8");
-        } catch (UnsupportedEncodingException e) {
-            // UTF-8 should be valid
-            // TODO use a logger
-            System.out.println("Ignore UnsupportedEncodingException when trying to encode password");
-        }
-        LOGGER.info("fetch url: " + repository.getFetchUrl().replace(password, "******"));
-        LOGGER.info("push url: " + repository.getPushUrl().replace(password, "******"));
+        LOGGER.info("fetch url: " + repository.getFetchUrlWithMaskedPassword());
+        LOGGER.info("push url: " + repository.getPushUrlWithMaskedPassword());
         return getCredentials(repository);
     }