[SCM-1028] Vulnerability: Clear text password is logged by JGit provider and by gitexe remoteinfo on a ls-remote failure

[jira-importer]

Markus Hoffrogge opened SCM-1028 and commented

Issue(s):

1. {}JGit provider{}: If the git password contains special characters which are differently encoded by the URI class than {}by URLEncode.encode{}, then the password masking does not become effective and the password is logged in clear URI encoded format by the jgit provider.
2. {}Gitexe remoteinfo{}: In case ls-remote is failing, then a ScmException is being thrown with the fetch URL passed as error message containing the URI encoded clear password.

Root cause(s):

1. The URL encoding used for the credentials within fetch and push URL differs from the encoding being used for masking the password at JGitUtils.prepareSession(...)
2. Password is not masked for the exception message passed to the ScmException used at GitRemoteInfoCommand.executeRemoteInfoCommand(...)

Solution:

PR #237

---

Affects: 2.1.0

Remote Links:

• GitHub Pull Request #237
  
• GitHub Pull Request #244
  

[jira-importer]

Michael Osipov commented

https://www.ietf.org/rfc/rfc3986.html#section-3.2.1

[jira-importer]

Markus Hoffrogge commented

Michael Osipov - is there anything to be done from my end getting this moved forward. Did comment on any comment of your request for changes on the GitHub PR. Please have a look and let me know your answers.
Kind regards Markus

[jira-importer]

Michael Osipov commented

Haven't found the time yet. Hope to find this month .

[jira-importer]

Michael Osipov commented

Fixed with 8b44e4f6745e7bd677428be093921267317b8fe8.