[JIRA] Created: (HUDSON-8524) maven release build exposes users' username and password


[JIRA] Created: (HUDSON-8524) maven release build exposes users' username and password

Kohsuke Kawaguchi
Administrator
maven release build exposes users' username and password
--------------------------------------------------------

                 Key: HUDSON-8524
                 URL: http://issues.hudson-ci.org/browse/HUDSON-8524
             Project: Hudson
          Issue Type: Bug
          Components: m2release
    Affects Versions: current
         Environment: Applies to all versions so far and other OSes.

System info:
Tomcat 5.5
file.encoding UTF-8
file.encoding.pkg sun.io
file.separator /
java.awt.graphicsenv sun.awt.X11GraphicsEnvironment
java.awt.headless true
java.awt.printerjob sun.print.PSPrinterJob
java.class.version 50.0
java.naming.factory.initial org.apache.naming.java.javaURLContextFactory
java.naming.factory.url.pkgs org.apache.naming
java.runtime.name Java(TM) SE Runtime Environment
java.runtime.version 1.6.0_16-b01
java.specification.name Java Platform API Specification
java.specification.vendor Sun Microsystems Inc.
java.specification.version 1.6
java.util.logging.manager org.apache.juli.ClassLoaderLogManager
java.vendor Sun Microsystems Inc.
java.vendor.url http://java.sun.com/
java.vendor.url.bug http://java.sun.com/cgi-bin/bugreport.cgi
java.version 1.6.0_16
java.vm.info mixed mode
java.vm.name Java HotSpot(TM) 64-Bit Server VM
java.vm.specification.name Java Virtual Machine Specification
java.vm.specification.vendor Sun Microsystems Inc.
java.vm.specification.version 1.0
java.vm.vendor Sun Microsystems Inc.
java.vm.version 14.2-b01
line.separator
os.arch amd64
os.name Linux
os.version 2.6.28-11-server
sun.arch.data.model 64
sun.cpu.endian little
sun.cpu.isalist
sun.io.unicode.encoding UnicodeLittle
sun.jnu.encoding UTF-8
sun.management.compiler HotSpot 64-Bit Server Compiler
sun.os.patch.level unknown
svnkit.ssh2.persistent false
tomcat.util.buf.StringCache.byte.enabled true
user.country US
user.language en
user.name hudson
user.timezone Europe/Amsterdam

            Reporter: whermeling
            Assignee: teilo


When you specify a custom username and password to be used in a maven release build (using the option 'Specify SCM login/password'), the filled-in username and password can be read by anyone who can Configure the build. If you run a release build and then, while it is still running, you configure the build plan, you see that the 'Goals and options' have changed to the ones which are currently used for the release build.

So in my case this then shows: -Dpassword=*** -Dusername=*** -Dproject.rel.<groupId>:<artifactId>=<release-version> -Dproject.dev.<groupId>:<artifactId>=<development-version> -Dresume=false release:prepare release:perform

It seems the m2 release plugin is using the 'Goals and options' field to manage the parameters of the release build.

A workaround could be to mask these credentials in the 'Goals and options' field.

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.hudson-ci.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
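
The exposure reported above is mechanical: the m2release plugin rewrites the job's 'Goals and options' with the submitted credentials, and that field is persisted with the job configuration, which anyone holding the job's Configure permission can open. The script below is an added example and is not part of the ticket, of Hudson, or of the m2release plugin. It assumes the goals string is stored in a `<goals>` element of the job's config.xml (as for Hudson maven2 jobs); the sample config, the credentials and the artifact coordinates in it are constructed, and the list of credential-carrying property names and the `-Dname=value` regular expression are the author's own assumptions about Maven command lines. It reports leaked `-Dpassword`/`-Dusername` values and shows the masking workaround the reporter proposes.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a Hudson job config.xml captured while an m2release
# build is running: the plugin has rewritten <goals> to carry the SCM
# credentials typed into the release form. Every value here is invented.
SAMPLE_CONFIG_XML = """<maven2-moduleset>
  <actions/>
  <description>Release job</description>
  <scm class="hudson.scm.SubversionSCM"/>
  <goals>-Dpassword=s3cr3t-pw -Dusername=whermeling -Dproject.rel.com.example:app=1.2.0 -Dproject.dev.com.example:app=1.3.0-SNAPSHOT -Dresume=false release:prepare release:perform</goals>
  <mavenName>maven-2.2.1</mavenName>
</maven2-moduleset>
"""

# Property names treated as credentials. -Dpassword / -Dusername are what the
# ticket shows in 'Goals and options'; 'passphrase' is an assumed extra that
# maven-release-plugin also accepts for SSH keys and is worth the same sweep.
SENSITIVE_PROPS = ("password", "passphrase", "username")

# One Maven -Dname=value argument; the value may be bare or quoted.
# Property names may contain '.', ':' and '-' (e.g. project.rel.<g>:<a>).
_PROP_RE = re.compile(
    r"-D(?P<name>[A-Za-z0-9_.:\-]+)=(?P<value>\"[^\"]*\"|'[^']*'|\S+)"
)


def find_leaked_credentials(goals: str):
    """Return [(property, value)] for every credential -D property in a goals line."""
    leaked = []
    for m in _PROP_RE.finditer(goals):
        name = m.group("name")
        if name.lower() in SENSITIVE_PROPS:
            leaked.append((name, m.group("value").strip("\"'")))
    return leaked


def mask_credentials(goals: str, mask: str = "********") -> str:
    """Rewrite a goals line so credential values are replaced by a fixed mask.

    The property name is kept so the command line stays recognisable; this is
    the masking workaround suggested in the ticket, applied to the stored text.
    """
    def _sub(m):
        if m.group("name").lower() in SENSITIVE_PROPS:
            return f"-D{m.group('name')}={mask}"
        return m.group(0)
    return _PROP_RE.sub(_sub, goals)


def audit_config_xml(xml_text: str):
    """Scan one job config.xml and list credentials found in any <goals> element."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter("goals"):
        if el.text:
            for name, value in find_leaked_credentials(el.text):
                findings.append({"element": "goals", "property": name, "value": value})
    return findings


if __name__ == "__main__":
    # Report which properties leak without echoing the secret itself.
    for f in audit_config_xml(SAMPLE_CONFIG_XML):
        print(f"LEAK: -D{f['property']} stored in <{f['element']}>")
    goals = ET.fromstring(SAMPLE_CONFIG_XML).find("goals").text
    print(mask_credentials(goals))
```

To sweep a live instance, feed `audit_config_xml` the contents of each `$HUDSON_HOME/jobs/*/config.xml`; a hit in `<goals>` means the credentials are readable by every user with Configure on that job and, as the thread notes, by any Maven plugin that runs inside the release build. Masking the stored text only hides the value from the configuration page; it does not stop a build step from reading the same property at run time.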

       
Reply | Threaded
Open this post in threaded view
|

[JIRA] Commented: (HUDSON-8524) maven release build exposes users' username and password

Kohsuke Kawaguchi
Administrator

    [ http://issues.hudson-ci.org/browse/HUDSON-8524?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=145030#action_145030 ]

teilo commented on HUDSON-8524:
-------------------------------

Regardless of how this is done, if you can configure the job and perform releases, you can get this information.

Just change the release goals to run a mojo that dumps the system variables, such as help:system, and then perform a release.

If this is important to you, I would suggest you have a different job that only performs release builds and that normal users have no access to.


[JIRA] Commented: (HUDSON-8524) maven release build exposes users' username and password

Kohsuke Kawaguchi
Administrator
In reply to this post by Kohsuke Kawaguchi

    [ http://issues.hudson-ci.org/browse/HUDSON-8524?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=145095#action_145095 ]

whermeling commented on HUDSON-8524:
------------------------------------

I disagree. If I perform a release using the m2 release plugin and fill in a username and password (and the UI masks the password as it should), then I do not expect to have the password show up (and certainly not in plain text) when somebody looks at the job configuration by coincidence.

Creating a different job is a bad solution because:
A) this would require an additional job for every build plan in our Hudson instance, and
B) everybody is able to perform releases in our organization, but they should do so by supplying their own username and password (which in our case are single sign-on credentials for a lot of systems).

The fact that somebody could get this information via different ways is a bad argument IMO. We run release jobs without help:system, and people running the job can check which goals are executed in advance (they are all able to view the job configuration).

PS: It would be a nice addition if the configured release goals were displayed on the screen where you can perform the Maven release.


[JIRA] Commented: (HUDSON-8524) maven release build exposes users' username and password

Kohsuke Kawaguchi
Administrator
In reply to this post by Kohsuke Kawaguchi

    [ http://issues.hudson-ci.org/browse/HUDSON-8524?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=145124#action_145124 ]

pmdubik commented on HUDSON-8524:
---------------------------------

I agree with teilo: the password appears as ****** when you input it in the release task, then it is in clear text in the build > Goals and options.
So unless you configure rights on specific builds, anyone can use your SVN/CVS account.
