Administrator
|
maven release build exposes users' username and password
--------------------------------------------------------

Key: HUDSON-8524
URL: http://issues.hudson-ci.org/browse/HUDSON-8524
Project: Hudson
Issue Type: Bug
Components: m2release
Affects Versions: current
Environment: Applies for all versions so far and other OSs.
System info:
Tomcat 5.5
file.encoding UTF-8
file.encoding.pkg sun.io
file.separator /
java.awt.graphicsenv sun.awt.X11GraphicsEnvironment
java.awt.headless true
java.awt.printerjob sun.print.PSPrinterJob
java.class.version 50.0
java.naming.factory.initial org.apache.naming.java.javaURLContextFactory
java.naming.factory.url.pkgs org.apache.naming
java.runtime.name Java(TM) SE Runtime Environment
java.runtime.version 1.6.0_16-b01
java.specification.name Java Platform API Specification
java.specification.vendor Sun Microsystems Inc.
java.specification.version 1.6
java.util.logging.manager org.apache.juli.ClassLoaderLogManager
java.vendor Sun Microsystems Inc.
java.vendor.url http://java.sun.com/
java.vendor.url.bug http://java.sun.com/cgi-bin/bugreport.cgi
java.version 1.6.0_16
java.vm.info mixed mode
java.vm.name Java HotSpot(TM) 64-Bit Server VM
java.vm.specification.name Java Virtual Machine Specification
java.vm.specification.vendor Sun Microsystems Inc.
java.vm.specification.version 1.0
java.vm.vendor Sun Microsystems Inc.
java.vm.version 14.2-b01
line.separator
os.arch amd64
os.name Linux
os.version 2.6.28-11-server
sun.arch.data.model 64
sun.cpu.endian little
sun.cpu.isalist
sun.io.unicode.encoding UnicodeLittle
sun.jnu.encoding UTF-8
sun.management.compiler HotSpot 64-Bit Server Compiler
sun.os.patch.level unknown
svnkit.ssh2.persistent false
tomcat.util.buf.StringCache.byte.enabled true
user.country US
user.language en
user.name hudson
user.timezone Europe/Amsterdam
Reporter: whermeling
Assignee: teilo

When you specify a custom username and password to be used in a maven release build (using the option 'Specify SCM login/password'), the filled-in username and password can be read by anyone who can Configure the build. If you run a release build and then, while it is still running, you configure the build plan, you see that the 'Goals and options' have changed to the ones which are currently used for the release build.

So in my case this then shows:

-Dpassword=*** -Dusername=*** -Dproject.rel.<groupId>:<artifactId>=<release-version> -Dproject.dev.<groupId>:<artifactId>=<development-version> -Dresume=false release:prepare release:perform

It seems the m2 release plugin is using the 'Goals and options' field to manage the parameters of the release build.

A workaround could be to mask these credentials in the 'Goals and options' fields.

--
This message is automatically generated by JIRA.
- If you think it was sent incorrectly contact one of the administrators: http://issues.hudson-ci.org/secure/Administrators.jspa
- For more information on JIRA, see: http://www.atlassian.com/software/jira
[ http://issues.hudson-ci.org/browse/HUDSON-8524?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=145030#action_145030 ]

teilo commented on HUDSON-8524:
-------------------------------

Regardless of how this is done, if you can configure the job and perform releases you can get this information. Just change the release goals to run a mojo that dumps the system variables - such as help:system - and then perform a release.

If this is important to you I would suggest you have a different job that only performs release builds and normal users have no access to it.
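The following Python is an added example, not code from Hudson or the m2release plugin. It covers two points from the thread: the reporter's suggested workaround of masking the credential values in the stored 'Goals and options' string, and teilo's observation that the values remain recoverable regardless of how the UI renders them, because anything handed to Maven as a -D system property sits in the JVM's command line (readable by any local user via /proc or ps while the release runs) and is printed by help:system to anyone who can edit the goals. The function names, the list of property names treated as secret, and the sample goals string (a constructed version of the one in the report, with made-up credentials) are my assumptions.

```python
"""Mask and detect SCM credentials passed to Maven as -D system properties.

Added example for HUDSON-8524; not Hudson or m2release code. The property
names considered secret and the sample inputs are assumptions.
"""
import glob
import re
import shlex
from typing import Dict, List

# Assumption: property names whose values must never appear in a config
# view or log. Covers the m2release arguments from the report plus a few
# common SCM variants.
SECRET_NAMES = ("password", "passphrase", "username", "scm.password", "scm.username")

# Matches -Dname=value for a secret name; the value may be bare or quoted.
# Group 1 is "-Dname=", group 2 the value (quotes included).
_SECRET_ARG = re.compile(
    r"(-D(?:" + "|".join(re.escape(n) for n in SECRET_NAMES) + r")=)"
    r"""("[^"]*"|'[^']*'|\S*)"""
)

MASK = "****"


def mask_credentials(goals: str) -> str:
    """Return the goals string with every secret property value replaced.

    Non-secret arguments (-Dresume=false, -Dproject.rel.*, the release
    goals) are kept verbatim so the masked string is still readable.
    """
    return _SECRET_ARG.sub(lambda m: m.group(1) + MASK, goals)


def find_leaked_properties(argv: List[str]) -> Dict[str, str]:
    """Return {name: value} for every secret -D argument in a process argv.

    This is what any local user sees in /proc/<pid>/cmdline or `ps -ef`
    while the release build runs, and what help:system prints from inside
    the build: masking the UI field does not remove the value from here.
    """
    leaked: Dict[str, str] = {}
    for arg in argv:
        if not arg.startswith("-D") or "=" not in arg:
            continue
        name, value = arg[2:].split("=", 1)
        if name in SECRET_NAMES:
            leaked[name] = value
    return leaked


def scan_proc_cmdlines() -> Dict[int, Dict[str, str]]:
    """Linux only: scan /proc/*/cmdline for processes leaking secret -D args.

    Returns {pid: {name: value}}; an empty dict on other platforms or when
    nothing is found. Processes that exit mid-scan are skipped.
    """
    hits: Dict[int, Dict[str, str]] = {}
    for path in glob.glob("/proc/[0-9]*/cmdline"):
        try:
            with open(path, "rb") as fh:
                raw = fh.read()
        except OSError:
            continue
        argv = [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]
        leaked = find_leaked_properties(argv)
        if leaked:
            hits[int(path.split("/")[2])] = leaked
    return hits


# Constructed sample: the goals string from the report with made-up
# credentials and coordinates, as m2release would hand it to Maven.
SAMPLE_GOALS = (
    "-Dpassword=Tr0ub4dor&3 -Dusername=whermeling "
    "-Dproject.rel.org.example:app=1.2.0 "
    "-Dproject.dev.org.example:app=1.3.0-SNAPSHOT "
    "-Dresume=false release:prepare release:perform"
)
SAMPLE_ARGV = ["mvn"] + shlex.split(SAMPLE_GOALS)

if __name__ == "__main__":
    print("masked goals :", mask_credentials(SAMPLE_GOALS))
    print("from argv    :", find_leaked_properties(SAMPLE_ARGV))
    print("on this host :", scan_proc_cmdlines() or "nothing found")
```

Running it prints the masked goals string, then shows the same credentials recovered from the (constructed) argv, and finally reports any real process on the host whose command line carries one of the secret properties. The last call is the useful check for a Hudson/Jenkins node: if it returns anything during a release build, the credentials are readable by every local account on that machine, whatever the web UI shows.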
[ http://issues.hudson-ci.org/browse/HUDSON-8524?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=145095#action_145095 ]

whermeling commented on HUDSON-8524:
------------------------------------

I disagree. If I perform a release using the m2 release plugin and fill in a username and password (and the UI masks the password as it should), then I do not expect to have the password show up (and certainly not in plain text) when somebody looks at the job configuration by coincidence.

Creating a different job is a bad solution because: A) this would require an additional job for every build plan in our Hudson instance and B) everybody is able to perform releases in our organization, but they should do so by supplying their own username and password (which in our case are single sign-on credentials for a lot of systems).

The fact that somebody could get this information via different ways is a bad argument IMO. We run release jobs without help:system and people running the job can check which goals are executed in advance (they are all able to view the job configuration).

PS: It would be a nice addition if the configured release goals would be displayed in the screen where you can perform the maven release.
[ http://issues.hudson-ci.org/browse/HUDSON-8524?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=145124#action_145124 ]

pmdubik commented on HUDSON-8524:
---------------------------------

I agree with teilo: the password appears as ****** when you input it in the release task, but then it is in the clear in the build's Goals and options. So unless you configure rights on specific builds, anyone can use your SVN/CVS account.