Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-14781

Maven Release Plugin performs build without goals

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Critical Critical
    • m2release-plugin
    • None

      Steps:

      1. Perform maven release plugin
      2. Specify SCM Credentials with " in password
      3. Schedule maven release

      Results:
      In logs I see:

      Executing Maven:  -B -f c:\opt\Jenkins\jobs\project-ci\workspace\pom.xml -DdevelopmentVersion=4.4.005-SNAPSHOT -DreleaseVersion=4.4.004 -Dusername=user -Dpassword=*********
      ....
      No goals have been specified for this build. You must specify a valid lifecycle phase or a goal

      Build fails.

      Expected results:
      Release goals are passed in maven during release.

          [JENKINS-14781] Maven Release Plugin performs build without goals

          Mircea D added a comment -

          It's the same thing for the ^ (batch escape character).

          Mircea D added a comment - It's the same thing for the ^ (batch escape character).

          Michael Rumpf added a comment -

          Also the '$' causes trouble.

          Michael Rumpf added a comment - Also the '$' causes trouble.

          René Sonntag added a comment -

          We also have an user with '$' in his password. He is not able to do anything ...

          René Sonntag added a comment - We also have an user with '$' in his password. He is not able to do anything ...

          Devon Miller added a comment -

          This is also an issue if the password contains quote characters. For example:

          • It's happy time
          • Knights who say "Ni!"

          Devon Miller added a comment - This is also an issue if the password contains quote characters. For example: It's happy time Knights who say "Ni!"

          Michael Grafl added a comment -

          As a hacky workaround, the password can be surrounded by quotes in the input field, for example:

          • 'password with "double quotes"'
          • "It's time to fix this critical bug after more than 4 years!!"

          To make things worse, this bug allows for injection of arbitrary parameters into the mvn command that executes the release goals.

          Michael Grafl added a comment - As a hacky workaround, the password can be surrounded by quotes in the input field, for example: 'password with "double quotes"' "It's time to fix this critical bug after more than 4 years!!" To make things worse, this bug allows for injection of arbitrary parameters into the mvn command that executes the release goals.

          René Sonntag added a comment -

          Setting password in double quote works not properly.

          We just use this creepy workaround:

          <!-- escape given password -->
          <php function="str_replace" returnProperty="escaped_passwd"><param value="\"/><param value="
          "/><param value="${env.svnpassword}"/></php>
          <php function="str_replace" returnProperty="escaped_passwd"><param value="("/><param value="("/><param value="${escaped_passwd}"/></php>
          <php function="str_replace" returnProperty="escaped_passwd"><param value=")"/><param value=")"/><param value="${escaped_passwd}"/></php>
          <php function="str_replace" returnProperty="escaped_passwd"><param value="@"/><param value="@"/><param value="${escaped_passwd}"/></php>
          <php function="str_replace" returnProperty="escaped_passwd"><param value="^"/><param value="^"/><param value="${escaped_passwd}"/></php>
          <php function="str_replace" returnProperty="escaped_passwd"><param value="$"/><param value="\$"/><param value="${escaped_passwd}"/></php>
          <php function="str_replace" returnProperty="escaped_passwd"><param value="["/><param value="["/><param value="${escaped_passwd}"/></php>
          <php function="str_replace" returnProperty="escaped_passwd"><param value="]"/><param value="]"/><param value="${escaped_passwd}"/></php>
          <php function="str_replace" returnProperty="escaped_passwd"><param value="{"/><param value="{"/><param value="${escaped_passwd}"/></php>
          <php function="str_replace" returnProperty="escaped_passwd"><param value="}"/><param value="}"/><param value="${escaped_passwd}"/></php>
          <php function="str_replace" returnProperty="escaped_passwd"><param value="/"/><param value="\/"/><param value="${escaped_passwd}"/></php>
          <php function="str_replace" returnProperty="escaped_passwd"><param value="%"/><param value="%"/><param value="${escaped_passwd}"/></php>
          <php function="str_replace" returnProperty="escaped_passwd"><param value="|"/><param value="|"/><param value="${escaped_passwd}"/></php>
          <php function="str_replace" returnProperty="escaped_passwd"><param value="°"/><param value="\°"/><param value="${escaped_passwd}"/></php>
          <php function="str_replace" returnProperty="escaped_passwd"><param value="§"/><param value="\§"/><param value="${escaped_passwd}"/></php>
          <php function="str_replace" returnProperty="escaped_passwd"><param value="!"/><param value="!"/><param value="${escaped_passwd}"/></php>
          <php function="str_replace" returnProperty="escaped_passwd"><param value="?"/><param value="?"/><param value="${escaped_passwd}"/></php>
          <php function="str_replace" returnProperty="escaped_passwd"><param value="`"/><param value="\`"/><param value="${escaped_passwd}"/></php>
          <php function="str_replace" returnProperty="escaped_passwd"><param value="´"/><param value="\´"/><param value="${escaped_passwd}"/></php>
          <php function="str_replace" returnProperty="escaped_passwd"><param value="*"/><param value="*"/><param value="${escaped_passwd}"/></php>
          <php function="str_replace" returnProperty="escaped_passwd"><param value="+"/><param value="+"/><param value="${escaped_passwd}"/></php>
          <php function="str_replace" returnProperty="escaped_passwd"><param value="~"/><param value="~"/><param value="${escaped_passwd}"/></php>
          <php function="str_replace" returnProperty="escaped_passwd"><param value="#"/><param value="#"/><param value="${escaped_passwd}"/></php>
          <php function="str_replace" returnProperty="escaped_passwd"><param value="-"/><param value="-"/><param value="${escaped_passwd}"/></php>
          <php function="str_replace" returnProperty="escaped_passwd"><param value="_"/><param value="_"/><param value="${escaped_passwd}"/></php>
          <php function="str_replace" returnProperty="escaped_passwd"><param value="<"/><param value="\<"/><param value="${escaped_passwd}"/></php>
          <php function="str_replace" returnProperty="escaped_passwd"><param value=">"/><param value="\>"/><param value="${escaped_passwd}"/></php>
          <php function="str_replace" returnProperty="escaped_passwd"><param value="&"/><param value="\&"/><param value="${escaped_passwd}"/></php>
          <php function='str_replace' returnProperty='escaped_passwd'><param value='"'/><param value='\"'/><param value='${escaped_passwd}'/></php>
          <php function="str_replace" returnProperty="escaped_passwd"><param value="'"/><param value="\'"/><param value="${escaped_passwd}"/></php>
          <php function="str_replace" returnProperty="escaped_passwd"><param value=","/><param value="\,"/><param value="${escaped_passwd}"/></php>
          <php function="str_replace" returnProperty="escaped_passwd"><param value=";"/><param value="\;"/><param value="${escaped_passwd}"/></php>
          <php function="str_replace" returnProperty="escaped_passwd"><param value="."/><param value="\."/><param value="${escaped_passwd}"/></php>
          <php function="str_replace" returnProperty="escaped_passwd"><param value=":"/><param value="\:"/><param value="${escaped_passwd}"/></php>

          René Sonntag added a comment - Setting password in double quote works not properly. We just use this creepy workaround: <!-- escape given password --> <php function="str_replace" returnProperty="escaped_passwd"><param value="\"/><param value=" "/><param value="${env.svnpassword}"/></php> <php function="str_replace" returnProperty="escaped_passwd"><param value="("/><param value="("/><param value="${escaped_passwd}"/></php> <php function="str_replace" returnProperty="escaped_passwd"><param value=")"/><param value=")"/><param value="${escaped_passwd}"/></php> <php function="str_replace" returnProperty="escaped_passwd"><param value="@"/><param value="@"/><param value="${escaped_passwd}"/></php> <php function="str_replace" returnProperty="escaped_passwd"><param value="^"/><param value="^"/><param value="${escaped_passwd}"/></php> <php function="str_replace" returnProperty="escaped_passwd"><param value="$"/><param value="\$"/><param value="${escaped_passwd}"/></php> <php function="str_replace" returnProperty="escaped_passwd"><param value="["/><param value="["/><param value="${escaped_passwd}"/></php> <php function="str_replace" returnProperty="escaped_passwd"><param value="]"/><param value="]"/><param value="${escaped_passwd}"/></php> <php function="str_replace" returnProperty="escaped_passwd"><param value="{"/><param value="{"/><param value="${escaped_passwd}"/></php> <php function="str_replace" returnProperty="escaped_passwd"><param value="}"/><param value="}"/><param value="${escaped_passwd}"/></php> <php function="str_replace" returnProperty="escaped_passwd"><param value="/"/><param value="\/"/><param value="${escaped_passwd}"/></php> <php function="str_replace" returnProperty="escaped_passwd"><param value="%"/><param value="%"/><param value="${escaped_passwd}"/></php> <php function="str_replace" returnProperty="escaped_passwd"><param value="|"/><param value="|"/><param value="${escaped_passwd}"/></php> <php function="str_replace" returnProperty="escaped_passwd"><param value="°"/><param value="\°"/><param value="${escaped_passwd}"/></php> <php function="str_replace" returnProperty="escaped_passwd"><param value="§"/><param value="\§"/><param value="${escaped_passwd}"/></php> <php function="str_replace" returnProperty="escaped_passwd"><param value="!"/><param value="!"/><param value="${escaped_passwd}"/></php> <php function="str_replace" returnProperty="escaped_passwd"><param value="?"/><param value="?"/><param value="${escaped_passwd}"/></php> <php function="str_replace" returnProperty="escaped_passwd"><param value="`"/><param value="\`"/><param value="${escaped_passwd}"/></php> <php function="str_replace" returnProperty="escaped_passwd"><param value="´"/><param value="\´"/><param value="${escaped_passwd}"/></php> <php function="str_replace" returnProperty="escaped_passwd"><param value="*"/><param value="*"/><param value="${escaped_passwd}"/></php> <php function="str_replace" returnProperty="escaped_passwd"><param value="+"/><param value="+"/><param value="${escaped_passwd}"/></php> <php function="str_replace" returnProperty="escaped_passwd"><param value="~"/><param value="~"/><param value="${escaped_passwd}"/></php> <php function="str_replace" returnProperty="escaped_passwd"><param value="#"/><param value="#"/><param value="${escaped_passwd}"/></php> <php function="str_replace" returnProperty="escaped_passwd"><param value="-"/><param value="-"/><param value="${escaped_passwd}"/></php> <php function="str_replace" returnProperty="escaped_passwd"><param value="_"/><param value="_"/><param value="${escaped_passwd}"/></php> <php function="str_replace" returnProperty="escaped_passwd"><param value="<"/><param value="\<"/><param value="${escaped_passwd}"/></php> <php function="str_replace" returnProperty="escaped_passwd"><param value=">"/><param value="\>"/><param value="${escaped_passwd}"/></php> <php function="str_replace" returnProperty="escaped_passwd"><param value="&"/><param value="\&"/><param value="${escaped_passwd}"/></php> <php function='str_replace' returnProperty='escaped_passwd'><param value='"'/><param value='\"'/><param value='${escaped_passwd}'/></php> <php function="str_replace" returnProperty="escaped_passwd"><param value="'"/><param value="\'"/><param value="${escaped_passwd}"/></php> <php function="str_replace" returnProperty="escaped_passwd"><param value=","/><param value="\,"/><param value="${escaped_passwd}"/></php> <php function="str_replace" returnProperty="escaped_passwd"><param value=";"/><param value="\;"/><param value="${escaped_passwd}"/></php> <php function="str_replace" returnProperty="escaped_passwd"><param value="."/><param value="\."/><param value="${escaped_passwd}"/></php> <php function="str_replace" returnProperty="escaped_passwd"><param value=":"/><param value="\:"/><param value="${escaped_passwd}"/></php>

          James Nord added a comment -

          @mgrafl

          "It's time to fix this critical bug after more than 4 years!!"

          So we should expect a pill request with unit tests that has been verified on Linux/unix and windows platforms shortly then?

          James Nord added a comment - @mgrafl "It's time to fix this critical bug after more than 4 years!!" So we should expect a pill request with unit tests that has been verified on Linux/unix and windows platforms shortly then?

          James Nord added a comment -

          Oh and quotes probably don't work if the last character is a backslash \

          Some characters may only need escaping deepending on the underlying shell. And double quotes don't work if the password contains a single double quote. I and single quotes don't work if the password contains a single single quote...

          Right now this needs a better fix in the underlying maven plugin, I even then the way that maven passes the password to sub shells may not work even if it is quoted correctly to begin with. In reality use a password without shell unsafe characters like space backslash single and double quotes and percent.

          James Nord added a comment - Oh and quotes probably don't work if the last character is a backslash \ Some characters may only need escaping deepending on the underlying shell. And double quotes don't work if the password contains a single double quote. I and single quotes don't work if the password contains a single single quote... Right now this needs a better fix in the underlying maven plugin, I even then the way that maven passes the password to sub shells may not work even if it is quoted correctly to begin with. In reality use a password without shell unsafe characters like space backslash single and double quotes and percent.

          Michael Grafl added a comment -

          Escaping quotes for Linux is no rocket science: http://stackoverflow.com/a/1250279

          Maybe, it would even be sufficient to surround every argument with single quotes and replace all inner single quote with '"'"', e.g.,

          return "'" + orig.replace("'", "'\"'\"'") + "'";
          

          Michael Grafl added a comment - Escaping quotes for Linux is no rocket science: http://stackoverflow.com/a/1250279 Maybe, it would even be sufficient to surround every argument with single quotes and replace all inner single quote with '"'"' , e.g., return " '" + orig.replace( "' " , " '\" ' \ " '" ) + "' " ;

          James Nord added a comment - - edited

          And on windows.. And how do you know you are running on a windows or Linux slave.... The arguments are finalized before you even creat a task for the queue let alone know what type of slave you may have.

          And that article only talks about a single quote, I doubt it would work with a backslash..

          I still look forward to your fully tested pull request.

          James Nord added a comment - - edited And on windows.. And how do you know you are running on a windows or Linux slave.... The arguments are finalized before you even creat a task for the queue let alone know what type of slave you may have. And that article only talks about a single quote, I doubt it would work with a backslash.. I still look forward to your fully tested pull request.

            Unassigned Unassigned
            jsirex jsirex
            Votes:
            8 Vote for this issue
            Watchers:
            10 Start watching this issue

              Created:
              Updated: