Passwords exposed with git.remote.origin.url when HTTPS URIs are used #240

Closed
damnhandy opened this issue Mar 22, 2016 · 2 comments

@damnhandy
Contributor

In my pom.xml I have the following defined in my SCM config:

<properties>
    <project.scm.id>my-git-id</project.scm.id>
</properties>

<url>https://myprivate.git.host/gitrepo</url>
<scm>
    <url>https://myprivate.git.host/gitrepo.git</url>
    <connection>scm:git:https://myprivate.git.host/gitrepo.git</connection>
    <developerConnection>scm:git:https://myprivate.git.host/gitrepo</developerConnection>
</scm>

Note, username and password are not present in the SCM URIs. However, when using the Maven release plugin, the value of the git.remote.origin.url is as follows:

git.remote.origin.url=https://user\:password@myprivate.git.host/gitrepo.git

That value file is being published to our internal Artifactory host. This only seems to be reproducible when running mvn release:prepare followed by mvn release:perform. Oddly, typical goals such as package and install don't include the user info. Additionally, the mvn deploy goal also does not include the user info section in the property. This appears to be related to the Maven Release Plugin somehow, but I do have a PR that fixes this issue with this plugin.

@damnhandy
Contributor Author

I have also created a test case that demonstrates the issue under 2.2.0 here:

https://github.com/damnhandy/maven-publish-issue

You'll need Docker Compose to run it, but it clearly demonstrates the issue. The underlying cause is likely the Maven Release plugin, which apparently includes the credentials in the URI but also manages to temporarily overwrite the origin URI to include the username and password. My PR fixes the issue.
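
A pre-publish check for the leak reported in this issue, as an added example that is not part of the thread or of the plugin's code: it scans the text of a generated properties file for URL values that carry a `user:password@` section and returns the sanitized URL for each. The sample file content is constructed around the value quoted above, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample; the last line is the property value quoted in the issue.
SAMPLE = r"""# constructed sample of a generated git.properties
git.branch=master
git.commit.user.email=dev@example.com
git.remote.origin.url=https://user\:password@myprivate.git.host/gitrepo.git
"""

def unescape_value(raw):
    """Undo the backslash escapes a Java properties writer applies to : = # ! space and backslash."""
    return re.sub(r"\\([:=#! \\])", r"\1", raw)

def strip_userinfo(url):
    """Return url without the user[:password]@ part of its authority, if present."""
    parts = urlsplit(url)
    if not parts.scheme or "@" not in parts.netloc:
        return url  # not a URL with userinfo (e.g. a plain e-mail address)
    host = parts.netloc.rpartition("@")[2]
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))

def find_leaks(properties_text):
    """Map each property key whose value embeds credentials to its sanitized URL."""
    leaks = {}
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":  # blank line or properties comment
            continue
        key, sep, raw = line.partition("=")
        if not sep:
            continue
        value = unescape_value(raw.strip())
        clean = strip_userinfo(value)
        if clean != value:
            leaks[key.strip()] = clean
    return leaks

if __name__ == "__main__":
    for key, clean in find_leaks(SAMPLE).items():
        print(f"{key} embeds credentials; publish {clean} instead")
```

Run against the properties file in the built artifact before it is uploaded, a non-empty result is the signal to fail the release job.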

@ktoso
Collaborator

ktoso commented Mar 26, 2016

Thanks for noticing this, I'll review now - seems like something we'll want to include and would be enough to cut a release
