Fix IllegalArgumentException when credentials contain $ or \ #18
Merged
headius merged 1 commit into jruby:master from Mar 27, 2026
The withAuthentication() method uses String.replaceFirst() to inject credentials into the repository URL. The credentials string is used directly as the replacement argument, but in Java regex replacements $ and \ are special characters (group references and escape sequences). If a password contains $ (e.g. "pa$$word"), replaceFirst() throws java.lang.IllegalArgumentException: Illegal group reference.

Fix: wrap credentials with Matcher.quoteReplacement() to escape any regex-special characters before using them in the replacement string.

Made-with: Cursor
a2e65d8 to 3ed33fe
It would be excellent if you could come up with a test case for this, but I'll merge and get something released to avoid blocking you.
mavengem 2.0.3 has been released!
Problem

MavenGemWagon.withAuthentication() injects server credentials into the repository URL using String.replaceFirst():

In Java regex replacements, $ denotes a group reference ($1, $2) and \ is an escape character. If a password contains these characters (e.g. pa$$word), replaceFirst() throws:

This breaks any setup where:

settings.xml defines a <server> with credentials for a mavengem mirror
$ (very common in generated passwords) or \

Fix

Wrap the credentials string with Matcher.quoteReplacement() before passing it to replaceFirst(). This escapes $ and \ so they are treated as literals in the replacement string, while keeping the group references $1 and $2 functional for the URL parts.

Context

We discovered this while setting up a Maven mirror for rubygems in a corporate environment (Sonatype Nexus). The settings.xml defines a <server> block with Nexus credentials for the mavengem mirror, and the service account password contains $.

Made with Cursor
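
The behaviour described in this pull request, as an added example that is not code from the pull request or from mavengem: it runs the unquoted and the Matcher.quoteReplacement() forms side by side and fails if the quoted form does not insert the credentials verbatim. It goes slightly beyond the reported exception by also showing credentials that the unquoted form silently alters instead of rejecting. The URL pattern, the repository URL and the sample credentials are assumptions constructed for the demonstration; the page does not show the pattern withAuthentication() actually uses.

```java
import java.util.regex.Matcher;

public class QuoteReplacementCheck {
    // Assumed pattern (the page does not show the one mavengem uses):
    // group 1 = scheme, group 2 = host and path.
    static final String URL_PATTERN = "^(https?://)(.*)$";

    // "Before" form: credentials are parsed as regex replacement syntax.
    static String unquoted(String url, String credentials) {
        return url.replaceFirst(URL_PATTERN, "$1" + credentials + "@$2");
    }

    // "After" form: only the credentials are escaped; $1 and $2 still work.
    static String quoted(String url, String credentials) {
        return url.replaceFirst(URL_PATTERN,
                "$1" + Matcher.quoteReplacement(credentials) + "@$2");
    }

    public static void main(String[] args) {
        // Constructed sample data, not taken from the page.
        String scheme = "https://";
        String rest = "nexus.example.invalid/repository/rubygems/";
        String[] samples = {
            "svc:plain",        // no special characters
            "svc:pa$$word",     // $ not followed by a group number
            "svc:back\\slash",  // backslash in the middle of the password
            "svc:swap$2"        // $ followed by a valid group number
        };
        for (String creds : samples) {
            String expected = scheme + creds + "@" + rest;
            String before;
            try {
                before = unquoted(scheme + rest, creds);
            } catch (RuntimeException e) {
                before = e.getClass().getSimpleName() + ": " + e.getMessage();
            }
            String after = quoted(scheme + rest, creds);
            if (!after.equals(expected)) {
                throw new AssertionError("quoted form altered " + creds);
            }
            String verdict = before.equals(expected) ? "ok" : "WRONG";
            System.out.printf("%-16s unquoted [%s]: %s%n", creds, verdict, before);
        }
    }
}
```

Only the pa$$word sample raises the exception; the backslash and $2 samples return a URL whose credentials differ from what was configured, which would show up as an authentication failure against the mirror rather than a stack trace.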