Dev - Nexus Repo / NEXUS-12391

Nexus OSS Bower Repository Mapping JSON File HTTPS URL Exposes Credentials

Details

    • Improvement
    • Resolution: Won't Fix
    • Minor
    • None
    • 3.0.1
    • Bower
    • None

    Description

      I'm using Nexus OSS 3.0.1-01. I have a Bower repository. If I use an HTTPS URL with credentials in it they get exposed in the <package_name>/mapping.json file. Also an HTTPS GIT URL without credentials attempts to register a different package than an HTTPS GIT URL with the credentials.

      I would propose that Nexus takes the credentials out of the HTTPS GIT URLs when putting them into the mapping.json file. Also, I would propose that an HTTPS GIT URL with or without credentials in it should evaluate to the same Bower package.

      The mapping.json file looks like:

      {"name":"package_name","url":"https://github.com/blah/blah.git"}
      or
      {"name":"package_name","url":"https://username:password@github.com/blah/blah.git"}
      

      Example bower register command:

      bower register package_name https://github.com/blah/blah.git
      or
      bower register package_name https://username:password@github.com/blah/blah.git
      

      I'm happy to give more information if necessary. Thanks for considering.

          People

            Unassigned
            Andrew Boutin (aboutin)
            Peter Lynch
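The change proposed in the description, sketched as an added example that is not part of the original report and not Nexus code: strip the userinfo from an HTTPS Git URL before it is written to mapping.json, compare packages on the stripped URL, and flag existing mapping entries that still carry credentials. All function names and the sample entries are hypothetical and constructed for illustration.

```javascript
// Added example, not Nexus code; all function names are hypothetical.

const isHttp = (u) => u.protocol === 'https:' || u.protocol === 'http:';

// Drop the userinfo part (user:password@) of an HTTP(S) Git URL.
// Other schemes (e.g. ssh://git@host/...) are returned unchanged, since the
// user name there is part of the address rather than a secret.
function stripCredentials(rawUrl) {
  const u = new URL(rawUrl); // throws TypeError on input that is not a URL
  if (!isHttp(u)) return rawUrl;
  u.username = '';
  u.password = '';
  return u.toString();
}

// True when an HTTP(S) URL carries a user name or password.
function hasCredentials(rawUrl) {
  try {
    const u = new URL(rawUrl);
    return isHttp(u) && (u.username !== '' || u.password !== '');
  } catch {
    return false; // not a parseable URL, nothing to report
  }
}

// Two registrations refer to the same package when they differ only in userinfo.
function samePackage(urlA, urlB) {
  return stripCredentials(urlA) === stripCredentials(urlB);
}

// Build the mapping.json body in the format shown in the report, without userinfo.
function toMappingJson(name, rawUrl) {
  return JSON.stringify({ name, url: stripCredentials(rawUrl) });
}

// Audit already-stored mapping.json bodies; returns names of exposed entries.
function findExposed(mappingDocs) {
  return mappingDocs
    .map((doc) => JSON.parse(doc))
    .filter((entry) => hasCredentials(entry.url))
    .map((entry) => entry.name);
}

// Constructed sample entries (not taken from a real repository).
const SAMPLE_MAPPINGS = [
  '{"name":"clean_pkg","url":"https://github.com/blah/blah.git"}',
  '{"name":"leaky_pkg","url":"https://username:password@github.com/blah/blah.git"}',
];
console.log(findExposed(SAMPLE_MAPPINGS));
```

Any credential that `findExposed` reports has already been readable by anyone who could fetch that mapping.json, so it should be rotated as well as removed from the stored URL.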