  1. Dev - Nexus Repo
  2. NEXUS-12391

Nexus OSS Bower Repository Mapping JSON File HTTPS URL Exposes Credentials

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: 3.0.1
    • Fix Version/s: None
    • Component/s: Bower
    • Labels:
      None

      Description

      I'm using Nexus OSS 3.0.1-01. I have a Bower repository. If I use an HTTPS URL with credentials in it, they get exposed in the <package_name>/mapping.json file. Also, an HTTPS GIT URL without credentials attempts to register a different package than an HTTPS GIT URL with the credentials.

      I would propose that Nexus takes the credentials out of the HTTPS GIT URLs when putting them into the mapping.json file. Also, I would propose that an HTTPS GIT URL with or without credentials in it should evaluate to the same Bower package.

      The mapping.json file looks like:

      {"name":"package_name","url":"https://github.com/blah/blah.git"}
      or
      {"name":"package_name","url":"https://username:password@github.com/blah/blah.git"}
      

      Example bower register command:

      bower register package_name https://github.com/blah/blah.git
      or
      bower register package_name https://username:password@github.com/blah/blah.git
      

      I'm happy to give more information if necessary. Thanks for considering.
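
The behaviour proposed in this report, sketched as an added example (not code from the reporter, Nexus or Bower): strip the userinfo part from HTTP(S) Git URLs before a mapping.json entry is stored or served, and compare registrations on the stripped URL. All function names are hypothetical, and the sample entries are constructed from the placeholder values in the report.

```javascript
// Added example, not Nexus or Bower code. Function names are hypothetical.

// Parse an http(s) URL; return null for anything else (e.g. scp-style
// "git@host:path" remotes, which the WHATWG URL parser rejects).
function parseHttpUrl(rawUrl) {
  try {
    const u = new URL(rawUrl);
    return u.protocol === "https:" || u.protocol === "http:" ? u : null;
  } catch {
    return null;
  }
}

// True when the URL carries a username or password in its userinfo part.
// Usable as an audit check over already-published mapping.json entries.
function hasCredentials(rawUrl) {
  const u = parseHttpUrl(rawUrl);
  return u !== null && (u.username !== "" || u.password !== "");
}

// Return the URL with userinfo removed; other input is returned unchanged.
function stripCredentials(rawUrl) {
  const u = parseHttpUrl(rawUrl);
  if (u === null) return rawUrl;
  u.username = "";
  u.password = "";
  return u.toString();
}

// Sanitize the text of a mapping.json entry before it is stored or served.
function sanitizeMappingJson(text) {
  const entry = JSON.parse(text);
  return JSON.stringify({ ...entry, url: stripCredentials(entry.url) });
}

// Two registrations are the same package when name and stripped URL match.
function samePackage(a, b) {
  return a.name === b.name && stripCredentials(a.url) === stripCredentials(b.url);
}

// Constructed sample input, using the placeholder values from the report.
const withCreds = '{"name":"package_name","url":"https://username:password@github.com/blah/blah.git"}';
const without = '{"name":"package_name","url":"https://github.com/blah/blah.git"}';

console.log(hasCredentials(JSON.parse(withCreds).url));
console.log(sanitizeMappingJson(withCreds));
console.log(samePackage(JSON.parse(withCreds), JSON.parse(without)));
```

Credentials that have already appeared in a served mapping.json should be treated as disclosed and rotated; stripping them afterwards only stops further exposure.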

            People

            Assignee:
            Unassigned
            Reporter:
            aboutin Andrew Boutin
            Last Updated By:
            Peter Lynch
