NEXUS-16317 (project: Dev - Nexus Repo)

NuGet group repository package requests may respond with URLs to member repositories


    • Story Points:
      3

      Description

      From: https://groups.google.com/a/glists.sonatype.com/d/msgid/nexus-users/f2f39b37-7d39-45b1-96c1-a9dd5677672f%40glists.sonatype.com?utm_medium=email&utm_source=footer

      I have multiple repositories:
      nuget-dotnet-firstparty
      nuget-dotnet-thirdparty
      nuget-dotnet-generated
      etc
      and a group repository called:
      nuget-dotnet
      which brings all of the above together.

      This is all on the server "DepServer".

      When I try to do a "nuget restore" when the client has access to nuget-dotnet (the group repository) only I get the following:
      WARNING: Error downloading 'MyPackage.1.2.3' from 'https://DepServer:8443/repository/nuget-dotnet-firstparty/MyPackage/1.2.3'.
      The HTTP request to 'GET https://DepServer:8443/repository/nuget-dotnet-firstparty/MyPackage/1.2.3' has timed out after 100000ms

      Now, the client has no references to "nuget-dotnet-firstparty", and so no security access set up for it. But it shouldn't need it, because it has access to the group.

      I couldn't work out why it was that it was having this issue, so I went looking through the information on the server via the nuget protocol. What I found was:

      https://DepServer:8443/repository/nuget-dotnet/
      points to
      https://DepServer:8443/repository/nuget-dotnet/Packages
      Each entry has a link with a title of V2FeedPackage and an href of "Packages(Id='MyPackage',Version='1.2.3')"
      Following one of those URLs shows a line with content type="application/zip" and a src of "https://DepServer:8443/repository/nuget-dotnet-firstparty/MyPackage/1.2.3"

      However, as the client has no access to the "nuget-dotnet-firstparty" repository, only to the group repository, that's when the error occurs.

      Expected

      Responses from group requests should only reference URLs to the group repo, not group members.
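
The expected behaviour can be checked against a feed response. The following is an added example, not code from the report or from Nexus Repository: it parses a NuGet V2 Atom feed and lists every package download URL that falls outside the group repository. The function name `leaked_member_urls` and the sample feed (built from the URLs quoted above, plus a hypothetical `OtherPackage` entry) are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ATOM = "{http://www.w3.org/2005/Atom}"

# Constructed sample feed: the first entry reproduces the member URL from the
# report, the second (hypothetical) entry shows the expected group-only form.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <entry>
    <title>MyPackage</title>
    <link rel="edit" title="V2FeedPackage" href="Packages(Id='MyPackage',Version='1.2.3')"/>
    <content type="application/zip" src="https://DepServer:8443/repository/nuget-dotnet-firstparty/MyPackage/1.2.3"/>
  </entry>
  <entry>
    <title>OtherPackage</title>
    <link rel="edit" title="V2FeedPackage" href="Packages(Id='OtherPackage',Version='2.0.0')"/>
    <content type="application/zip" src="https://DepServer:8443/repository/nuget-dotnet/OtherPackage/2.0.0"/>
  </entry>
</feed>"""


def leaked_member_urls(feed_xml, group_url):
    """Return (title, src) for each download URL that is not under group_url."""
    # Keep a trailing slash on the group path so that "nuget-dotnet" does not
    # prefix-match a member such as "nuget-dotnet-firstparty".
    group = urlsplit(group_url.rstrip("/") + "/")
    leaks = []
    for entry in ET.fromstring(feed_xml).iter(ATOM + "entry"):
        title = entry.findtext(ATOM + "title", default="?")
        for content in entry.iter(ATOM + "content"):
            src = content.get("src")
            if content.get("type") != "application/zip" or not src:
                continue
            url = urlsplit(src)
            same_origin = (url.scheme, url.netloc.lower()) == (
                group.scheme, group.netloc.lower())
            if not (same_origin and url.path.startswith(group.path)):
                leaks.append((title, src))
    return leaks


if __name__ == "__main__":
    group = "https://DepServer:8443/repository/nuget-dotnet"
    for title, src in leaked_member_urls(SAMPLE_FEED, group):
        print(f"{title}: download URL bypasses the group repository: {src}")
```

Run against a saved feed response from a group repository, an empty result means clients scoped to the group alone can restore every listed package.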

            People

            Assignee:
            natemcafee Nate McAfee
            Reporter:
            plynch Peter Lynch
            Last Updated By:
            Peter Lynch Peter Lynch
            Team:
            NXRM - Cypher