  1. Dev - Nexus Repo
  2. NEXUS-18610

Raw proxy errors on URL encoded space and plus (+) characters

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.11.0, 3.15.0, 3.17.0, 3.19.0, 3.28.0, 3.29.0
    • Fix Version/s: 3.30.0
    • Component/s: Raw
    • Labels:
    • Environment:
      Chrome MacOSX
    • Notability:
      3

      Description

      Scenario 1

      I uploaded a file ticket%20list.txt to a raw hosted repo.

      The following call works: http://localhost:8081/repository/rawhosted1/ticket%20list.txt

      I created a proxy of this hosted repo.

      The following call fails with an error 400: http://localhost:8081/repository/rawproxy/ticket%20list.txt

      Credit to: https://stackoverflow.com/questions/53412043/nexus-3-raw-proxy-repository-fails-for-url-containing

      Scenario 2

      So this returns 200 OK:
      https://download.pytorch.org/whl/cpu/torch-1.2.0%2Bcpu-cp36-cp36m-win_amd64.whl

      and this returns 403:
      https://download.pytorch.org/whl/cpu/torch-1.2.0+cpu-cp36-cp36m-win_amd64.whl

      Create a RAW proxy repo pytorch with remote URL of https://download.pytorch.org/whl/cpu/

      Send this inbound request to NXRM:

      http://localhost:8081/repository/pytorch/torch-1.2.0%2Bcpu-cp36-cp36m-win_amd64.whl

      NXRM sends this outbound and it does not work as expected:

      2019-11-26 09:20:47,302-0500 DEBUG [qtp1142970879-6962] myuser org.sonatype.nexus.httpclient.outbound - https://download.pytorch.org/whl/cpu/torch-1.2.0+cpu-cp36-cp36m-win_amd64.whl > GET /whl/cpu/torch-1.2.0+cpu-cp36-cp36m-win_amd64.whl HTTP/1.1
      2019-11-26 09:20:47,557-0500 DEBUG [qtp1142970879-6962] myuser org.sonatype.nexus.httpclient.outbound - https://download.pytorch.org/whl/cpu/torch-1.2.0+cpu-cp36-cp36m-win_amd64.whl < HTTP/1.1 403 Forbidden @ 255.2 ms

      Expected

      The bug is that NXRM should not be decoding %2B to a literal "+", but instead should be passing %2B along directly to the remote server as it receives it. A literal "+" can be interpreted as an encoded space character on some servers and is a completely different URL.
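
The difference between decoding and re-encoding the path versus passing it through untouched, as an added example (not part of the original report and not Nexus code). The URLs are the ones from Scenario 2; the function names and the re-encoder's choice of RFC 3986 path-safe characters are assumptions made for illustration.

```python
from urllib.parse import quote, unquote, unquote_plus, urlsplit

# Values taken from Scenario 2 of the report.
REMOTE_BASE = "https://download.pytorch.org/whl/cpu/"
REPO_PREFIX = "/repository/pytorch/"
INBOUND = ("http://localhost:8081/repository/pytorch/"
           "torch-1.2.0%2Bcpu-cp36-cp36m-win_amd64.whl")

# Assumption: a re-encoder that leaves RFC 3986 sub-delims alone in a path.
PATH_SAFE = "/!$&'()*+,;=:@"


def raw_tail(inbound_url, prefix=REPO_PREFIX):
    """Return the path after the repository prefix, still percent-encoded."""
    path = urlsplit(inbound_url).path  # urlsplit does not decode the path
    if not path.startswith(prefix):
        raise ValueError("request is not for this repository")
    return path[len(prefix):]


def outbound_decode_reencode(inbound_url):
    """Lossy proxying: decode, then re-encode only characters illegal in a path.

    '+' is legal in a path, so a decoded %2B is never encoded again.
    """
    decoded = unquote(raw_tail(inbound_url))
    return REMOTE_BASE + quote(decoded, safe=PATH_SAFE)


def outbound_passthrough(inbound_url):
    """Expected proxying: forward the encoded bytes exactly as received."""
    return REMOTE_BASE + raw_tail(inbound_url)


def name_if_plus_means_space(url):
    """File name as seen by a server that decodes '+' as a space."""
    return unquote_plus(urlsplit(url).path.rsplit("/", 1)[-1])


def changed_by_proxy(inbound_url):
    """True when decode/re-encode would request a different URL upstream."""
    return outbound_decode_reencode(inbound_url) != outbound_passthrough(inbound_url)


if __name__ == "__main__":
    for build in (outbound_decode_reencode, outbound_passthrough):
        url = build(INBOUND)
        print(f"{build.__name__}: {url}")
        print(f"  name upstream: {name_if_plus_means_space(url)!r}")
```
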

              People

              Assignee:
              mshevelov Mykyta Shevelov
              Reporter:
              jtom Joe Tom
              Last Updated By:
              Rich Seddon Rich Seddon
              Votes:
              6
              Watchers:
              13
