Uploaded image for project: 'Dev - Nexus Repo'
  1. Dev - Nexus Repo
  2. NEXUS-18611

configurable header validation

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: New
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.14.0
    • Fix Version/s: None
    • Component/s: Transport
    • Labels:
    • Notability:
      4

      Description

      Nexus 3.2.0 added header validation to prevent certain attack vectors, for example making sure the host header contains a value that matches IP addresses, host names and port values, and patterns according to RFC-1123.

      In a customer security conscious environment, it is desirable to restrict NXRM further, to accept an even more stringent set of values.

      Expected

      A Nexus administrator should be able to configure patterns, ideally regex based, that will be used to match against incoming HTTP header values. If a header exists, and the value of the header does not match all of the whitelisted patterns, then the request will be rejected with an error before performing any other processing.

      Any default patterns that NXRM already validates against need not be circumvented, as default patterns Nexus uses are for the protection of the server in general. The improvement is about making validation even more restrictive - for example only allowing a few specific host names in the host header.

      Header values which aggregate from multiple sources ( ie. Host, X-Forwarded-Host, Jetty org.eclipse.jetty.server.ForwardedRequestCustomizer.setHostHeader() ) should also be considered.

        Attachments

          Activity

            People

            Assignee:
            Unassigned Unassigned
            Reporter:
            plynch Peter Lynch
            Last Updated By:
            Peter Lynch Peter Lynch
            Votes:
            1 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated:

                tigCommentSecurity.panel-title