  1. Dev - Nexus Repo
  2. NEXUS-22623

Nexus allows creation of repositories with ".." in their name, this breaks health check

    Details

    • Type: Bug
    • Status: New
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.19.1
    • Fix Version/s: None
    • Labels: None
    • Notability: 3

      Description

      Nexus allows the creation of repositories that have ".." in their name.

      Once this is done, the user will see an exception in the UI every time they open up the repository administration page, because the ".." is triggering directory traversal protection code.

       The following exception is seen in the logs:

      2020-01-24 16:11:55,169-0600 ERROR [qtp385249052-195] admin org.sonatype.nexus.extdirect.internal.ExtDirectExceptionHandler - Failed to invoke action method: healthcheck_Status.read, java-method: com.sonatype.nexus.plugins.healthcheck.ui.HealthCheckStatusComponent.read
      java.lang.IllegalArgumentException: Traversal not allowed with direct blobs
      at com.google.common.base.Preconditions.checkArgument(Preconditions.java:135)
      at org.sonatype.nexus.blobstore.DirectPathLocationStrategy.location(DirectPathLocationStrategy.java:37)
      at org.sonatype.nexus.blobstore.DefaultBlobIdLocationResolver.getLocation(DefaultBlobIdLocationResolver.java:65)
      at org.sonatype.nexus.blobstore.file.FileBlobStore.attributePath(FileBlobStore.java:260)
      at org.sonatype.nexus.blobstore.file.FileBlobStore.exists(FileBlobStore.java:640)
      at com.sonatype.nexus.plugins.healthcheck.service.impl.WebServerServiceImpl.getContentItemBlob(WebServerServiceImpl.java:196)
      at com.sonatype.nexus.plugins.healthcheck.service.impl.WebServerServiceImpl.getContentItem(WebServerServiceImpl.java:135)
      at com.sonatype.nexus.plugins.healthcheck.service.impl.WebServerServiceImpl.bundleExists(WebServerServiceImpl.java:148)
      at com.sonatype.nexus.plugins.healthcheck.service.WebServerService$bundleExists.call(Unknown Source)
      at com.sonatype.nexus.plugins.healthcheck.ui.HealthCheckStatusComponent.asRepositoryStatusXO(HealthCheckStatusComponent.groovy:181)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:498)
      at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:98)
      at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325)
      at org.codehaus.groovy.runtime.metaclass.ClosureMetaClass.invokeMethod(ClosureMetaClass.java:352)
      at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1034)
      at org.codehaus.groovy.runtime.callsite.PogoMetaClassSite.callCurrent(PogoMetaClassSite.java:68)
      at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callCurrent(AbstractCallSite.java:177)
      at com.sonatype.nexus.plugins.healthcheck.ui.HealthCheckStatusComponent$_read_closure2.doCall(HealthCheckStatusComponent.groovy:89)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:498)
      at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:98)
      at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325)
      at org.codehaus.groovy.runtime.metaclass.ClosureMetaClass.invokeMethod(ClosureMetaClass.java:264)
      at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1034)
      at groovy.lang.Closure.call(Closure.java:418)
      at groovy.lang.Closure.call(Closure.java:434)
      at org.codehaus.groovy.runtime.DefaultGroovyMethods.collect(DefaultGroovyMethods.java:3287)
      at org.codehaus.groovy.runtime.DefaultGroovyMethods.collect(DefaultGroovyMethods.java:3257)

       


            People

            Assignee: Unassigned
            Reporter: Rich Seddon (rseddon)
            Last Updated By: Rich Seddon
            Votes: 0
            Watchers: 3
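
The mismatch reported above, as an added example that is not Nexus code: a permissive creation-time name rule accepts "..", a later traversal guard rejects any key derived from that name, and a stricter creation-time rule closes the gap. The name pattern, the key layout in healthCheckKey, and all class and method names are assumptions made for illustration; only the exception message is taken from the log.

```java
import java.util.regex.Pattern;

public class RepoNameTraversalDemo {
    // Constructed permissive rule (assumption): letters, digits, '_', '-', '.',
    // with nothing preventing consecutive dots.
    static final Pattern PERMISSIVE = Pattern.compile("^[a-zA-Z0-9\\-][a-zA-Z0-9_\\-.]*$");

    // Hypothetical stand-in for the downstream guard seen in the stack trace:
    // any key containing ".." is refused before it is turned into a path.
    static String directPath(String key) {
        if (key.contains("..")) {
            throw new IllegalArgumentException("Traversal not allowed with direct blobs");
        }
        return "direct/" + key; // constructed layout
    }

    // Hypothetical: a feature that builds a blob key from the repository name.
    static String healthCheckKey(String repoName) {
        return "health-check/" + repoName + "/bundle";
    }

    static boolean permissiveAccepts(String name) {
        return PERMISSIVE.matcher(name).matches();
    }

    // Creation-time rule aligned with the read-time guard: whatever the guard
    // would refuse later is refused here, before the repository exists.
    static boolean strictAccepts(String name) {
        return permissiveAccepts(name) && !name.contains("..");
    }

    public static void main(String[] args) {
        String[] names = {"maven-releases", "npm.internal", "my..repo"}; // constructed samples
        for (String name : names) {
            String read;
            try {
                read = directPath(healthCheckKey(name));
            } catch (IllegalArgumentException e) {
                read = "IllegalArgumentException: " + e.getMessage();
            }
            System.out.printf("%-15s permissive=%-5b strict=%-5b read=%s%n",
                    name, permissiveAccepts(name), strictAccepts(name), read);
        }
    }
}
```

Single dots remain valid under the strict rule, so names such as "npm.internal" are unaffected; only the sequence the read-time guard rejects is blocked at creation.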
