Dev - Nexus Repo: NEXUS-23284

PyPI JSON API not rewriting download URL

    Details

    • Type: Improvement
    • Status: New
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.21.1
    • Fix Version/s: None
    • Component/s: PyPI
    • Labels: None

      Description

      With all versions of Nexus, up to and including 3.21.2-03, a proxied PyPI repository does not rewrite the download URLs of the PyPI JSON API.


      A simple case to reproduce:

      1. Start the latest Nexus with Docker:
         docker run -d -p 8081:8081 --name nexus sonatype/nexus3
      2. Configure a PyPI proxy (to https://pypi.org) called "pypi-proxy"
      3. Fetch metadata about a package such as pip:
         $ curl http://127.0.0.1:8081/repository/pypi-proxy/pypi/pip/json
         ...
         4:50:44.419813Z","url":"https://files.pythonhosted.org/packages/54/0c/d01aa759fdc501a58f431eb594a17495f15b88da142ce14b5845662c13f3/pip-20.0.2-py2.py3-none-any.whl"},{"comment_text":"","digests":{"md5":"7d42ba49b809604f0df3d55df1c3fd86","sha256":"7db0c8ea4c7ea51c8049640e8e6e7fde949de672bfa4949920675563a5a6967f"},"downloads":-1,"filename":"pip-20.0.2.tar.gz","has_sig":false,"md5_digest":"7d42ba49b809604f0df3d55df1c3fd86","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1433827,"upload_time":"2020-01-24T14:50:47","upload_time_iso_8601":"2020-01-24T14:50:47.350895Z","url":"https://files.pythonhosted.org/packages/8e/76/66066b7bc71817238924c7e4b448abdb17eb0c92d645769c223f9ace478f/pip-20.0.2.tar.gz"}]}
      4. Notice that the URL of the download is not using the proxy, but points out to files.pythonhosted.org.


      Whilst I appreciate that the URL reaches outside of the https://pypi.org domain, it is still important that the proxy should handle this. The equivalent "simple" view does indeed do so:


      $ curl http://127.0.0.1:8081/repository/pypi-proxy/simple/pip 
      ...
              <a href="../../files.pythonhosted.org/https/packages/8e/76/66066b7bc71817238924c7e4b448abdb17eb0c92d645769c223f9ace478f/pip-20.0.2.tar.gz#sha256=7db0c8ea4c7ea51c8049640e8e6e7fde949de672bfa4949920675563a5a6967f" rel="internal"       data-requires-python="&gt;=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*" >pip-20.0.2.tar.gz</a><br/>
          </body>
      </html>


      Compared to:

      $ curl https://pypi.org/simple/pip/
          <a href="https://files.pythonhosted.org/packages/8e/76/66066b7bc71817238924c7e4b448abdb17eb0c92d645769c223f9ace478f/pip-20.0.2.tar.gz#sha256=7db0c8ea4c7ea51c8049640e8e6e7fde949de672bfa4949920675563a5a6967f" data-requires-python="&gt;=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*">pip-20.0.2.tar.gz</a><br/>
          </body>
      </html>


      When implementing this, be aware that PyPI appears to have a redirect in place for https://pypi.org/pypi/pip/json/ -> https://pypi.org/pypi/pip/json, whereas this resource is not available in Nexus (in some regards this is an entirely separate issue, but I wanted to raise it here as it may affect the relative URLs that get re-written).
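As an added example, not code from this report or from Nexus itself, the following Python shows what the JSON API response needs: an audit that lists download URLs still escaping the proxy (a client following them fetches straight from files.pythonhosted.org, bypassing whatever caching, policy or logging the proxy provides), a rewrite into the `../../<host>/<scheme>/<path>` form the proxied simple index emits, and a resolution check for the trailing-slash difference noted above. The trimmed document and the proxy host are constructed.

```python
import json
from urllib.parse import urljoin, urlsplit

# Constructed sample: a trimmed PyPI JSON API document with the shape of the
# response quoted in the report (real layout, constructed content).
SAMPLE = {
    "info": {"name": "pip", "version": "20.0.2"},
    "releases": {"20.0.2": [{
        "filename": "pip-20.0.2-py2.py3-none-any.whl",
        "url": "https://files.pythonhosted.org/packages/54/0c/d01aa759fdc501a58f431eb594a17495f15b88da142ce14b5845662c13f3/pip-20.0.2-py2.py3-none-any.whl",
    }]},
    "urls": [{
        "filename": "pip-20.0.2.tar.gz",
        "url": "https://files.pythonhosted.org/packages/8e/76/66066b7bc71817238924c7e4b448abdb17eb0c92d645769c223f9ace478f/pip-20.0.2.tar.gz",
    }],
}

def iter_files(doc):
    """Yield every file entry: the 'urls' list plus the files of every release."""
    yield from doc.get("urls", [])
    for files in doc.get("releases", {}).values():
        yield from files

def leaked_urls(doc, proxy_host):
    """Audit check: download URLs that would take a client past the proxy."""
    return [f["url"] for f in iter_files(doc)
            if urlsplit(f["url"]).netloc not in ("", proxy_host)]

def to_proxy_relative(url):
    """Rewrite an absolute upstream URL into the '../../<host>/<scheme>/<path>'
    form the proxied simple index emits, relative to the proxy repository root."""
    parts = urlsplit(url)
    return f"../../{parts.netloc}/{parts.scheme}{parts.path}"

def rewrite(doc):
    """Return a copy of the document with every absolute download URL rewritten."""
    out = json.loads(json.dumps(doc))  # deep copy; the input stays untouched
    for f in iter_files(out):
        if urlsplit(f["url"]).netloc:
            f["url"] = to_proxy_relative(f["url"])
    return out

def resolve(resource_url, relative_url):
    """Where a client would actually fetch from. With the resource at
    .../pypi/pip/json the '../../' form lands inside the proxy; with a
    trailing slash (.../pypi/pip/json/) it lands one level too deep."""
    return urljoin(resource_url, relative_url)
```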

            People

            Assignee: Unassigned
            Reporter: Elson Phil
            Last Updated By: Luiz Carvalho
            Votes: 2
            Watchers: 4