[NEXUS-23284] PyPI JSON API not rewriting download URL - Sonatype JIRA

XML

Word

Printable

Details

Type: Improvement
Status: New
Priority: Major
Resolution: Unresolved
Affects Version/s: 3.21.1
Fix Version/s: None
Component/s: PyPI
Labels:
None

Description

With all versions of Nexus, upto and including 3.21.2-03, a proxied PyPI repository does not rewrite the download URLs of the PyPI JSON API.

A simple case to reproduce:

Start the latest nexus with docker:

docker run -d -p 8081:8081 --name nexus sonatype/nexus3

Configure a PyPi proxy (to https://pypi.org) called "pypi-proxy"
Fetch metadata about a package such as pip:

$ curl http://127.0.0.1:8081/repository/pypi-proxy/pypi/pip/json 
...
4:50:44.419813Z","url":"https://files.pythonhosted.org/packages/54/0c/d01aa759fdc501a58f431eb594a17495f15b88da142ce14b5845662c13f3/pip-20.0.2-py2.py3-none-any.whl"},{"comment_text":"","digests":{"md5":"7d42ba49b809604f0df3d55df1c3fd86","sha256":"7db0c8ea4c7ea51c8049640e8e6e7fde949de672bfa4949920675563a5a6967f"},"downloads":-1,"filename":"pip-20.0.2.tar.gz","has_sig":false,"md5_digest":"7d42ba49b809604f0df3d55df1c3fd86","packagetype":"sdist","python_version":"source","requires_python":">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*","size":1433827,"upload_time":"2020-01-24T14:50:47","upload_time_iso_8601":"2020-01-24T14:50:47.350895Z","url":"https://files.pythonhosted.org/packages/8e/76/66066b7bc71817238924c7e4b448abdb17eb0c92d645769c223f9ace478f/pip-20.0.2.tar.gz"}]}

Notice that the URL of the download is not using the proxy, but points out to files.pythonhosted.org.

Whilst I appreciate that the URL reaches outside of the https://pypi.org domain, it is still important that the proxy should handle this. The equivalent "simple" view does indeed do so:

$ curl http://127.0.0.1:8081/repository/pypi-proxy/simple/pip 
...
        <a href="../../files.pythonhosted.org/https/packages/8e/76/66066b7bc71817238924c7e4b448abdb17eb0c92d645769c223f9ace478f/pip-20.0.2.tar.gz#sha256=7db0c8ea4c7ea51c8049640e8e6e7fde949de672bfa4949920675563a5a6967f" rel="internal"       data-requires-python="&gt;=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*" >pip-20.0.2.tar.gz</a><br/>
    </body>
</html>

Compared to:

$ curl https://pypi.org/simple/pip/
    <a href="https://files.pythonhosted.org/packages/8e/76/66066b7bc71817238924c7e4b448abdb17eb0c92d645769c223f9ace478f/pip-20.0.2.tar.gz#sha256=7db0c8ea4c7ea51c8049640e8e6e7fde949de672bfa4949920675563a5a6967f" data-requires-python="&gt;=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*">pip-20.0.2.tar.gz</a><br/>
    </body>
</html>

When implementing this, be aware that PyPi appears to have a redirect in-place for https://pypi.org/pypi/pip/json/ -> https://pypi.org/pypi/pip/json whereas this resource is not available in Nexus (in some regards this is an entirely separate issue, but I wanted to raise it here as it may affect the relative URLs that get re-written).

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Phil

Last Updated By:: Luiz Carvalho

Votes:: 2 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 03/25/20 07:29 AM

Updated:: 09/15/20 07:15 PM

Date of First Response:: 25/Mar/20 2:08 PM