Dev - Nexus Repo
NEXUS-24870

PyPI: inhibit search/merge to proxy repo if the package is found on the hosted repo

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Do
    • Affects Version/s: 3.0.0
    • Fix Version/s: None
    • Component/s: PyPI
    • Labels: None

      Description

      Hello,

      It would make sense for group repositories to have a lookup "policy" that works as follows: if the package is found on a hosted repo (or on the first repo in the order of the group's member repositories), don't look it up on the proxy repository (or in the other member repositories).

      More generally, when building the index for the group repositories, don't merge other repositories if the request can already be satisfied with a single repository.

      As an example, suppose the following:

      • A hosted internal repository with package `example==1.0.0`
      • A proxy repository to an external repository (for example PyPI) which has `example==99.0.0`
      • A group repository with hosted+proxy (`example==1.0.0`, `example==99.0.0`)

      Right now, doing `pip install example --index-url=group-repository` will result in the external (and not under our control) `example==99.0.0`. For our use case, it would make sense to favor the internal repository package, which would produce `example==1.0.0`.

      The current behavior of providing whatever results from the merge of all the repositories could lead to potential security issues: a malicious actor could publish a package on the public PyPI with the same name (and potentially the same or a greater version) as a package that we have on our internal repository, causing developers (and potentially build scripts) to pull unwanted and dangerous packages.

      DevPI (https://devpi.net/docs/devpi/devpi/stable/%2Bd/index.html) allows this kind of behavior: "All privately uploaded packages will by default inhibit lookups from pypi, allowing to stay safe from an attacker who could otherwise upload malicious release files to the public PyPI index".

      We could blocklist the lookup of internal packages to the "proxy" repo using the routing rules, but that would mean either prefixing all our packages with a common prefix (e.g. "companyname.<package>") or knowing the names of all the packages we want to block the lookup for. Neither of these solutions is really feasible for our use case.

      I am not sure if this feature could be useful with other repository types, so that's why I have marked it as "pypi" only. Feel free to change it.

      Thanks for the help!
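The scenario in the description, as an added example that is not part of the issue, of Nexus, or of pip: it parses PEP 503 "simple" pages from a hosted and a proxy member repository, reproduces the two selection policies (merge everything and take the highest version, versus "hosted inhibits proxy"), and lists the hosted packages that a higher public version would shadow in the merged group. The HTML pages, package names and versions below are constructed for the example; version ordering is simplified to dotted integers rather than full PEP 440, and real pip resolution also weighs wheel tags, `Requires-Python`, pre-release and yanked flags.

```python
"""Added example: merged-index vs hosted-first selection over PEP 503 simple pages.

Not code from the Jira issue, Nexus or pip. Assumes each member repository
exposes a PEP 503 project page listing release files as <a> elements, and
that versions are plain dotted integers (a simplification of PEP 440).
"""
import re
from html.parser import HTMLParser


class _SimpleIndexParser(HTMLParser):
    """Collect the link text of every <a> on a PEP 503 project page."""

    def __init__(self):
        super().__init__()
        self.files = []
        self._in_anchor = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._in_anchor = True

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_anchor = False

    def handle_data(self, data):
        if self._in_anchor and data.strip():
            self.files.append(data.strip())


# Matches sdist ("name-1.2.3.tar.gz") and wheel ("name-1.2.3-py3-none-any.whl") filenames.
_FILENAME_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.]+?)-(?P<version>\d+(?:\.\d+)*)(?:-|\.tar\.gz)"
)


def parse_versions(page_html):
    """Return the set of versions listed on one project's simple page."""
    parser = _SimpleIndexParser()
    parser.feed(page_html)
    versions = set()
    for filename in parser.files:
        match = _FILENAME_RE.match(filename)
        if match:
            versions.add(match.group("version"))
    return versions


def _version_key(version):
    return tuple(int(part) for part in version.split("."))


def pick_merged(hosted_versions, proxy_versions):
    """Current group behaviour: union of both members, highest version wins."""
    candidates = hosted_versions | proxy_versions
    return max(candidates, key=_version_key) if candidates else None


def pick_hosted_first(hosted_versions, proxy_versions):
    """Requested policy: a hit on the hosted repo inhibits the proxy lookup."""
    pool = hosted_versions if hosted_versions else proxy_versions
    return max(pool, key=_version_key) if pool else None


def build_index(pages):
    """Map project name -> versions for a dict of {name: simple-page HTML}."""
    return {name: parse_versions(html) for name, html in pages.items()}


def shadowed_packages(hosted_index, proxy_index):
    """Hosted packages whose merged-group pick would come from the proxy.

    Returns {name: (hosted_first_pick, merged_pick)} for each shadowed package.
    """
    shadowed = {}
    for name, hosted_versions in hosted_index.items():
        proxy_versions = proxy_index.get(name, set())
        merged = pick_merged(hosted_versions, proxy_versions)
        if merged not in hosted_versions:
            shadowed[name] = (pick_hosted_first(hosted_versions, proxy_versions), merged)
    return shadowed


# Constructed simple pages (hypothetical names and versions, not real indexes).
HOSTED_PAGES = {
    "example": '<html><body><a href="example-1.0.0.tar.gz">example-1.0.0.tar.gz</a></body></html>',
    "internal-tool": '<a href="internal_tool-2.3.0-py3-none-any.whl">internal_tool-2.3.0-py3-none-any.whl</a>',
}
PROXY_PAGES = {
    "example": (
        '<a href="example-0.9.tar.gz">example-0.9.tar.gz</a>'
        '<a href="example-99.0.0-py3-none-any.whl">example-99.0.0-py3-none-any.whl</a>'
    ),
    "requests": '<a href="requests-2.31.0.tar.gz">requests-2.31.0.tar.gz</a>',
}

if __name__ == "__main__":
    hosted, proxy = build_index(HOSTED_PAGES), build_index(PROXY_PAGES)
    print("merged pick for example:      ", pick_merged(hosted["example"], proxy["example"]))
    print("hosted-first pick for example:", pick_hosted_first(hosted["example"], proxy["example"]))
    print("shadowed packages:            ", shadowed_packages(hosted, proxy))
```

Run against live member repositories by fetching each project's simple page from the hosted and proxy repos (not the group) and feeding the HTML to `build_index`; any entry returned by `shadowed_packages` is a name that a public upload can take over in the merged group, which is the exposure the issue describes.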

      People

      Assignee: Unassigned
      Reporter: cbaldi Cristian Baldi
      Last Updated By: Jacob Henner
      Votes: 0
      Watchers: 4
