NEXUS-25163

Inbound PyPI repository index requests serve pages from URLs which do not end with a slash, creating invalid relative links

    Details

    • Type: Bug
    • Status: New
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.18.1, 3.26.1
    • Fix Version/s: None
    • Component/s: HTML View, PyPI
    • Notability: 3

      Description

      Create a proxy repo named pypi-org to remote https://pypi.org.

      Open this web page in a web browser:

      http://localhost:8081/repository/pypi-org/simple/paramiko

      Examine the relative links in the page, they are of this form:

      <a href="../../packages/cf/a1/20d00ce559a692911f11cadb7f94737aca3ede1c51de16e002c7d3a888e0/paramiko-2.7.2.tar.gz#sha256=7f36f4ba2c0d81d219f4595e35f70d56cc94f9ac40a6acdf51d6ca210ce65035" rel="internal">paramiko-2.7.2.tar.gz</a><br/>

      This means every link you click on ends up at an invalid path (404 Not Found) that does not exist:

      http://localhost:8081/repository/packages/cf/a1/20d00ce559a692911f11cadb7f94737aca3ede1c51de16e002c7d3a888e0/paramiko-2.7.2.tar.gz#sha256=7f36f4ba2c0d81d219f4595e35f70d56cc94f9ac40a6acdf51d6ca210ce65035

      The official repository instead does a 301 redirect to the URL with a trailing slash if a trailing slash is not present in the original request:

      curl -I https://pypi.org/simple/paramiko
      HTTP/1.1 301 Moved Permanently
      Connection: keep-alive
      Content-Length: 214
      Content-Security-Policy: default-src 'none'; sandbox allow-top-navigation
      Content-Type: text/html; charset=UTF-8
      Location: https://pypi.org/simple/paramiko/
      Referrer-Policy: origin-when-cross-origin
      Server: nginx/1.13.9
      Accept-Ranges: bytes
      Date: Wed, 02 Sep 2020 16:28:56 GMT
      X-Served-By: cache-bwi5130-BWI, cache-cmh21523-CMH
      X-Cache: MISS, MISS
      X-Cache-Hits: 0, 0
      X-Timer: S1599064137.556042,VS0,VE35
      Vary: Accept-Encoding
      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
      X-Frame-Options: deny
      X-XSS-Protection: 1; mode=block
      X-Content-Type-Options: nosniff
      X-Permitted-Cross-Domain-Policies: none
      

      Expected

      Do what the official registry does when an ending slash is missing and redirect to a page where the rendered relative links will actually work.
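The two behaviours described in this report, resolution of the `../../packages/...` href against a page URL with and without a trailing slash, and the pypi.org-style 301 to the slash-terminated URL, as an added, self-contained Python example (this is illustration code written for this page, not Nexus Repository or pypi.org code). The href is copied from the report above; the URL layout `/repository/<repo>/simple/<project>` that the redirect check keys on is an assumption made for the example, as is the `link_stays_in_repo` check, which flags the security-relevant side effect: a `..` chain resolved from the slash-less URL climbs out of the repository that served the page.

```python
import re
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed sample, copied from the href shown in the report: the relative
# link as rendered in the proxied simple index page for paramiko.
HREF = ("../../packages/cf/a1/20d00ce559a692911f11cadb7f94737aca3ede1c51de16e002c7d3a888e0/"
        "paramiko-2.7.2.tar.gz#sha256=7f36f4ba2c0d81d219f4595e35f70d56cc94f9ac40a6acdf51d6ca210ce65035")

# Assumed (hypothetical) layout of a proxied simple index URL without a
# trailing slash: /repository/<repo>/simple/<project>
SIMPLE_INDEX_NO_SLASH = re.compile(r"^/repository/[^/]+/simple/[^/]+$")


def resolve(page_url: str, href: str) -> str:
    """Resolve a relative href against the page URL the way a browser or pip does
    (RFC 3986 section 5.2: the last path segment of the base is dropped first,
    so 'paramiko' without a slash is treated as a file, not a directory)."""
    return urljoin(page_url, href)


def link_stays_in_repo(page_url: str, href: str) -> bool:
    """True if the resolved link still lives under the repository that served
    the page, i.e. under '/repository/<repo>/'. A '..' chain that climbs above
    that prefix is exactly the symptom in the report."""
    repo_prefix = "/".join(urlsplit(page_url).path.split("/")[:3]) + "/"
    return urlsplit(resolve(page_url, href)).path.startswith(repo_prefix)


def redirect_for(request_url: str):
    """Mimic pypi.org: answer a slash-less simple index request with a 301 to
    the slash-terminated URL, otherwise serve it as-is.
    Returns (status, location); location is None when no redirect is needed."""
    parts = urlsplit(request_url)
    if SIMPLE_INDEX_NO_SLASH.match(parts.path):
        location = urlunsplit((parts.scheme, parts.netloc, parts.path + "/", parts.query, ""))
        return 301, location
    return 200, None


if __name__ == "__main__":
    no_slash = "http://localhost:8081/repository/pypi-org/simple/paramiko"
    status, location = redirect_for(no_slash)
    print(status, location)
    print("without slash:", resolve(no_slash, HREF), link_stays_in_repo(no_slash, HREF))
    print("with slash:   ", resolve(location, HREF), link_stays_in_repo(location, HREF))
```

Running it shows the slash-less page resolving the href to `/repository/packages/...` (outside `pypi-org`, the 404 from the report) while the redirected URL resolves it to `/repository/pypi-org/packages/...`. The check in `link_stays_in_repo` is the one a proxy operator would want in a smoke test: any rendered index link whose resolved path leaves the serving repository's prefix is broken at best and, behind a reverse proxy that maps other paths, potentially misdirected.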

    People

    • Assignee: Unassigned
    • Reporter: Peter Lynch
    • Last Updated By: Wes Wannemacher
    • Votes: 0
    • Watchers: 3