Uploaded image for project: 'Dev - Nexus Repo'
  1. Dev - Nexus Repo
  2. NEXUS-26340

importing non-conforming Maven artifacts may trigger NullPointerException in VersionPolicyValidator.validArtifactPath even if Layout Policy is Permissive

    XMLWordPrintable

    Details

    • Story Points:
      0.5
    • Sprint:
      NXRM MadMax Sprint 20
    • Notability:
      3

      Description

      Was importing from an old maven repository on disk which had some files not entirely conforming to Maven layout ( into a 3.29.2 instance ). Noticed some NullPointerExceptions

      oddly named maven-metadata
      2021-01-09 08:01:14,559-0400 ERROR [quartz-9-thread-2]  *SYSTEM com.sonatype.nexus.exportimport.orient.internal.importtask.OrientRepositoryImportService - Import of file /import-data/central-releases/org/apache/cxf/cxf-xml2fastinfoset-plugin/maven-metadata.xml.2 into repository central-hosted failed
java.lang.NullPointerException: null
	at org.sonatype.nexus.repository.maven.internal.VersionPolicyValidator.validArtifactPath(VersionPolicyValidator.java:33)
	at org.sonatype.nexus.repository.maven.MavenUploadHandlerSupport.validateVersionPolicy(MavenUploadHandlerSupport.java:253)
	at org.sonatype.nexus.repository.maven.MavenUploadHandlerSupport.handle(MavenUploadHandlerSupport.java:178)
	at org.sonatype.nexus.repository.upload.internal.UploadManagerImpl.handle(UploadManagerImpl.java:136)
	at com.sonatype.nexus.exportimport.orient.internal.importtask.OrientRepositoryImportService.lambda$1(OrientRepositoryImportService.java:166)
	at org.sonatype.nexus.transaction.OperationPoint.lambda$0(OperationPoint.java:53)
	at org.sonatype.nexus.transaction.OperationPoint.proceed(OperationPoint.java:64)
	at org.sonatype.nexus.transaction.TransactionalWrapper.proceedWithTransaction(TransactionalWrapper.java:57)
	at org.sonatype.nexus.transaction.Operations.proceedWithTransaction(Operations.java:232)
	at org.sonatype.nexus.transaction.Operations.transactional(Operations.java:223)
	at org.sonatype.nexus.transaction.Operations.run(Operations.java:175)
	at com.sonatype.nexus.exportimport.orient.internal.importtask.OrientRepositoryImportService.lambda$0(OrientRepositoryImportService.java:162)
	at com.sonatype.nexus.exportimport.internal.importtask.RepositoryImportSource$RepositoryImportFileVisitor.visitFile(RepositoryImportSource.java:83)
	at com.sonatype.nexus.exportimport.internal.importtask.RepositoryImportSource$RepositoryImportFileVisitor.visitFile(RepositoryImportSource.java:1)
	at java.nio.file.Files.walkFileTree(Files.java:2670)
	at com.sonatype.nexus.exportimport.internal.importtask.RepositoryImportSource.walk(RepositoryImportSource.java:45)
	at com.sonatype.nexus.exportimport.orient.internal.importtask.OrientRepositoryImportService.walkImportDirectory(OrientRepositoryImportService.java:140)
	at com.sonatype.nexus.exportimport.orient.internal.importtask.OrientRepositoryImportService.doImport(OrientRepositoryImportService.java:125)
	at com.sonatype.nexus.exportimport.internal.importtask.RepositoryImportTask.execute(RepositoryImportTask.java:64)
	at org.sonatype.nexus.repository.RepositoryTaskSupport.execute(RepositoryTaskSupport.java:79)
	at org.sonatype.nexus.scheduling.TaskSupport.call(TaskSupport.java:100)
	at org.sonatype.nexus.quartz.internal.task.QuartzTaskJob.doExecute(QuartzTaskJob.java:143)
	at org.sonatype.nexus.quartz.internal.task.QuartzTaskJob.execute(QuartzTaskJob.java:106)
	at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
	at org.sonatype.nexus.quartz.internal.QuartzThreadPool.lambda$0(QuartzThreadPool.java:145)
	at org.sonatype.nexus.thread.internal.MDCAwareRunnable.run(MDCAwareRunnable.java:40)
	at org.apache.shiro.subject.support.SubjectRunnable.doRun(SubjectRunnable.java:120)
	at org.apache.shiro.subject.support.SubjectRunnable.run(SubjectRunnable.java:108)

      Another Example:

      difference in artifactId compared with path
      2021-01-09 08:21:06,731-0400 ERROR [quartz-9-thread-2]  *SYSTEM com.sonatype.nexus.exportimport.orient.internal.importtask.OrientRepositoryImportService - Import of file /import-data/central-releases/com/rabbitmq/rabbitmq-java-client/1.3.0/rabbitmq-client-javadoc-1.3.0.jar into repository central-hosted failed
java.lang.NullPointerException: null
	at org.sonatype.nexus.repository.maven.internal.VersionPolicyValidator.validArtifactPath(VersionPolicyValidator.java:33)
	at org.sonatype.nexus.repository.maven.MavenUploadHandlerSupport.validateVersionPolicy(MavenUploadHandlerSupport.java:253)
	at org.sonatype.nexus.repository.maven.MavenUploadHandlerSupport.handle(MavenUploadHandlerSupport.java:178)
	at org.sonatype.nexus.repository.upload.internal.UploadManagerImpl.handle(UploadManagerImpl.java:136)
	at com.sonatype.nexus.exportimport.orient.internal.importtask.OrientRepositoryImportService.lambda$1(OrientRepositoryImportService.java:166)
	at org.sonatype.nexus.transaction.OperationPoint.lambda$0(OperationPoint.java:53)
	at org.sonatype.nexus.transaction.OperationPoint.proceed(OperationPoint.java:64)
	at org.sonatype.nexus.transaction.TransactionalWrapper.proceedWithTransaction(TransactionalWrapper.java:57)
	at org.sonatype.nexus.transaction.Operations.proceedWithTransaction(Operations.java:232)
	at org.sonatype.nexus.transaction.Operations.transactional(Operations.java:223)
	at org.sonatype.nexus.transaction.Operations.run(Operations.java:175)
	at com.sonatype.nexus.exportimport.orient.internal.importtask.OrientRepositoryImportService.lambda$0(OrientRepositoryImportService.java:162)
	at com.sonatype.nexus.exportimport.internal.importtask.RepositoryImportSource$RepositoryImportFileVisitor.visitFile(RepositoryImportSource.java:83)
	at com.sonatype.nexus.exportimport.internal.importtask.RepositoryImportSource$RepositoryImportFileVisitor.visitFile(RepositoryImportSource.java:1)
	at java.nio.file.Files.walkFileTree(Files.java:2670)
	at com.sonatype.nexus.exportimport.internal.importtask.RepositoryImportSource.walk(RepositoryImportSource.java:45)
	at com.sonatype.nexus.exportimport.orient.internal.importtask.OrientRepositoryImportService.walkImportDirectory(OrientRepositoryImportService.java:140)
	at com.sonatype.nexus.exportimport.orient.internal.importtask.OrientRepositoryImportService.doImport(OrientRepositoryImportService.java:125)
	at com.sonatype.nexus.exportimport.internal.importtask.RepositoryImportTask.execute(RepositoryImportTask.java:64)
	at org.sonatype.nexus.repository.RepositoryTaskSupport.execute(RepositoryTaskSupport.java:79)

      Another variation:

      Difference in letter case
      2021-01-08 18:37:00,337-0400 ERROR [quartz-9-thread-2]  *SYSTEM com.sonatype.nexus.exportimport.orient.internal.importtask.OrientRepositoryImportService - Import of file /import-data/central-releases/org/codehaus/httpcache4j/clients/clients-httpClient/1.0-RC2/clients-httpclient-1.0-RC2.pom into repository central-hosted failed
java.lang.NullPointerException: null

      The cause is MavenPath.getCoordinates() is returning null, and null is passed into VersionPolicyValidator.validArtifactPath where coordinates are accessed.

      Expected

      1. If layout policy is strict, avoid the NPE and instead log without stack trace that the path value is not conforming and therefore was ignored by import.
      2. If Layout Policy is permissive, then consider if the path should be allowed to be imported - ie. Does direct HTTP PUT of the path work when layout is permissive? Is there some special rule that is different for import? If so, document it, or provide a different setting for import to allow non-conforming paths.

        Attachments

          Issue Links

          is caused by

          Bug - A problem which impairs or prevents the functions of the product. NEXUS-25600 Repository Import Ignores Validation

          • Major - Major loss of function.
          • Closed
          relates

          Bug - A problem which impairs or prevents the functions of the product. NEXUS-26844 NPE when export/importing from maven repository

          • Major - Major loss of function.
          • New
          mentioned in

          Page Loading...

            Activity

              People

              Assignee:
              mlukaretkyi Maksym Lukaretkyi
              Reporter:
              plynch Peter Lynch
              Last Updated By:
              Joe Tom Joe Tom
              Team:
              NXRM - Mad Max
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Date of First Response:

                  tigCommentSecurity.panel-title