Dev - Nexus Repo / NEXUS-27124

npm audit requests can trigger TarballLoadingException caused by org.apache.shiro.authz.AuthorizationException null


    Details

    • Type: Bug
    • Status: New
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.29.2
    • Fix Version/s: None
    • Component/s: NPM, npm-audit
    • Notability: 3

      Description

      Despite NEXUS-25936 being marked fixed in 3.29.1, a customer running 3.29.2 still experiences this error when audit requests are made to a group repository by the anonymous user:

      POST /repository/<npm-group-name>/-/npm/v1/security/audits/quick

      Logged nexus.log error:

      2021-03-24 04:54:07,806+0000 ERROR [qtp890273202-2067593]  *UNKNOWN org.sonatype.nexus.repository.npm.internal.NpmAuditErrorHandler - java.util.concurrent.ExecutionException: org.sonatype.nexus.repository.vulnerability.exceptions.TarballLoadingException
      java.lang.RuntimeException: java.util.concurrent.ExecutionException: org.sonatype.nexus.repository.vulnerability.exceptions.TarballLoadingException
      	at org.sonatype.nexus.repository.npm.internal.NpmAuditTarballFacet.download(NpmAuditTarballFacet.java:115)
      	at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.getAuditRepositoryComponents(NpmAuditFacet.java:313)
      	at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.getComponentsVulnerabilityFromRemoteServer(NpmAuditFacet.java:254)
      	at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.analyzeComponents(NpmAuditFacet.java:224)
      	at org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.audit(NpmAuditFacet.java:163)
      	at org.sonatype.nexus.repository.npm.internal.NpmGroupAuditQuickHandler.handle(NpmGroupAuditQuickHandler.java:41)
      	at org.sonatype.nexus.repository.view.Context.proceed(Context.java:88)
      	at org.sonatype.nexus.repository.npm.internal.NpmAuditErrorHandler.handle(NpmAuditErrorHandler.java:67)
      	at org.sonatype.nexus.repository.view.Context.proceed(Context.java:88)
      ...
      Caused by: java.util.concurrent.ExecutionException: org.sonatype.nexus.repository.vulnerability.exceptions.TarballLoadingException
      	at java.util.concurrent.FutureTask.report(FutureTask.java:122)
      	at java.util.concurrent.FutureTask.get(FutureTask.java:192)
      	at org.sonatype.nexus.repository.npm.internal.NpmAuditTarballFacet.download(NpmAuditTarballFacet.java:111)
      	... 107 common frames omitted
      Caused by: org.sonatype.nexus.repository.vulnerability.exceptions.TarballLoadingException: null
      	at org.sonatype.nexus.repository.npm.internal.NpmAuditTarballFacet$TarballGroupHandler.getTarballHashsum(NpmAuditTarballFacet.java:213)
      	at org.sonatype.nexus.repository.npm.internal.NpmAuditTarballFacet.download(NpmAuditTarballFacet.java:144)
      	at org.sonatype.nexus.repository.npm.internal.NpmAuditTarballFacet.lambda$2(NpmAuditTarballFacet.java:102)
      	at org.sonatype.nexus.thread.internal.MDCAwareCallable.call(MDCAwareCallable.java:41)
      	at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
      	at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
      	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
      	... 1 common frames omitted
      Caused by: org.apache.shiro.authz.AuthorizationException: null
      	at org.sonatype.nexus.repository.security.SecurityFacetSupport.ensurePermitted(SecurityFacetSupport.java:72)
      	at org.sonatype.nexus.repository.security.SecurityHandler.handle(SecurityHandler.java:47)
      	at org.sonatype.nexus.repository.view.Context.proceed(Context.java:88)
      	at com.sonatype.analytics.internal.handler.AnalyticsMeteringHandler.handle(AnalyticsMeteringHandler.java:69)
      	at org.sonatype.nexus.repository.view.Context.proceed(Context.java:88)
      	at org.sonatype.nexus.repository.view.handlers.TimingHandler.handle(TimingHandler.java:58)
      	at org.sonatype.nexus.repository.view.Context.proceed(Context.java:88)
      	at org.sonatype.nexus.repository.view.Context.start(Context.java:179)
      	at org.sonatype.nexus.repository.view.Router.dispatch(Router.java:65)
      	at org.sonatype.nexus.repository.view.ConfigurableViewFacet.dispatch(ConfigurableViewFacet.java:52)
      	at org.sonatype.nexus.repository.group.GroupHandler.getFirst(GroupHandler.java:139)
      	at org.sonatype.nexus.repository.group.GroupHandler.doGet(GroupHandler.java:116)
      	at org.sonatype.nexus.repository.npm.internal.NpmAuditTarballFacet$TarballGroupHandler.getTarballHashsum(NpmAuditTarballFacet.java:206)
      	... 9 common frames omitted
      
      

      Expected

If the anonymous user is making a group repo request and has read and browse privileges on the group, then a permission error should not be triggered.
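Triage helper for traces like the one quoted in the description. This is an added example, not Sonatype code and not part of the issue: it parses the "Caused by:" chain of a Java stack trace copied from nexus.log and reports whether a TarballLoadingException really bottoms out in the Shiro AuthorizationException raised from SecurityFacetSupport.ensurePermitted while GroupHandler fans the tarball request out to member repositories (the signature of this report), rather than in some other failure. The class and method names the matcher looks for are taken from the trace above; the two embedded sample traces are constructed (one abridged from the issue, one a hypothetical read timeout for contrast).

```python
"""Classify a nexus.log npm-audit stack trace by walking its cause chain.

Added example for NEXUS-27124 triage; not Sonatype code.  The sample
traces below are constructed: SAMPLE_AUTHZ_TRACE is abridged from the
issue, SAMPLE_TIMEOUT_TRACE is a hypothetical contrasting failure.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# A throwable header, e.g. "java.lang.RuntimeException: msg" or "Caused by: X: msg".
HEADER = re.compile(
    r"^\s*(?:Caused by: )?(?P<cls>[\w.]+(?:Exception|Error))(?:: (?P<msg>.*))?$"
)
# A stack frame, e.g. "\tat pkg.Class$Inner.method(File.java:123)".
FRAME = re.compile(r"^\s*at (?P<cls>[\w.$]+)\.(?P<method>[\w$<>]+)\((?P<loc>[^)]*)\)$")


@dataclass
class Cause:
    exception: str
    message: str
    frames: List[str] = field(default_factory=list)  # "pkg.Class.method", top frame first


def parse_cause_chain(log_text: str) -> List[Cause]:
    """Return the logged throwable and its nested causes, outermost first.

    Frames are attributed to the most recently seen header.  The ERROR
    prefix line and "... N common frames omitted" lines match neither
    pattern and are skipped.
    """
    chain: List[Cause] = []
    for line in log_text.splitlines():
        h = HEADER.match(line)
        if h:
            chain.append(Cause(h["cls"], h["msg"] or ""))
            continue
        f = FRAME.match(line)
        if f and chain:
            chain[-1].frames.append(f"{f['cls']}.{f['method']}")
    return chain


def root_cause(log_text: str) -> Optional[Cause]:
    """The innermost cause, or None if no throwable header was found."""
    chain = parse_cause_chain(log_text)
    return chain[-1] if chain else None


def is_group_audit_authz_failure(log_text: str) -> bool:
    """True when the trace matches this report: a TarballLoadingException
    whose root cause is a Shiro AuthorizationException thrown by
    SecurityFacetSupport.ensurePermitted while GroupHandler.getFirst was
    trying member repositories on behalf of NpmAuditTarballFacet."""
    chain = parse_cause_chain(log_text)
    if not chain:
        return False
    root = chain[-1]
    frames = root.frames
    return (
        root.exception == "org.apache.shiro.authz.AuthorizationException"
        and any(c.exception.endswith(".TarballLoadingException") for c in chain)
        and "org.sonatype.nexus.repository.security.SecurityFacetSupport.ensurePermitted" in frames
        and "org.sonatype.nexus.repository.group.GroupHandler.getFirst" in frames
        and any(f.startswith("org.sonatype.nexus.repository.npm.internal.NpmAuditTarballFacet") for f in frames)
    )


# Constructed sample: abridged from the trace in NEXUS-27124.
SAMPLE_AUTHZ_TRACE = """\
2021-03-24 04:54:07,806+0000 ERROR [qtp890273202-2067593]  *UNKNOWN org.sonatype.nexus.repository.npm.internal.NpmAuditErrorHandler - java.util.concurrent.ExecutionException: org.sonatype.nexus.repository.vulnerability.exceptions.TarballLoadingException
java.lang.RuntimeException: java.util.concurrent.ExecutionException: org.sonatype.nexus.repository.vulnerability.exceptions.TarballLoadingException
\tat org.sonatype.nexus.repository.npm.internal.NpmAuditTarballFacet.download(NpmAuditTarballFacet.java:115)
\tat org.sonatype.nexus.repository.npm.internal.NpmAuditFacet.audit(NpmAuditFacet.java:163)
Caused by: java.util.concurrent.ExecutionException: org.sonatype.nexus.repository.vulnerability.exceptions.TarballLoadingException
\tat java.util.concurrent.FutureTask.report(FutureTask.java:122)
\t... 107 common frames omitted
Caused by: org.sonatype.nexus.repository.vulnerability.exceptions.TarballLoadingException: null
\tat org.sonatype.nexus.repository.npm.internal.NpmAuditTarballFacet$TarballGroupHandler.getTarballHashsum(NpmAuditTarballFacet.java:213)
\tat org.sonatype.nexus.repository.npm.internal.NpmAuditTarballFacet.lambda$2(NpmAuditTarballFacet.java:102)
\t... 1 common frames omitted
Caused by: org.apache.shiro.authz.AuthorizationException: null
\tat org.sonatype.nexus.repository.security.SecurityFacetSupport.ensurePermitted(SecurityFacetSupport.java:72)
\tat org.sonatype.nexus.repository.security.SecurityHandler.handle(SecurityHandler.java:47)
\tat org.sonatype.nexus.repository.group.GroupHandler.getFirst(GroupHandler.java:139)
\tat org.sonatype.nexus.repository.npm.internal.NpmAuditTarballFacet$TarballGroupHandler.getTarballHashsum(NpmAuditTarballFacet.java:206)
\t... 9 common frames omitted
"""

# Constructed, hypothetical contrast: same outer exceptions, different root cause.
SAMPLE_TIMEOUT_TRACE = """\
java.lang.RuntimeException: java.util.concurrent.ExecutionException: org.sonatype.nexus.repository.vulnerability.exceptions.TarballLoadingException
\tat org.sonatype.nexus.repository.npm.internal.NpmAuditTarballFacet.download(NpmAuditTarballFacet.java:115)
Caused by: java.util.concurrent.ExecutionException: org.sonatype.nexus.repository.vulnerability.exceptions.TarballLoadingException
\tat java.util.concurrent.FutureTask.report(FutureTask.java:122)
Caused by: org.sonatype.nexus.repository.vulnerability.exceptions.TarballLoadingException: null
\tat org.sonatype.nexus.repository.npm.internal.NpmAuditTarballFacet.download(NpmAuditTarballFacet.java:144)
Caused by: java.net.SocketTimeoutException: Read timed out
\tat java.net.SocketInputStream.socketRead0(Native Method)
"""

if __name__ == "__main__":
    for name, trace in (("authz", SAMPLE_AUTHZ_TRACE), ("timeout", SAMPLE_TIMEOUT_TRACE)):
        rc = root_cause(trace)
        print(name, "->", rc.exception if rc else None, "matches NEXUS-27124:", is_group_audit_authz_failure(trace))
```

Paste the full throwable from nexus.log (starting at the ERROR line) into `is_group_audit_authz_failure`; a True result confirms the denial happened inside the group fan-out for the anonymous subject rather than on the remote tarball fetch, which is the distinction that matters when deciding whether a 3.29.2 instance is still hitting this bug after NEXUS-25936.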


              People

              Assignee: Unassigned
              Reporter: Peter Lynch (plynch)
              Last Updated By: Michael Oliverio
              Votes: 1
              Watchers: 3
