NEXUS-28420

Component DELETE API requires "browse" permission


    Details

    • Notability:
      3

      Description

      SYMPTOM:

      Deleting a component by its component ID returns 404 when the user's access comes from a Content Selector, and 403 otherwise, if the user has no "browse" privilege.

      $ curl -i -u testuser:testuser -X DELETE "${_NEXUS_URL%/}/service/rest/v1/components/${_COMP_ID}"
      HTTP/1.1 404 Not Found
      Date: Tue, 20 Jul 2021 07:18:18 GMT
      Strict-Transport-Security: max-age=7776000
      Server: Nexus/3.31.1-01 (PRO)
      X-Content-Type-Options: nosniff
      X-Siesta-FaultId: 1c1f8752-9697-4972-8a77-e683db4b6c16
      Content-Length: 0
      

      REPRODUCE STEPS:

      1. Create raw-hosted repository
      2. Upload some test file:
        curl -u "admin:admin123" -T <(echo 'to be deleted') "http://localhost:8081/repository/raw-hosted/test/delete.txt"
      3. Create testuser with a test role that has nx-repository-view-*-*-add|read|edit|delete (no browse)
      4. Search for the component uploaded above to find its component ID:
        curl -u admin:admin123 "http://localhost:8081/service/rest/v1/search?repository=raw-hosted&name=test/delete.txt"
      5. Delete this component as testuser; the result is 403:
        $ curl -i -u testuser:testuser -X DELETE "http://localhost:8081/service/rest/v1/components/cmF3LWhvc3RlZDo5ODU4MWI5ZTE1YzNkZmE1NGU1ZWMxOWI5YTFmMmQwMQ"
        HTTP/1.1 403 Forbidden
        Date: Tue, 20 Jul 2021 07:32:46 GMT
        Server: Nexus/3.31.1-01 (PRO)
        X-Content-Type-Options: nosniff
        X-Siesta-FaultId: 33043899-4c33-4ab8-8a48-78d84b642ef8
        Content-Length: 0
      6. Add nx-repository-view-*-*-browse to the test role and run the above curl again.

      EXPECTED BEHAVIOUR:

      Since this test user is only deleting, not browsing or reading, the first "curl -X DELETE" should succeed.

      ACTUAL BEHAVIOUR:

      The first "curl -X DELETE" returns 403 (Forbidden); the second one returns 204 and the component is deleted.
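The reproduce steps above turned into a repeatable check, added here as an example (it is not part of the issue or of Nexus). The Nexus URL, repository, asset name and credentials are placeholders; the component-ID decoding assumes that the base64 "repository:internal-id" layout seen in the ID quoted in step 5 holds for component IDs generally.

```python
# Added example (not from the issue): the reproduce steps as a repeatable check.
# URL, repository, asset name and credentials below are placeholders.
import base64
import json
import urllib.error
import urllib.request

def basic_auth(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}

def http(method, url, headers, opener=urllib.request.urlopen):
    # Return (status, body); 4xx is returned, not raised, so 403 and 404 stay distinct.
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with opener(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def find_component_id(search_body):
    # Extract the single component id from a /service/rest/v1/search response.
    items = json.loads(search_body)["items"]
    if len(items) != 1:
        raise ValueError(f"expected exactly one component, found {len(items)}")
    return items[0]["id"]

def decode_component_id(comp_id):
    # Unpadded URL-safe base64 of "repository:internal-id" (as in the issue's ID; assumed general).
    padded = comp_id + "=" * (-len(comp_id) % 4)
    repo, _, internal = base64.urlsafe_b64decode(padded).decode().partition(":")
    return repo, internal

def interpret_delete(status):
    # Map the DELETE status code onto the outcomes described in the issue.
    return {
        204: "deleted: the delete privilege alone suffices (expected behaviour)",
        403: "forbidden: repository-view privileges without browse (reported bug)",
        404: "not found: content-selector privileges without browse (reported bug)",
    }.get(status, f"unexpected status {status}")

def check_delete_without_browse(base, repo, name, admin, tester, opener=urllib.request.urlopen):
    # Search as admin to learn the component ID, then DELETE it as the test user.
    url = f"{base}/service/rest/v1/search?repository={repo}&name={name}"
    status, body = http("GET", url, basic_auth(*admin), opener)
    if status != 200:
        raise RuntimeError(f"search failed with HTTP {status}")
    comp_id = find_component_id(body)
    url = f"{base}/service/rest/v1/components/{comp_id}"
    status, _ = http("DELETE", url, basic_auth(*tester), opener)
    return status, interpret_delete(status)
```

Run it once before and once after adding the browse privilege to the role; on an affected instance the first run reports 403 or 404 and the second 204.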

      POTENTIAL CAUSE:

      The org.sonatype.nexus.repository.browse.internal.BrowseServiceImpl#getById method generates an SQL statement that uses the ContentAuth OSQLFunction; inside that function, org.sonatype.nexus.repository.selector.internal.OrientContentAuthHelper#checkPathPermissions is used, and it checks "BROWSE".

      NOTE: If my observation is right, when a "docker" repository is used, setting a correct Content Selector might be difficult, because the above function is probably checking the image name (not the path).
      So, when the CSEL contains the expression "path =^ '/v2/deletetest/'" and the "deletetest/alpine:3.7" image is going to be deleted, it seems Nexus is checking whether "deletetest/alpine" starts with "/v2/deletetest".

            People

            Assignee:
            sdelvalle Santiago Del Valle
            Reporter:
            hosako Hajime Osako
            Last Updated By:
            Hajime Osako
            Votes:
            1
            Watchers:
            9
