Dev - Nexus Repo / NEXUS-29192

Better means for preventing information leakage of internal artifact names?


    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Security
    • Labels:


Information leakage is a known problem with Nexus and other repository proxies: the queries for company or other secure-domain artifacts get easily proxied to external repositories, which may reveal secrets:


Could there be any better means to prevent this information leakage than the "Routing rules" or other sorts of manually configured filtering rules? The problems with "Routing rules" are: they require manual configuration, they require a naming policy, and they require that users know and remember to follow the naming policy.


For example:

A sort of "Download Remote Indexes" feature (which was dropped in Nexus 3) could make it possible to not let any of the artifact queries leave the secure domain and hit the external repositories; the artifacts could be queried against the local index only. Secondly, there could be an option that any artifacts found in the hosted (internal) repositories would never be requested from any external repositories. Together these two features could make a pretty easily configurable secure setup with no policy-following required from the users. The first one would prevent all direct artifact queries (including any typo-containing, non-released, or snapshot ones) against the external repositories, but would still leave open a supply chain attack by someone uploading an evil artifact with a known internal artifact name. The second feature would prevent that supply chain attack by serving the internal artifacts (releases/snapshots) only from the internal hosted repository.


Would that example seem viable to implement? Or would there be any better ideas for a more secure-by-default configuration that would not require manual filters/rules or setting and following naming policies?
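As an added illustration (not code from the issue, from Nexus or from the reporter), the following Python models how a group repository would route requests under manual routing rules versus the two features proposed above; the Resolver class, the com.acme coordinates and the request list are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum

class Route(Enum):
    HOSTED = "served from the internal hosted repository"
    REMOTE = "forwarded to the external proxy repository"
    BLOCKED = "refused; the request never leaves the secure domain"

@dataclass(frozen=True)
class Resolver:
    hosted: frozenset        # (groupId, artifactId, version) published internally
    remote_index: frozenset  # (groupId, artifactId) from a downloaded remote index
    blocked_prefixes: tuple = ()     # manual "Routing rules": groupId prefixes never proxied
    local_index_only: bool = False   # proposed feature 1
    pin_hosted: bool = False         # proposed feature 2

    def resolve(self, group: str, artifact: str, version: str) -> Route:
        if (group, artifact, version) in self.hosted:
            return Route.HOSTED
        # Feature 2: an internally known name is never requested externally, whatever the version.
        if self.pin_hosted and any(g == group and a == artifact for g, a, _ in self.hosted):
            return Route.BLOCKED
        # Manual routing rule: only protects names that follow the naming policy.
        if group.startswith(self.blocked_prefixes):
            return Route.BLOCKED
        # Feature 1: coordinates absent from every index (typos, unreleased snapshots) are refused locally.
        if self.local_index_only and (group, artifact) not in self.remote_index:
            return Route.BLOCKED
        return Route.REMOTE

# Constructed sample data, not taken from any real repository.
HOSTED = frozenset({("com.acme", "billing-core", "1.4.0")})
REMOTE_INDEX = frozenset({("org.apache.commons", "commons-lang3")})
REQUESTS = [
    ("com.acme", "billing-core", "1.4.0"),              # internal release
    ("com.acme", "billing-core", "9.9.9"),              # version never published internally
    ("com.acm", "billing-core", "1.4.0"),               # typo in the internal groupId
    ("org.apache.commons", "commons-lang3", "3.12.0"),  # genuine public artifact
]

def compare() -> dict:
    """Route each request under manual routing rules versus the proposed features."""
    rules_only = Resolver(HOSTED, REMOTE_INDEX, blocked_prefixes=("com.acme",))
    proposed = Resolver(HOSTED, REMOTE_INDEX, local_index_only=True, pin_hosted=True)
    return {":".join(r): (rules_only.resolve(*r), proposed.resolve(*r)) for r in REQUESTS}

if __name__ == "__main__":
    for coords, (rules, prop) in compare().items():
        print(f"{coords:50} routing rules: {rules.name:8} proposed: {prop.name}")
```

The typo'd groupId is the case the issue worries about: a prefix rule lets it leak to the external repository, while the local-index-only mode refuses it without any naming policy.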


    • Assignee: Unassigned
    • Reporter: Kari J. Niemi (karniemi)
    • Last Updated By: Michael Prescott