Dev - Nexus Repo: NEXUS-31354

inbound Maven HEAD request to a bare directory path causes the remote HTML page to be stored as an asset

    Details

    • Type: Bug
    • Status: New
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.37.3
    • Fix Version/s: None
    • Component/s: Maven
    • Labels: (none)
    • Notability: 2

      Description

      Reproduce

      1. Create a proxy repository to Maven Central: https://repo1.maven.org/maven2/
      2. Make an inbound HEAD request to a directory path:

      curl -v -I -u admin:admin123 http://localhost:8081/repository/maven-central/ -o /dev/null

      3. Observe that Repo 3 ONLY sends an outbound GET request.
      4. Observe that Repo 3 stores an asset with an empty asset name whose content is the HTML page of the remote site at the URL https://repo1.maven.org/maven2/. The audit log records it as:

      {"timestamp":"2022-03-01 10:33:47,151-0400","nodeId":"380163D9-74DF8E4A-E3F06D7C-D29036BA-4CEF163C","initiator":"admin/127.0.0.1","domain":"repository.asset","type":"created","context":"","thread":"qtp473773722-127","attributes":{"repository.name":"maven-central","format":"maven2","name":""}}

      The same issue can be reproduced when requesting child directory paths:

      {"timestamp":"2022-03-01 10:41:59,145-0400","nodeId":"380163D9-74DF8E4A-E3F06D7C-D29036BA-4CEF163C","initiator":"admin/127.0.0.1","domain":"repository.asset","type":"created","context":"abbot/","thread":"qtp473773722-129","attributes":{"repository.name":"maven-central","format":"maven2","name":"abbot/"}}

      Impacts and Side Effects

      Upstream Nexus Repository

      Upstream Nexus Repository instances send HEAD requests to a remote site to check whether the repository is on-line (status check). If such a HEAD request arrives at a Repo 3 Maven proxy, it triggers this bug. Example inbound request log entry showing the user agent making this request:

      127.0.0.1 - - [28/Feb/2022:11:21:13 +0100] "HEAD /repository/central.maven.org/ HTTP/1.1" 200 - 0 4 "Nexus/2.12.1-01 (OSS; Linux; 3.10.0-1062.4.3.el7.x86_64; amd64; 1.8.0_74) apacheHttpClient4x/2.12.1-01" [qtp369112687-2830]
      IQ Server / Nexus Lifecycle Repository Audit

      Another side effect of this behaviour is that an asset with an EMPTY name "" is stored in the asset table. The IQ Server Repository Audit feature does not expect to receive an asset with a completely empty path name (CLM-20848), and this breaks the bulk auditing feature of IQ Server.

      Expected

      • Inbound requests for directory paths (canonical URL ending with a slash) to Maven proxy repositories should not cache the GET response payload from the remote site as an asset.
      • Storing any Maven asset with an empty name should not be allowed; there is no known valid reason for it.
      • An inbound HEAD request to a Maven repository should only send an equivalent outbound HEAD request to the remote, never a GET request.
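      To find out whether an existing instance has already cached directory pages this way, the audit records quoted above can be scanned for `repository.asset` / `created` events whose asset name is empty or ends with a slash. The following detection script is an added example, not part of this issue or of the Nexus Repository code base; the three audit lines it scans are constructed from the ones shown above (the nodeId is a placeholder, and the third line is a normal artifact added as a negative case).

```python
import json

# Constructed sample audit-log records modelled on the ones quoted in this issue.
# Two are directory-style names (the bug), one is a normal Maven artifact.
SAMPLE_AUDIT_LOG = """\
{"timestamp":"2022-03-01 10:33:47,151-0400","nodeId":"NODE-ID-PLACEHOLDER","initiator":"admin/127.0.0.1","domain":"repository.asset","type":"created","context":"","thread":"qtp473773722-127","attributes":{"repository.name":"maven-central","format":"maven2","name":""}}
{"timestamp":"2022-03-01 10:41:59,145-0400","nodeId":"NODE-ID-PLACEHOLDER","initiator":"admin/127.0.0.1","domain":"repository.asset","type":"created","context":"abbot/","thread":"qtp473773722-129","attributes":{"repository.name":"maven-central","format":"maven2","name":"abbot/"}}
{"timestamp":"2022-03-01 10:45:00,000-0400","nodeId":"NODE-ID-PLACEHOLDER","initiator":"admin/127.0.0.1","domain":"repository.asset","type":"created","context":"abbot/abbot/1.4.0/abbot-1.4.0.pom","thread":"qtp473773722-130","attributes":{"repository.name":"maven-central","format":"maven2","name":"abbot/abbot/1.4.0/abbot-1.4.0.pom"}}
"""


def is_directory_asset(name: str) -> bool:
    """An empty name or a name ending in '/' is a directory path, not a Maven artifact."""
    return name == "" or name.endswith("/")


def find_directory_assets(log_text: str, formats=("maven2",)):
    """Return the 'repository.asset created' events whose asset name is a directory path.

    Each finding carries the fields a responder needs to locate and clean up the
    bogus asset: repository, asset name, who triggered the request and when.
    """
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON audit record (e.g. a request-log line); skip it
        if event.get("domain") != "repository.asset" or event.get("type") != "created":
            continue
        attrs = event.get("attributes", {})
        if attrs.get("format") not in formats:
            continue
        name = attrs.get("name", "")
        if is_directory_asset(name):
            findings.append({
                "timestamp": event.get("timestamp"),
                "repository": attrs.get("repository.name"),
                "name": name,
                "initiator": event.get("initiator"),
            })
    return findings


if __name__ == "__main__":
    for hit in find_directory_assets(SAMPLE_AUDIT_LOG):
        print(f"{hit['timestamp']} {hit['repository']} name={hit['name']!r} by {hit['initiator']}")
```

      Run it against the real `audit.log` of an instance to list the repositories and names that need cleaning up; an asset whose name is `""` is exactly the record that breaks the IQ Server audit described below.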

      People

      Assignee: Unassigned
      Reporter: Peter Lynch (plynch)