Dev - Nexus Repo
NEXUS-33916

Allow quarantined components to return 403 responses from nuget group repositories instead of 404

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 3.38.1, 3.40.0, 3.40.1
    • Fix Version/s: None
    • Component/s: Firewall, NuGet, nuget-v3
    • Labels:
    • Notability: 3

      Description

      When the IQ Audit and Quarantine capability is enabled for a nuget-proxy repository ("nuget.org-proxy") that is a member of a nuget group repository, any attempt to access the vulnerable component via the nuget group repository results in a '404 The specified blob does not exist.' response from the Nexus side. When the same asset is accessed directly via the nuget-proxy repository, the expected 403 response is returned with the "REQUESTED ITEM IS QUARANTINED" message.

      Steps to Reproduce:

      1. Create a "nuget.org-proxy" repository with the remote URL https://api.nuget.org/v3/index.json
      2. Create a nuget group repository "nuget-group" and add the above proxy repository as a member repository
      3. Enable the "IQ Audit and Quarantine Capability" for the "nuget.org-proxy" repository.
      4. Try to access a vulnerable component via the "nuget-group" and "nuget.org-proxy" repositories. Notice that the responses are 404 and 403 respectively.

      Example:

      REPO_NAME="nuget-group"
      curl -LOv -u admin:admin123 "http://master.example.com:8081/repository/${REPO_NAME}/v3/content/log4net/2.0.5/log4net.2.0.5.nupkg" 
      
      ---- OUTPUT ----
      
      * TCP_NODELAY set
      * Connected to master.example.com (127.0.1.1) port 8081 (#0)
      * Server auth using Basic with user 'admin'
      > GET /repository/nuget-group/v3/content/log4net/2.0.5/log4net.2.0.5.nupkg HTTP/1.1
      > Host: master.example.com:8081
      > Authorization: Basic YWRtaW46YWRtaW4xMjM=
      > User-Agent: curl/7.68.0
      > Accept: */*
      > 
      * Mark bundle as not supporting multiuse
      < HTTP/1.1 404 The specified blob does not exist.
      < Server: Nexus/3.40.1-01 (PRO)
      < X-Content-Type-Options: nosniff
      < Content-Security-Policy: sandbox allow-forms allow-modals allow-popups allow-presentation allow-scripts allow-top-navigation
      < X-XSS-Protection: 1; mode=block
      < Cache-Control: no-cache, no-store, max-age=0, must-revalidate, post-check=0, pre-check=0
      < Pragma: no-cache
      < Expires: 0
      < X-Frame-Options: DENY
      < Content-Type: text/html
      < Content-Length: 1875
      < 
      { [1875 bytes data]
      

      Access the same component via proxy repo.

      REPO_NAME="nuget.org-proxy"
      curl -LOv -u admin:admin123 "http://master.example.com:8081/repository/${REPO_NAME}/v3/content/log4net/2.0.5/log4net.2.0.5.nupkg"
      
      ---- OUTPUT ----
      
      * TCP_NODELAY set
      * Connected to master.example.com (127.0.1.1) port 8081 (#0)
      * Server auth using Basic with user 'admin'
      > GET /repository/nuget.org-proxy/v3/content/log4net/2.0.5/log4net.2.0.5.nupkg HTTP/1.1
      > Host: master.example.com:8081
      > Authorization: Basic YWRtaW46YWRtaW4xMjM=
      > User-Agent: curl/7.68.0
      > Accept: */*
      > 
      * Mark bundle as not supporting multiuse
      < HTTP/1.1 403 -------------------->>> REQUESTED ITEM IS QUARANTINED -------------------->>> FOR DETAILS SEE ------>>> http://master.example.com:8070/ui/links/repositories/quarantinedComponent/OGZkNWMzMGVmOWVmNGY4ZWFkYmVlMmJjMmViYzZkNjY <<<------
      < Server: Nexus/3.40.1-01 (PRO)
      < X-Content-Type-Options: nosniff
      < Content-Security-Policy: sandbox allow-forms allow-modals allow-popups allow-presentation allow-scripts allow-top-navigation
      < X-XSS-Protection: 1; mode=block
      < BYPASS_HTTP_ERRORS: true
      < Cache-Control: no-cache, no-store, max-age=0, must-revalidate, post-check=0, pre-check=0
      < Pragma: no-cache
      < Expires: 0
      < X-Frame-Options: DENY
      < Content-Type: text/html
      < Content-Length: 2108
      < 
      { [2108 bytes data]
      100  2108  100  2108    0     0  72689      0 --:--:-- --:--:-- --:--:-- 72689
      * Connection #0 to host master.example.com left intact
      

      Expectation:

      • As with other repository formats such as Maven and npm, a request for a vulnerable component via the group repository should be answered with a 403 response carrying the quarantine message, not a 404.
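An added consistency check, not code from the issue or from Nexus itself: it parses `curl -v` transcripts like the two above for the group and the proxy repository and reports when the proxy answers 403 quarantined while the group masks the same component behind a different status. The embedded transcripts are constructed from the output shown above, and the IQ details URL in them is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Response status line as printed by `curl -v` ("< HTTP/1.1 403 ..."); group 2 is the reason phrase.
STATUS_RE = re.compile(r"^< HTTP/1\.[01] (\d{3})\s*(.*)$")
# The Firewall reason phrase carries the quarantine marker followed by an IQ details URL.
QUARANTINE_RE = re.compile(r"REQUESTED ITEM IS QUARANTINED.*?(https?://\S+)")

@dataclass
class Probe:
    repo: str
    status: Optional[int] = None
    quarantined: bool = False
    details_url: Optional[str] = None

def parse_curl_verbose(repo: str, output: str) -> Probe:
    """Extract the final response status from `curl -v` output (the last one wins under -L)."""
    probe = Probe(repo)
    for line in output.splitlines():
        m = STATUS_RE.match(line.strip())
        if not m:
            continue
        probe.status = int(m.group(1))
        q = QUARANTINE_RE.search(m.group(2))
        probe.quarantined = q is not None
        probe.details_url = q.group(1) if q else None
    return probe

def quarantine_mismatch(group: Probe, proxy: Probe) -> Optional[str]:
    """Flag the reported bug: proxy says 403 quarantined, group hides it behind another status."""
    if proxy.quarantined and proxy.status == 403 and not group.quarantined:
        return (f"{group.repo} returned {group.status} for a component that "
                f"{proxy.repo} quarantines (403, see {proxy.details_url})")
    return None

# Constructed transcripts modelled on the issue's curl output; the IQ URL is a placeholder.
GROUP_OUTPUT = """> GET /repository/nuget-group/v3/content/log4net/2.0.5/log4net.2.0.5.nupkg HTTP/1.1
< HTTP/1.1 404 The specified blob does not exist.
"""
PROXY_OUTPUT = """> GET /repository/nuget.org-proxy/v3/content/log4net/2.0.5/log4net.2.0.5.nupkg HTTP/1.1
< HTTP/1.1 403 -------------------->>> REQUESTED ITEM IS QUARANTINED -------------------->>> FOR DETAILS SEE ------>>> http://iq.example.com:8070/ui/links/repositories/quarantinedComponent/PLACEHOLDER <<<------
"""

def check_sample() -> Optional[str]:
    group = parse_curl_verbose("nuget-group", GROUP_OUTPUT)
    proxy = parse_curl_verbose("nuget.org-proxy", PROXY_OUTPUT)
    return quarantine_mismatch(group, proxy)
```

To run it against a live instance, capture each `curl -LOv ...` transcript from the steps above (stderr) into a string and pass it to `parse_curl_verbose` in place of the constructed samples.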

      People

      Assignee: Unassigned
      Reporter: Jay Kumar SenSharma (jsensharma)
      Last Updated By: Rich Seddon
      Votes: 0
      Watchers: 3
