Details
- Type: Bug
- Resolution: Duplicate
- Priority: Major
- Fix Version/s: None
- Affects Version/s: 3.38.1, 3.40.0, 3.40.1
- 3
- 3
Description
When the IQ Audit and Quarantine capability is enabled for a NuGet proxy repository ("nuget.org-proxy") that is a member of a NuGet group repository, any attempt to access a vulnerable component via the group repository results in a '404 The specified blob does not exist.' response from Nexus. When the same asset is accessed directly via the proxy repository, the expected 403 response is returned with the "REQUESTED ITEM IS QUARANTINED" message.
Steps to Reproduce:
- Create a "nuget.org-proxy" repo with remote URL https://api.nuget.org/v3/index.json
- Create a nuget group repo "nuget-group" and add the above proxy repo as a member repository
- Enable "IQ Audit and Quarantine Capability" for "nuget.org-proxy" repo.
- Try to access a vulnerable component via the "nuget-group" and "nuget.org-proxy" repos. Note that the responses are 404 and 403 respectively.
Example:
REPO_NAME="nuget-group"
curl -LOv -u admin:admin123 "http://master.example.com:8081/repository/${REPO_NAME}/v3/content/log4net/2.0.5/log4net.2.0.5.nupkg"
---- OUTPUT ----
* TCP_NODELAY set
* Connected to master.example.com (127.0.1.1) port 8081 (#0)
* Server auth using Basic with user 'admin'
> GET /repository/nuget-group/v3/content/log4net/2.0.5/log4net.2.0.5.nupkg HTTP/1.1
> Host: master.example.com:8081
> Authorization: Basic YWRtaW46YWRtaW4xMjM=
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 The specified blob does not exist.
< Server: Nexus/3.40.1-01 (PRO)
< X-Content-Type-Options: nosniff
< Content-Security-Policy: sandbox allow-forms allow-modals allow-popups allow-presentation allow-scripts allow-top-navigation
< X-XSS-Protection: 1; mode=block
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Expires: 0
< X-Frame-Options: DENY
< Content-Type: text/html
< Content-Length: 1875
<
{ [1875 bytes data]
Access the same component via proxy repo.
REPO_NAME="nuget.org-proxy"
curl -LOv -u admin:admin123 "http://master.example.com:8081/repository/${REPO_NAME}/v3/content/log4net/2.0.5/log4net.2.0.5.nupkg"
---- OUTPUT ----
* TCP_NODELAY set
* Connected to master.example.com (127.0.1.1) port 8081 (#0)
* Server auth using Basic with user 'admin'
> GET /repository/nuget.org-proxy/v3/content/log4net/2.0.5/log4net.2.0.5.nupkg HTTP/1.1
> Host: master.example.com:8081
> Authorization: Basic YWRtaW46YWRtaW4xMjM=
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 -------------------->>> REQUESTED ITEM IS QUARANTINED -------------------->>> FOR DETAILS SEE ------>>> http://master.example.com:8070/ui/links/repositories/quarantinedComponent/OGZkNWMzMGVmOWVmNGY4ZWFkYmVlMmJjMmViYzZkNjY <<<------
< Server: Nexus/3.40.1-01 (PRO)
< X-Content-Type-Options: nosniff
< Content-Security-Policy: sandbox allow-forms allow-modals allow-popups allow-presentation allow-scripts allow-top-navigation
< X-XSS-Protection: 1; mode=block
< BYPASS_HTTP_ERRORS: true
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Expires: 0
< X-Frame-Options: DENY
< Content-Type: text/html
< Content-Length: 2108
<
{ [2108 bytes data]
100  2108  100  2108    0     0  72689      0 --:--:-- --:--:-- --:--:-- 72689
* Connection #0 to host master.example.com left intact
Expectation:
- As with other repository formats such as Maven and npm, a request for a vulnerable component via the group repo should be answered with a 403 and the quarantine message instead of a 404.
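The practical concern behind this report is that a 404 through the group repo hides the quarantine decision (and the Firewall details link) from the consumer, who may simply treat the package as missing. The following script is an added example, not part of the issue or of Sonatype's code: it probes the same package through the group repo and its proxy member, keeps only the HTTP status codes, and classifies the pair so the "proxy 403 but group 404" case reported here is flagged explicitly. The URL, credentials, repository names and package path are taken from the report's examples and can be overridden through the environment; `classify` and `is_consistent` are pure functions that can be exercised without a Nexus instance.

```shell
#!/bin/sh
# Added example: detect a quarantine (403) on a proxy repo being masked as a 404
# through a group repo. Defaults mirror the bug report; all are assumptions.
NEXUS_URL="${NEXUS_URL:-http://master.example.com:8081}"
NEXUS_AUTH="${NEXUS_AUTH:-admin:admin123}"   # report's default admin credentials
GROUP_REPO="${GROUP_REPO:-nuget-group}"
PROXY_REPO="${PROXY_REPO:-nuget.org-proxy}"
PKG_PATH="${PKG_PATH:-v3/content/log4net/2.0.5/log4net.2.0.5.nupkg}"

# Fetch only the HTTP status code for one repository; the body is discarded.
probe_status() {
    repo="$1"
    curl -s -o /dev/null -w '%{http_code}' -u "$NEXUS_AUTH" \
        "${NEXUS_URL}/repository/${repo}/${PKG_PATH}"
}

# Pure classification of (group_code, proxy_code). The proxy is the source of
# truth: if it says 403 (quarantined), the group should say 403 as well.
classify() {
    group_code="$1"
    proxy_code="$2"
    case "${proxy_code}:${group_code}" in
        403:403) echo "quarantined-consistent" ;;
        403:404) echo "quarantined-masked-as-404" ;;   # the behaviour in this report
        403:*)   echo "quarantined-unexpected-group-${group_code}" ;;
        200:200) echo "served" ;;
        *)       echo "other-${proxy_code}-${group_code}" ;;
    esac
}

# Exit 0 when the group repo mirrors the proxy's status code, 1 otherwise.
is_consistent() {
    [ "$1" = "$2" ]
}

# Live probe: prints both codes and the verdict, exits non-zero on a mismatch.
main() {
    g=$(probe_status "$GROUP_REPO")
    p=$(probe_status "$PROXY_REPO")
    echo "proxy=${p} group=${g} verdict=$(classify "$g" "$p")"
    is_consistent "$g" "$p"
}

# Only contact Nexus when explicitly requested, so the file can be sourced
# for testing the pure functions without network access.
if [ "${PROBE_RUN:-0}" = 1 ]; then
    main
fi
```

Run it against a real instance with `PROBE_RUN=1 NEXUS_URL=http://nexus.internal:8081 sh probe.sh`; a non-zero exit with the verdict `quarantined-masked-as-404` reproduces the condition described above, and the same check can be pointed at Maven or npm group/proxy pairs by changing `PKG_PATH` and the repo names.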
Issue Links
- duplicates: NEXUS-31188 Nexus Firewall quarantined component returns 404 status through group repository instead of 403 (Closed)
- is related to: NEXUS-31188 Nexus Firewall quarantined component returns 404 status through group repository instead of 403 (Closed)