Dev - Nexus Repo / NEXUS-34591

protect against accidental staging moves of entire repositories

    Details

    • Type: Improvement
    • Status: New
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.40.1
    • Fix Version/s: None
    • Component/s: Staging
    • Notability: 3

      Description

      A customer used curl to trigger a staging move operation using this from the command line:

      curl -v -u token:token -L -X POST https://nexus.example.com/service/rest/v1/staging/move/maven-dev-hosted?repository=maven-releases-hosted&group=com.example&name=fake-example-rev4&version=5.5Rev4
      

      Their intent was to be very specific about what they moved: a single group, artifact id and component version.

      Instead, because the URL fed into curl was not quoted, the query parameters after the first & were cut off by the shell and never reached curl, and this resulted in EVERY COMPONENT IN THE ENTIRE SOURCE REPO being MOVED into the target repo.

      This resulted in major production impacts and weeks of recovery.

      Expected

      Change the staging move API to better protect against accidental moves of entire repos.

      Ideas for ways to design a better API

      a) When a staging move operation is executed that asks to move every component in an entire repo, then also require an additional query parameter to be set that confirms the requestor is acknowledging this is what they want, i.e. force=true.

      b) Prevent and fail any staging move request that tries to move an entire repo via the existing API; instead add a completely different API, dedicated to moving the contents of an entire repo, that has to be called for that case.
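The following is an added example, not Nexus Repository code, that models the failure described above and the guard proposed in idea (a). The parameter names repository, group, name and version and the URL are taken from the curl command in the issue; the force parameter is the confirmation flag the idea proposes; shell_truncate, parse_move_request, validate_move and RepoWideMoveError are constructed for this example.

```python
"""Added example (not Nexus Repository code): shows what an unquoted staging
move URL looks like once the shell has split it, and a server-side guard that
rejects a repository-wide move unless the caller confirms it with force=true
(idea (a) in the issue). All function and class names here are constructed."""
from urllib.parse import urlsplit, parse_qs

# The URL exactly as the customer typed it (taken from the issue description).
FULL_URL = ("https://nexus.example.com/service/rest/v1/staging/move/maven-dev-hosted"
            "?repository=maven-releases-hosted&group=com.example"
            "&name=fake-example-rev4&version=5.5Rev4")

# Query parameters that narrow a move to particular components; any of them
# present means the request is NOT a repository-wide move.
SELECTOR_PARAMS = ("group", "name", "version")


def shell_truncate(command_line: str) -> str:
    """Model what curl actually receives when the URL is unquoted: a POSIX shell
    treats an unquoted '&' as the end of the command, so curl only sees the text
    before the first '&' (the remainder becomes separate shell assignments)."""
    return command_line.split("&", 1)[0]


def parse_move_request(url: str) -> dict:
    """Return the query parameters of a staging move request as a flat dict
    (last value wins if a key is repeated)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {key: values[-1] for key, values in query.items()}


class RepoWideMoveError(ValueError):
    """Raised when a move would touch every component in the source repository."""


def validate_move(params: dict) -> dict:
    """Guard for idea (a): a request with no group/name/version selector is a
    repository-wide move and is refused unless force=true is present.
    Returns the accepted parameters with the confirmation flag stripped."""
    if not params.get("repository"):
        raise ValueError("the target 'repository' parameter is required")
    narrowed = any(params.get(p) for p in SELECTOR_PARAMS)
    confirmed = params.get("force", "").lower() == "true"
    if not narrowed and not confirmed:
        raise RepoWideMoveError(
            "request would move every component in the source repository; "
            "add group/name/version to narrow it, or pass force=true to confirm")
    return {key: value for key, value in params.items() if key != "force"}


def outcome(url: str) -> str:
    """Summarise how the guard treats a URL: 'moved' for a narrowed or confirmed
    move, 'refused' for an unconfirmed repository-wide move."""
    try:
        validate_move(parse_move_request(url))
        return "moved"
    except RepoWideMoveError:
        return "refused"


if __name__ == "__main__":
    seen_by_curl = shell_truncate(FULL_URL)
    print("curl received:", seen_by_curl)
    print("params:", parse_move_request(seen_by_curl))
    print("unquoted URL ->", outcome(seen_by_curl))   # refused
    print("quoted URL   ->", outcome(FULL_URL))       # moved
```

Note that the confirmation flag fails closed under the very mistake that caused this incident: if force=true is appended after an unquoted &, the shell drops it along with the selectors, so the guard still sees a bare repository-wide request and refuses it.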


            People

            Assignee: Unassigned
            Reporter: Peter Lynch (plynch)
            Last Updated By: Michael Oliverio
            Votes: 0
            Watchers: 2
