Dev - Nexus Repo
NEXUS-35220

Race condition in npm audit can cause an npm group repository to enter invalid state

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.41.1
    • Fix Version/s: None
    • Component/s: Audit, NPM
    • Labels:
    • Story Points:
      1
    • Sprint:
      NXRM Sentinels Sprint 44, NXRM Sentinels Sprint 43
    • Notability:
      2
    • InvestmentLayer:
      support-escalated
    • Aha Concept:
      non-concept

      Description

      It looks like npm audit requests will create in-memory npm group repositories.

      .. - - [12/Sep/2022:21:15:12 +0000] "POST /repository/npmgroup/-/npm/v1/security/advisories/bulk HTTP/1.1" 400 7413 1884 36 "npm/8.19.1 node/v18.9.0 darwin x64 workspaces/false" [qtp552217792-66084]

      ... - - [12/Sep/2022:21:15:13 +0000] "POST /repository/npmgroup/-/npm/v1/security/audits/quick HTTP/1.1" 500 111204 253 270 "npm/8.19.1 node/v18.9.0 darwin x64 workspaces/false" [qtp552217792-65981]

      And in the nexus.log we see:

      2022-09-12 21:15:12,430+0000 INFO [qtp552217792-66084] *UNKNOWN org.sonatype.nexus.repository.manager.internal.RepositoryManagerImpl - Creating repository in memory: npm-group -> ConfigurationData{repositoryName='npm-group', recipeName='npm-group', attributes={group={memberNames=[npm-hosted, npmjs.org-proxy-auditmode], groupWriteMember=npm-hosted}, storage={blobStoreName=default, dataStoreName=nexus, strictContentTypeValidation=true}}}

      2022-09-12 21:15:13,166+0000 INFO [qtp552217792-65981] *UNKNOWN org.sonatype.nexus.repository.manager.internal.RepositoryManagerImpl - Creating repository in memory: npm-group -> ConfigurationData{repositoryName='npm-group', recipeName='npm-group', attributes={group=, storage={blobStoreName=default, dataStoreName=nexus, strictContentTypeValidation=true}}}

      And further, it looks like those two simultaneous npm group repository creation requests can cause the repository to enter an invalid state:

      2022-09-12 21:16:50,752+0000 WARN [qtp552217792-65941] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Failure servicing: GET /repository/npm-group/ciam-models
      org.sonatype.nexus.common.stateguard.InvalidStateException: Invalid state: INITIALISED; allowed: [STARTED]
      at org.sonatype.nexus.common.stateguard.StateGuard._ensure(StateGuard.java:115)
      at org.sonatype.nexus.common.stateguard.StateGuard.access$1(StateGuard.java:108)
      at org.sonatype.nexus.common.stateguard.StateGuard$GuardImpl.run(StateGuard.java:271)
      at org.sonatype.nexus.common.stateguard.GuardedInterceptor.invoke(GuardedInterceptor.java:54)
      at com.sonatype.nexus.repository.content.npm.internal.NpmGroupDataFacet.members(NpmGroupDataFacet.java:404)
      at com.sonatype.nexus.repository.content.npm.internal.NpmGroupDataFacet$members$1.call(Unknown Source)
      at com.sonatype.nexus.repository.content.npm.internal.NpmGroupHandler.getResponses(NpmGroupHandler.groovy:27)
      at sun.reflect.GeneratedMethodAccessor433.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:498)

      Expected: An npm audit request should not be able to break a group repository. We need to fix this race condition.

      Workaround: It is necessary to restart Nexus Repo when this bug occurs.
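      An added illustration of the kind of race described above, written for this page and not taken from Nexus Repository's source: a hypothetical in-memory registry that publishes a group repository before starting it, so a concurrent request can be serviced against an instance that is still INITIALISED, beside a variant that creates and starts the repository atomically. The class, method and field names are assumptions; the state names and error message mirror the exception in the stack trace, and the page does not show the real creation code path.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;

// Hypothetical model of an in-memory repository registry; not Nexus's RepositoryManagerImpl.
public class InMemoryGroupRace {
    enum State { INITIALISED, STARTED }

    static final class Repository {
        final String name;
        volatile State state = State.INITIALISED;
        Repository(String name) { this.name = name; }
        void start() { state = State.STARTED; }
        // Stands in for a facet method that may only run in STARTED (cf. NpmGroupDataFacet.members).
        String members() {
            if (state != State.STARTED) throw new IllegalStateException("Invalid state: " + state + "; allowed: [STARTED]");
            return "members of " + name;
        }
    }
    static final Map<String, Repository> repos = new ConcurrentHashMap<>();
    // Racy: the repository is published into the registry before it is started, so a second
    // request that arrives in that window is handed an INITIALISED instance.
    static Repository getOrCreateRacy(String name, CountDownLatch gap) throws InterruptedException {
        Repository repo = repos.get(name);
        if (repo == null) {
            repo = new Repository(name);
            repos.put(name, repo);
            gap.await();   // constructed delay between publish and start, to make the window reproducible
            repo.start();
        }
        return repo;
    }
    // Fixed: create and start atomically inside computeIfAbsent, so one instance per name and none visible before STARTED.
    static Repository getOrCreateSafe(String name) {
        return repos.computeIfAbsent(name, n -> { Repository r = new Repository(n); r.start(); return r; });
    }

    public static void main(String[] args) throws Exception {
        CountDownLatch gap = new CountDownLatch(1);
        Thread first = new Thread(() -> { try { getOrCreateRacy("npm-group", gap); } catch (InterruptedException e) { Thread.currentThread().interrupt(); } });
        first.start();
        while (repos.get("npm-group") == null) Thread.onSpinWait();   // wait for the first request to publish
        try { getOrCreateRacy("npm-group", gap).members(); } catch (IllegalStateException e) { System.out.println("racy: " + e.getMessage()); }
        gap.countDown();
        first.join();
        repos.clear();
        System.out.println("safe: " + getOrCreateSafe("npm-group").members());
    }
}
```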


              People

              Assignee:
              Unassigned
              Reporter:
              rseddon Rich Seddon
              Last Updated By:
              Olu Shiyanbade
              Team:
              NXRM - Sentinels
              Owner:
              Olu Shiyanbade
              Votes:
              1
              Watchers:
              8
