  1. Dev - Nexus Repo
  2. NEXUS-8643

Describe masks some data when anonymous/logged out

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: 3.0.0-m4
    • Fix Version/s: None
    • Component/s: Security, Support Tools
    • Labels:
      None
    • Environment:
      Chrome, FF MacOSX

      Description

      I noticed that when logged out of Nexus and hitting a valid describe URL (default directory or an uploaded file), no response section is displayed.
      When hitting an invalid describe URL, the 404 response is displayed.
      When logged in all proper responses are displayed.

      Mentioned this to Michael Prescott and he seemed surprised by this. I can see why: from a security standpoint, through not saying something, we're actually saying something (no results meaning there's valid data in this case).

      I mentioned checking vs NX2 and he led me to believe its innards are different enough not to check, so I'm just filing for discussion at triage.

      Examples:
      Valid= http://localhost:8081/repository/nuget-hosted/?describe
      Invalid= http://localhost:8081/repository/nuget-hosted/SONATYPE.TEST/1.0/giraffe/?describe

            People

            Assignee:
            Unassigned
            Reporter:
            jtom Joe Tom
            Last Updated By:
            Peter Lynch