Artifactory Binary Repository / RTFACT-14442

NuGet repositories allow users without delete permissions to overwrite certain packages

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: High
    • Resolution: Fixed
    • Affects Version/s: 5.3.2, 5.4.4
    • Fix Version/s: 5.6.0
    • Component/s: NuGet
    • Labels: None
    • Sprint: Leap 19, Leap 23

      Description

      NuGet repositories allow users without delete permissions to overwrite certain packages.

      To reproduce:
      1. Create a local NuGet repository
      2. Create a user and give it deploy/annotate/read permissions on the NuGet repository (no delete/overwrite permissions).
      3. Upload a NuGet package that has a '-' in its file name, for example:

      curl -utester:tester -XPUT "http://localhost:8081/artifactory/nuget-local/using-Dahes.1.0.0.nupkg" -T example.1.0.0.nupkg

      4. Repeat step #3
      5. Notice that the original package has now been overwritten

      If it is a pre-release package, then overriding the existing package is expected to work even without delete permissions.
      The problem is with the check Artifactory performs to decide whether the uploaded package is a pre-release or not.

      See here for the NuGet pre-release version convention (such as 1.0.0-RC):
      https://docs.microsoft.com/en-us/nuget/create-packages/prerelease-packages

      Artifactory checks whether there is any '-' anywhere in the file name (which is why the package above is overridden), where it should only check for a dash in the baseRevision (which represents the version).

      This works as expected:

      curl -utester:tester -XPUT "http://localhost:8081/artifactory/nuget-local/using.Dots.1.0.0.nupkg" -T example.1.0.0.nupkg

      {
        "errors" : [
          { "status" : 403, "message" : "Not enough permissions to overwrite artifact 'nuget-local:using-Dots.1.0.0.nupkg' (user 'tester' needs DELETE permission)." }
        ]
      }
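      The faulty check and its corrected form, as an added Python example (not Artifactory's code): a dash test over the whole file name beside a dash test over the version only. It assumes the NuGet file-name layout '<id>.<version>.nupkg', with the version starting at the first purely numeric dot-separated segment (an assumption made here for parsing, since package ids may themselves contain dots).

```python
from typing import NamedTuple


class NuGetName(NamedTuple):
    package_id: str
    version: str


def parse_nupkg_name(filename: str) -> NuGetName:
    """Split '<id>.<version>.nupkg' into package id and version.

    Assumption for this example: the version begins at the first
    dot-separated segment that is purely numeric (the major version),
    so ids such as 'using-Dahes' or 'using.Dots' stay with the id.
    """
    base = filename[:-len(".nupkg")] if filename.endswith(".nupkg") else filename
    parts = base.split(".")
    for i in range(1, len(parts)):
        if parts[i].isdigit():
            return NuGetName(".".join(parts[:i]), ".".join(parts[i:]))
    raise ValueError(f"no version segment found in {filename!r}")


def is_prerelease_buggy(filename: str) -> bool:
    # The behaviour the ticket describes: a dash anywhere in the file name,
    # including inside the package id, is taken as a pre-release marker.
    return "-" in filename


def is_prerelease_fixed(filename: str) -> bool:
    # Only a dash in the version (SemVer pre-release suffix such as 1.0.0-RC)
    # marks a pre-release; dashes in the package id are ignored.
    return "-" in parse_nupkg_name(filename).version


def may_overwrite(filename: str, has_delete: bool, check=is_prerelease_fixed) -> bool:
    # Rule stated in the ticket: overwriting a release package needs DELETE,
    # while a pre-release package may be overwritten with deploy permission.
    return has_delete or check(filename)


if __name__ == "__main__":
    # Constructed sample names taken from the reproduction steps above.
    for name in ("using-Dahes.1.0.0.nupkg", "using.Dots.1.0.0.nupkg", "example.1.0.0-RC.nupkg"):
        print(name, "buggy:", is_prerelease_buggy(name), "fixed:", is_prerelease_fixed(name))
```

      With the buggy check, a deploy-only user can overwrite 'using-Dahes.1.0.0.nupkg'; with the version-scoped check, only a genuinely pre-release version such as 1.0.0-RC is exempt from the DELETE requirement.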

            People

            • Assignee: aviz Avi Zaig (Inactive)
            • Reporter: arturoa Arturo Aparicio
            • Assigned QA: Anastasiya Muntyan