Project: Artifactory Binary Repository
Issue: RTFACT-23049

Prevent internal package squatting on Public registries


    Details

    • Type: New Feature
    • Status: Closed
    • Priority: 2 - Critical
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels: None

      Description

      After emailing support I was told to raise a feature request here.

      I've recently been made aware of a problem where it's possible for an attacker to make a new version of an internal artifact on a public registry, which users or CI systems could download when looking for the latest version.

      I am vulnerable to this because I use virtual repositories which have a local repository for internal artifacts, and a remote repository for public artifacts. Previously I interpreted the docs at https://www.jfrog.com/confluence/display/JFROG/Virtual+Repositories to mean that local repositories were always preferred. I now understand that remote repositories can be used to get a new version of an artifact which is in a local repository. I see the section in the docs about using Excludes Patterns to make sure internal artifacts aren't fetched from remotes, but this would require constantly updating the patterns with new internal artifacts.

      Can I ask for a feature where, if any version of an artifact exists in a local repository in a virtual repository, the remote repositories in the virtual repository are not used to find new versions? It could be a checkbox when configuring a virtual repository. This would prevent the entire class of vulnerability without further configuration, and would work in a way which is easy to explain to end users.

      Thank you.
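A small model of the resolution behaviour the reporter describes, added here as an example (it is not Artifactory code and not part of the issue): it shows how a squatted public package carrying a higher version wins "latest" over the internal artifact, and how both the documented Excludes Pattern workaround and the requested local-first option close that gap. Repository contents, artifact names and versions are constructed; versions are assumed to be dotted numerics.

```python
from fnmatch import fnmatch

# Constructed inventory (not real repositories): artifact name -> versions held.
# LOCAL stands for the virtual repository's local repo of internal artifacts,
# REMOTE for a remote repo proxying a public registry.
LOCAL = {"acme-internal-lib": ["1.2.0", "1.3.1"]}
REMOTE = {
    "acme-internal-lib": ["1.3.1", "9.9.9"],  # squatted name with a higher version
    "requests": ["2.31.0"],                   # genuine public dependency
}


def parse_version(version):
    """Dotted numeric versions only (assumption), e.g. '1.3.1' -> (1, 3, 1)."""
    return tuple(int(part) for part in version.split("."))


def resolve_latest(name, local, remote, excludes=(), local_pins=False):
    """Return (version, source) the virtual repository would serve for 'latest'.

    excludes   : Excludes Patterns applied to the remote (the documented workaround).
    local_pins : the requested feature; any local version suppresses the remotes.
    """
    candidates = [(parse_version(v), v, "local") for v in local.get(name, [])]
    remote_allowed = not any(fnmatch(name, pattern) for pattern in excludes)
    if local_pins and candidates:
        remote_allowed = False
    if remote_allowed:
        candidates += [(parse_version(v), v, "remote") for v in remote.get(name, [])]
    if not candidates:
        return None
    # Highest version wins; on an equal version the local copy is preferred.
    _, version, source = max(candidates, key=lambda c: (c[0], c[2] == "local"))
    return version, source


def squattable(local, remote, excludes=(), local_pins=False):
    """Internal artifacts whose 'latest' would currently be served from a remote."""
    return sorted(
        name for name in local
        if resolve_latest(name, local, remote, excludes, local_pins)[1] == "remote"
    )


if __name__ == "__main__":
    print("current behaviour:", squattable(LOCAL, REMOTE))
    print("with excludes:    ", squattable(LOCAL, REMOTE, excludes=("acme-internal-*",)))
    print("with local pins:  ", squattable(LOCAL, REMOTE, local_pins=True))
```

Running `squattable` against a real inventory (local repo listing plus the remote's view of the same names) gives a defender the list of internal artifacts a virtual repository would hand to CI from the public side.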


              People

              Assignee: Nadav Yogev (nadavy)
              Reporter: Fergal Hainey (fergal)
              Votes: 15
              Watchers: 18


                  Sync Status

                  Connection: RTFACT Sync
                  Synced issue: RTMID-23049
                  Status: SYNCHRONIZED