- Type: New Feature
- Status: Closed
- Resolution: Done
- Affects Version/s: None
- Fix Version/s: None
- Component/s: None
- Labels: None
After emailing support I was told to raise a feature request here.
I've recently been made aware of a problem where it's possible for an attacker to make a new version of an internal artifact on a public registry, which users or CI systems could download when looking for the latest version.
I am vulnerable to this because I use virtual repositories which have a local repository for internal artifacts, and a remote repository for public artifacts. Previously I interpreted the docs at https://www.jfrog.com/confluence/display/JFROG/Virtual+Repositories to mean that local repositories were always preferred. I now understand that remote repositories can be used to get a new version of an artifact which is in a local repository. I see the section in the docs about using Excludes Patterns to make sure internal artifacts aren't fetched from remotes, but this would require constantly updating the patterns with new internal artifacts.
Can I ask for a feature where, if any version of an artifact exists in a local repository in a virtual repository, the remote repositories in the virtual repository are not used to find new versions? It could be a checkbox when configuring a virtual repository. This would prevent the entire class of vulnerability without further configuration, and would work in a way which is easy to explain to end users.
Thank you.
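The resolution behaviour this request describes, as an added example in Python that is not Artifactory's own code: a merged-index resolver (the behaviour the reporter ran into) beside the requested local-shadows-remote variant, plus an audit check for existing virtual repositories. Function names and the sample indexes are constructed for the example.

```python
"""Model of version resolution in a virtual repository that merges a local
(internal) repository with a remote (public) one.  Repository contents below
are constructed sample data, not real packages."""
from typing import Dict, List, Optional, Tuple

Index = Dict[str, List[str]]          # artifact name -> available versions


def parse_version(v: str) -> Tuple[int, ...]:
    # Dotted numeric versions only; enough for this illustration.
    return tuple(int(part) for part in v.split("."))


def resolve_latest_merged(name: str, local: Index, remote: Index) -> Optional[Tuple[str, str]]:
    """Merged-index behaviour: every repository's versions are pooled and the
    highest one wins, wherever it comes from.  Returns (version, source)."""
    candidates = [(parse_version(v), v, "local") for v in local.get(name, [])]
    candidates += [(parse_version(v), v, "remote") for v in remote.get(name, [])]
    if not candidates:
        return None
    _, version, source = max(candidates)
    return version, source


def resolve_latest_shadowed(name: str, local: Index, remote: Index) -> Optional[Tuple[str, str]]:
    """Requested behaviour: if any version of the artifact exists locally,
    the remote index is not consulted at all, so a public package with a
    higher version number cannot shadow the internal one."""
    if local.get(name):
        return max(local[name], key=parse_version), "local"
    if remote.get(name):
        return max(remote[name], key=parse_version), "remote"
    return None


def find_shadowing_risks(local: Index, remote: Index) -> List[str]:
    """Audit check: internal artifacts for which the remote offers a higher
    version than any internal one.  These are the names a merged resolver
    would serve from the public registry."""
    risks = []
    for name, versions in local.items():
        remote_versions = remote.get(name, [])
        if remote_versions and max(map(parse_version, remote_versions)) > max(map(parse_version, versions)):
            risks.append(name)
    return sorted(risks)


# Constructed sample indexes: 'internal-lib' exists internally at 1.2.0, and a
# higher-numbered package of the same name has appeared on the public registry.
LOCAL: Index = {"internal-lib": ["1.0.0", "1.2.0"]}
REMOTE: Index = {"internal-lib": ["1.2.0", "99.0.0"], "public-lib": ["2.3.1"]}
```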
- contains: RTFACT-24989 Shadowing requests for third party during the virtual repo index merge for NuGet V3 (Done)
- is duplicated by: RTFACT-23326 Give an option to disallow unspecified or latest version in remote within a virtual (Closed)