Namespace Confusion: Minimizing Risk with Nexus Repository
In case you’re here and you’re not sure why you should care about namespaces and routing rules, I highly recommend you start here.
Now that you know why this matters, let's look at how Nexus Repository can help you minimize that risk.
How to Protect Yourself with Nexus Repository Manager
If you're using NXRM 3, you can protect your organization immediately with a feature called repository routing rules.
A routing rule is a list of regular expressions plus a mode (block or allow) that you assign to a proxy repository; each incoming request path is tested against the rule before the proxy contacts the remote. A block rule that matches coordinates belonging to your own organization means the proxy never asks the public registry for them, which is exactly the request a namespace-confusion attack relies on.
Here is an example routing rule that blocks any Sonatype-namespaced Java components from being fetched from a proxy of Maven Central:
The regular expression you need varies from ecosystem to ecosystem, because each format lays out its repository paths differently. Write each matcher against the full request path and anchor it with ^ and $ so that it cannot match a substring somewhere else in the path. Here are examples for npm, PyPI, RubyGems and NuGet.
Blocking an Entire Namespace
Blocking org-internal coordinates is a lot easier if you're using namespaces that clearly identify components made by your organization. npm coordinates can have explicit namespaces (scopes), so you can filter them with a single expression:
Ecosystem | Blocking Rule for a Namespace/Scope
npm | ^/@sonatype/.*$
Blocking by Component Name Prefix
Some ecosystems don't support explicit namespaces, but in many cases component names have a prefix that identifies the publishing organization. Match the prefix against the path the proxy actually sees, not the display name: PyPI, for example, normalizes project names in the simple index to lowercase with hyphens, so a rule written with an underscore matches wheel and sdist file names but not the /simple/ index path for the same project.
Ecosystem | Blocking Rule for a Component Name Prefix
PyPI | ^/.*/importlib_.*$
RubyGems | ^/.*/rspec-.*$
NuGet | ^/DotNetNuke..*$
Blocking Specific Components
If your organization creates components that are neither namespaced nor prefixed, you've got more work to do. You'll need to create a blocking matcher for every such component your organization uses, anchored on the exact name so that it does not also block unrelated public packages that happen to share a substring:
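To make the rule semantics concrete, here is an added example (written for this article, not code from the original post or from Nexus Repository) that models an NXRM 3 routing rule as a mode plus a list of regex matchers and evaluates the namespace, prefix and exact-name rules discussed above against constructed request paths. The Maven groupId rule, the hyphen-tolerant PyPI matcher, the escaped dot in the NuGet matcher, the unscoped npm component names, the ALLOW-mode rule and the REST payload shape are all assumptions made for illustration; check the payload against your server's API documentation before using it.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Added illustration of how NXRM 3 routing rules behave; not Nexus code.
# All request paths below are constructed to resemble what a proxy
# repository receives for each format.


@dataclass
class RoutingRule:
    """Minimal model of a routing rule: a mode plus regex matchers.

    BLOCK: a request whose path matches any matcher is refused.
    ALLOW: a request is refused unless its path matches some matcher.
    """
    name: str
    mode: str
    matchers: list[str]
    description: str = ""
    _compiled: list = field(init=False, repr=False, default_factory=list)

    def __post_init__(self) -> None:
        if self.mode not in ("BLOCK", "ALLOW"):
            raise ValueError(f"unknown mode {self.mode!r}")
        self._compiled = [re.compile(m) for m in self.matchers]

    def matches(self, path: str) -> bool:
        return any(p.search(path) for p in self._compiled)

    def blocks(self, path: str) -> bool:
        hit = self.matches(path)
        return hit if self.mode == "BLOCK" else not hit

    def to_api_payload(self) -> dict:
        """Body shape assumed for POST /service/rest/v1/routing-rules in
        NXRM 3 (an assumption; verify against your server's API docs)."""
        return {"name": self.name, "description": self.description,
                "mode": self.mode, "matchers": list(self.matchers)}


def maven_path(group_id: str, artifact_id: str, version: str, filename: str) -> str:
    """Maven coordinates -> repository path: dots in the groupId become slashes."""
    return "/" + "/".join([*group_id.split("."), artifact_id, version, filename])


RULES = {
    # Namespace: the Maven groupId and the npm scope are visible in the path.
    "maven": RoutingRule("block-org-sonatype", "BLOCK", [r"^/org/sonatype/.*$"]),
    "npm": RoutingRule("block-sonatype-scope", "BLOCK", [r"^/@sonatype/.*$"]),
    # Prefix: the PyPI rule from the post matches underscores only ...
    "pypi": RoutingRule("block-importlib-prefix", "BLOCK", [r"^/.*/importlib_.*$"]),
    # ... but PEP 503 normalises names in /simple/ to hyphens, so match both.
    "pypi_normalised": RoutingRule("block-importlib-prefix", "BLOCK",
                                   [r"^/.*/importlib[-_].*$"]),
    "rubygems": RoutingRule("block-rspec-prefix", "BLOCK", [r"^/.*/rspec-.*$"]),
    # Escape the dot: an unescaped '.' would also match /DotNetNukeX/...
    "nuget": RoutingRule("block-dotnetnuke-prefix", "BLOCK", [r"^/DotNetNuke\..*$"]),
    # No namespace or prefix: one anchored matcher per component you publish
    # (hypothetical unscoped package names).
    "npm_exact": RoutingRule("block-internal-unscoped", "BLOCK",
                             [r"^/legacy-util(/.*)?$", r"^/build-helper(/.*)?$"]),
    # ALLOW mode inverts the logic: only the listed paths get through.
    "maven_allow": RoutingRule("allow-only-apache", "ALLOW", [r"^/org/apache/.*$"]),
}


def check(ecosystem: str, path: str) -> bool:
    """True when the ecosystem's rule would refuse this request path."""
    return RULES[ecosystem].blocks(path)


def audit(ecosystem: str, paths: list[str]) -> dict[str, bool]:
    """Evaluate a batch of paths, e.g. pulled from the proxy's request log."""
    return {p: check(ecosystem, p) for p in paths}


if __name__ == "__main__":
    sample = [  # constructed request paths
        maven_path("org.sonatype.nexus", "nexus-core", "3.0.0", "nexus-core-3.0.0.jar"),
        maven_path("org.apache.commons", "commons-lang3", "3.12.0",
                   "commons-lang3-3.12.0.jar"),
    ]
    for path, blocked in audit("maven", sample).items():
        print(f"{'BLOCK' if blocked else 'allow':5} {path}")
    print(RULES["maven"].to_api_payload())
```

Running the script prints the block/allow decision per Maven path and the JSON-shaped payload you would send to create the rule. The PyPI pair is the one to study: the post's underscore-only matcher blocks the wheel download but lets the /simple/importlib-metadata/ index request through, while the [-_] variant catches both.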
*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Michael Prescott. Read the original post at: https://blog.sonatype.com/namespace-confusion-minimizing-risk-with-nexus-repository