composer firewall demo - michaelmworthington/codesamples GitHub Wiki

Introduction

This page walks through the steps to set up NXRM and a Composer Docker container to test Composer Firewall using https://packagist.org/ as the upstream.

See the community docs at https://github.com/sonatype-nexus-community/nexus-repository-composer

Prerequisites

  • IQ Server installed and running
  • NXRM 3 installed and running and configured with the IQ Server
  • Docker for Mac installed and running

Step 1. Create a new Proxy Repository in NXRM

Use https://packagist.org/ as the Remote URL. Accept default values for the remainder of the settings.

Step 2. Enable Firewall for the New Proxy Repo

Step 3. Run the Docker Image in Interactive Mode

docker run -it --rm composer bash

Unlike the centos image used in the Yum Firewall Demo, this image runs the 'composer' command when starting the container rather than plain 'bash'. Since I want to run a couple of composer commands, force Docker to run bash instead.

Step 4. Use the composer command line to set up the repo sources

Create the following composer.json. The "packagist.org": false entry stops Composer from falling back to packagist.org directly, so every request goes through the NXRM proxy; "secure-http": false is only needed because the proxy URL here is plain http.

{
    "repositories": [
        {
          "type": "composer",
          "url": "http://host.docker.internal:8083/nexus/repository/composer-packagist.org-proxy/"
        },
        {
          "packagist.org": false
        }
    ],
    "config": {
        "secure-http": false
    },
    "require": {
        "phpdocumentor/type-resolver": "^1.4"
    }
}

Step 5. Use composer to Install a package

composer install

Observe the inbound requests to NXRM in the request.log file:

172.18.0.1 - - [11/Nov/2020:23:10:04 -0500] "GET /nexus/repository/composer-packagist.org-proxy/packages.json HTTP/1.1" 200 - 11794748 222 "Composer/2.0.6 (Linux; 5.4.39-linuxkit; PHP 7.4.12; curl 7.69.1)" [qtp398150537-422] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
172.18.0.1 - - [11/Nov/2020:23:10:05 -0500] "GET /nexus/repository/composer-packagist.org-proxy/p/phpdocumentor/type-resolver.json HTTP/1.1" 200 - 28143 14 "Composer/2.0.6 (Linux; 5.4.39-linuxkit; PHP 7.4.12; curl 7.69.1)" [qtp398150537-430] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
172.18.0.1 - - [11/Nov/2020:23:10:05 -0500] "GET /nexus/repository/composer-packagist.org-proxy/packages.json HTTP/1.1" 200 - 11794748 180 "Composer/2.0.6 (Linux; 5.4.39-linuxkit; PHP 7.4.12; curl 7.69.1)" [qtp398150537-413] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
172.18.0.1 - - [11/Nov/2020:23:10:06 -0500] "GET /nexus/repository/composer-packagist.org-proxy/p/phpdocumentor/type-resolver.json HTTP/1.1" 200 - 28143 15 "Composer/2.0.6 (Linux; 5.4.39-linuxkit; PHP 7.4.12; curl 7.69.1)" [qtp398150537-430] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
172.18.0.1 - - [11/Nov/2020:23:10:06 -0500] "GET /nexus/repository/composer-packagist.org-proxy/p/phpdocumentor/reflection-common.json HTTP/1.1" 200 - 12607 47 "Composer/2.0.6 (Linux; 5.4.39-linuxkit; PHP 7.4.12; curl 7.69.1)" [qtp398150537-413] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
172.18.0.1 - - [11/Nov/2020:23:10:07 -0500] "GET /nexus/repository/composer-packagist.org-proxy/phpdocumentor/reflection-common/2.2.0/phpdocumentor-reflection-common-2.2.0.zip HTTP/1.1" 200 - 8253 27 "Composer/2.0.6 (Linux; 5.4.39-linuxkit; PHP 7.4.12; curl 7.69.1)" [qtp398150537-430] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"
172.18.0.1 - - [11/Nov/2020:23:10:07 -0500] "GET /nexus/repository/composer-packagist.org-proxy/phpdocumentor/type-resolver/1.4.0/phpdocumentor-type-resolver-1.4.0.zip HTTP/1.1" 200 - 36087 39 "Composer/2.0.6 (Linux; 5.4.39-linuxkit; PHP 7.4.12; curl 7.69.1)" [qtp398150537-413] host=host.docker.internal:8083 forwarded-proto=- forwarded-host=- forwarded-port=- forwarded-server=- "new-forwarded=-" "RUT=-" "foo=-"

Step 6. Browse the Proxy Repo

Step 7. Go to the Firewall Report

Repo List

IQ Server Report

Step 8. Test Quarantine

jqueryui 1.11.4 has CVE-2016-7103 with CVSS 6.1, so you'll need to have Quarantine enabled in the capability you created in step 2, and Proxy=Fail in your Security-Medium policy in IQ Server.

composer require components/jqueryui:1.11.4

Console Output

Repo List

IQ Server Report

Step 9. Notes

The NXRM Tree View shows the Quarantined component:

You can reproduce the 403 - Quarantined error by clicking on the "Path" link: http://host.docker.internal:8083/nexus/repository/composer-packagist.org-proxy/components/jqueryui/1.11.4/components-jqueryui-1.11.4.zip

You can view the component information panel (CIP) right in NXRM
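To make the request.log evidence from Step 5 and the 403 quarantine behaviour from Steps 8 and 9 easy to review, here is an added parser (example code, not part of the original wiki page or of NXRM) that reads request.log lines from the Composer proxy and reports which package archives were served and which were blocked. The sample lines are copied from the Step 5 log, except the final 403 line, which is constructed to show what a quarantined download of the jqueryui archive would look like; the interpretation of the two numeric columns after the status code (response bytes, elapsed milliseconds) is an assumption about the NXRM request.log layout.

```python
"""Summarise NXRM request.log traffic for a Composer proxy repository.

Distinguishes Composer metadata fetches (packages.json, p/<vendor>/<pkg>.json)
from archive downloads (<vendor>/<pkg>/<version>/<file>.zip) and flags
archives that came back 403, which is what Firewall quarantine returns.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed request.log layout: client - user [ts] "METHOD path PROTO" status req_bytes resp_bytes ms "UA" ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) \S+ (?P<resp_bytes>\S+) (?P<ms>\d+) "(?P<ua>[^"]*)"'
)
REPO_RE = re.compile(r'^/nexus/repository/(?P<repo>[^/]+)/(?P<rest>.*)$')
ARCHIVE_RE = re.compile(r'^(?P<vendor>[^/]+)/(?P<package>[^/]+)/(?P<version>[^/]+)/[^/]+\.zip$')


@dataclass
class Event:
    client: str
    timestamp: str
    repo: str
    kind: str                 # "metadata", "archive" or "other"
    package: Optional[str]    # "vendor/package" for archives
    version: Optional[str]
    status: int
    user_agent: str


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a repository request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rm = REPO_RE.match(m['path'])
    if not rm:
        return None  # UI, REST API or other non-repository traffic
    rest = rm['rest']
    kind, package, version = 'other', None, None
    if rest == 'packages.json' or (rest.startswith('p/') and rest.endswith('.json')):
        kind = 'metadata'
    else:
        am = ARCHIVE_RE.match(rest)
        if am:
            kind = 'archive'
            package = f"{am['vendor']}/{am['package']}"
            version = am['version']
    return Event(m['client'], m['ts'], rm['repo'], kind, package, version,
                 int(m['status']), m['ua'])


def parse_log(text: str) -> List[Event]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def served_archives(events: List[Event]) -> List[str]:
    """Archives the proxy actually handed to Composer (HTTP 200)."""
    return [f"{e.package}@{e.version}" for e in events if e.kind == 'archive' and e.status == 200]


def quarantined_archives(events: List[Event]) -> List[str]:
    """Archives Firewall refused to serve (HTTP 403 from the proxy)."""
    return [f"{e.package}@{e.version}" for e in events if e.kind == 'archive' and e.status == 403]


# Sample input: first three lines copied from the page's request.log; the 403 line is constructed.
SAMPLE_LOG = """\
172.18.0.1 - - [11/Nov/2020:23:10:04 -0500] "GET /nexus/repository/composer-packagist.org-proxy/packages.json HTTP/1.1" 200 - 11794748 222 "Composer/2.0.6 (Linux; 5.4.39-linuxkit; PHP 7.4.12; curl 7.69.1)" [qtp398150537-422] host=host.docker.internal:8083
172.18.0.1 - - [11/Nov/2020:23:10:07 -0500] "GET /nexus/repository/composer-packagist.org-proxy/phpdocumentor/reflection-common/2.2.0/phpdocumentor-reflection-common-2.2.0.zip HTTP/1.1" 200 - 8253 27 "Composer/2.0.6 (Linux; 5.4.39-linuxkit; PHP 7.4.12; curl 7.69.1)" [qtp398150537-430] host=host.docker.internal:8083
172.18.0.1 - - [11/Nov/2020:23:10:07 -0500] "GET /nexus/repository/composer-packagist.org-proxy/phpdocumentor/type-resolver/1.4.0/phpdocumentor-type-resolver-1.4.0.zip HTTP/1.1" 200 - 36087 39 "Composer/2.0.6 (Linux; 5.4.39-linuxkit; PHP 7.4.12; curl 7.69.1)" [qtp398150537-413] host=host.docker.internal:8083
172.18.0.1 - - [11/Nov/2020:23:15:00 -0500] "GET /nexus/repository/composer-packagist.org-proxy/components/jqueryui/1.11.4/components-jqueryui-1.11.4.zip HTTP/1.1" 403 - 0 12 "Composer/2.0.6 (Linux; 5.4.39-linuxkit; PHP 7.4.12; curl 7.69.1)" [qtp398150537-440] host=host.docker.internal:8083
"""

if __name__ == '__main__':
    evs = parse_log(SAMPLE_LOG)
    print('served:     ', served_archives(evs))
    print('quarantined:', quarantined_archives(evs))
```

Run it against a real request.log (`python3 parse_log.py < request.log` after swapping SAMPLE_LOG for stdin) to get a per-archive view of what Composer pulled through the proxy; a 403 on an archive path with a Composer user agent is the signature of a quarantined download, while repeated 200s on packages.json are just Composer refreshing metadata.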

Not Supported
