However, consider what happens when an internal artifact is requested through the virtual repository and the request is unintentionally directed outside the organization, because the virtual repository also aggregates a remote repository in which the artifact is then searched.
This could happen for several reasons. For example:
- There is a simple typo in the requested artifact name.
- The developer has requested a snapshot with a version number that does not exist in the local repository.
- The developer has requested an internal package without specifying a version.
In these cases, since Artifactory does not find the artifact in the local repository, it continues to search for it in the defined remote repositories, potentially exposing the details of the query, including the full artifact name, which may contain sensitive business information.
Furthermore, if an attacker obtains the internal package name, they may deploy a malicious package with the same name to a public repository.
This can be avoided by using Exclude patterns for the remote repositories.
The best practice is to place all the remote repositories under a single virtual repository and to specify an Exclude pattern for internal packages on that virtual repository. In this fashion, no requests for internal packages are ever made to remote repositories.
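To make the resolution order and the effect of an Exclude pattern concrete, here is an added example (not code from the page or from JFrog) that models a virtual repository in Python: a request is served locally if the artifact exists, otherwise it is forwarded to the remote repositories unless it matches an Ant-style Exclude pattern. The local artifacts, the `com/mycompany` group, the `@mycompany` npm scope and the exclude list are constructed assumptions; the pattern matching is a simplified model of Artifactory's, not its actual implementation.

```python
import re
from typing import Set

# Constructed sample data: artifacts held in the internal local repository.
LOCAL_ARTIFACTS: Set[str] = {
    "com/mycompany/billing/1.2.0/billing-1.2.0.jar",
    "com/mycompany/billing/1.3.0-SNAPSHOT/billing-1.3.0-SNAPSHOT.jar",
}

# Constructed Exclude pattern, in the comma-separated Ant-style form used on a
# repository. The group prefix and npm scope are assumptions, not values from the page.
EXCLUDES = "com/mycompany/**, @mycompany/**, **/*-internal/**"

# Ant-style tokens: '**/' = zero or more directories, '**' = anything,
# '*' = any chars within one path segment, '?' = one char within a segment.
_TOKEN_MAP = {"**/": "(?:.*/)?", "**": ".*", "*": "[^/]*", "?": "[^/]"}


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one Ant-style path pattern into a regex anchored on the full path."""
    parts = []
    for tok in re.findall(r"\*\*/|\*\*|\*|\?|[^*?]+", pattern):
        parts.append(_TOKEN_MAP.get(tok) or re.escape(tok))
    return re.compile("^" + "".join(parts) + "$")


def is_excluded(path: str, excludes: str) -> bool:
    """True if the path matches any pattern in the comma-separated exclude list."""
    patterns = [p.strip() for p in excludes.split(",") if p.strip()]
    return any(ant_to_regex(p).match(path) for p in patterns)


def resolve(path: str, local: Set[str] = LOCAL_ARTIFACTS, excludes: str = EXCLUDES) -> str:
    """Model the resolution order: local first, then remote unless the path is excluded."""
    if path in local:
        return "local"
    if is_excluded(path, excludes):
        return "not-found"            # request never leaves the organization
    return "forwarded-to-remote"      # artifact name is now visible to the public registry


if __name__ == "__main__":
    for p in [
        "com/mycompany/billing/1.2.0/billing-1.2.0.jar",                     # exists locally
        "com/mycompany/billing/1.4.0-SNAPSHOT/billing-1.4.0-SNAPSHOT.jar",   # version not present
        "com/mycompany/biling/1.2.0/biling-1.2.0.jar",                       # typo in artifact id
        "com/mycompnay/billing/1.2.0/billing-1.2.0.jar",                     # typo in group: pattern misses
        "@mycompany/auth-client/-/auth-client-2.0.1.tgz",                    # npm scoped package
    ]:
        print(f"{p:70} -> {resolve(p)}")
```

Note that a typo inside the excluded group prefix is still caught, while a typo in the prefix itself slips past the pattern, so keep the pattern as broad as the organization's namespace allows.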