How can I avoid security risks by using Exclude patterns?

How to use Include/Exclude patterns?

Author: Hanan Kemelman
Article number: 000004995
Source type: Salesforce
First published: 2021-02-08T16:03:42Z
Last modified: 2023-06-21
Version: 5
When using a virtual repository that aggregates local and remote repositories, any private artifact that is deployed is stored in a local repository and is available only for authorized internal use.

However, consider what happens if an internal artifact is requested via the virtual repository and the request is unintentionally directed outside the organization, because the artifact is searched for in a remote repository aggregated by the virtual repository.

This could happen for several reasons. For example:
  • There is a simple typo in the requested artifact name.
  • The developer has requested a snapshot with a version number that does not exist in the local repository.
  • The developer has requested an internal package without specifying a version.

In these cases, since Artifactory does not find the artifact in the local repository, it continues to search the defined remote repositories, potentially exposing the details of the query to the upstream server, including the full artifact name, which may contain sensitive business information.

Furthermore, an attacker who learns the internal package name may deploy a malicious package with the same name to a public repository.

This can be avoided by using Exclude patterns for the remote repositories.

The best practice is to place all remote repositories under a dedicated virtual repository and to specify an Exclude pattern for internal packages on that virtual repository. This way, no requests for internal packages are ever made to the remote repositories.
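The following added example (not code from the article or from JFrog) models the resolution order described above: an outer virtual repository that fronts a local repository and a nested virtual that holds the remote repositories. It runs the three failure cases from the list (typo, non-existent snapshot version, version-less request, modelled as a metadata lookup) against both an unprotected setup and one with an Exclude pattern on the remote-facing virtual, and records which request paths would have been forwarded upstream. The repository names, artifact paths and the simplified Ant-style pattern matcher are assumptions made for the example.

```python
"""Model of virtual-repository resolution with an Exclude pattern on the
virtual that fronts the remote repositories. Constructed example: the
repository names, artifact paths and the pattern semantics are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Ant-style path glob into a regex.
    Assumed semantics: '**' spans path segments, '*' matches within one
    segment and '?' matches a single character."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def matches_any(patterns: str, path: str) -> bool:
    """Patterns are comma-separated globs; an empty string excludes nothing."""
    return any(ant_to_regex(p.strip()).match(path)
               for p in patterns.split(",") if p.strip())


@dataclass
class LocalRepo:
    name: str
    artifacts: Set[str]

    def resolve(self, path: str, outbound: List[Tuple[str, str]]) -> bool:
        return path in self.artifacts


@dataclass
class RemoteRepo:
    name: str

    def resolve(self, path: str, outbound: List[Tuple[str, str]]) -> bool:
        # The request is forwarded upstream: the full path leaves the organization.
        outbound.append((self.name, path))
        return False  # modelled as "not found upstream"


@dataclass
class VirtualRepo:
    name: str
    members: list
    excludes_pattern: str = ""

    def resolve(self, path: str, outbound: List[Tuple[str, str]]) -> bool:
        # An excluded path is not searched in any member, so nothing is forwarded.
        if matches_any(self.excludes_pattern, path):
            return False
        # Members are searched in order; the first hit stops the search.
        return any(m.resolve(path, outbound) for m in self.members)


INTERNAL_PREFIX = "com/mycompany/"  # assumed internal namespace
REQUESTS = [
    "com/mycompany/billing/1.2.0/billing-1.2.0.jar",            # exists locally
    "com/mycompany/biling/1.2.0/biling-1.2.0.jar",              # typo in the name
    "com/mycompany/billing/1.3.0-SNAPSHOT/billing-1.3.0-SNAPSHOT.jar",  # missing version
    "com/mycompany/billing/maven-metadata.xml",                 # version-less request
    "org/apache/commons/commons-lang3/3.12.0/commons-lang3-3.12.0.jar",  # public
]


def build_setup(protected: bool) -> VirtualRepo:
    """Outer virtual = local repo + nested virtual holding the remotes."""
    local = LocalRepo("libs-release-local", {REQUESTS[0]})
    remotes = VirtualRepo("remote-repos", [RemoteRepo("maven-central-remote")],
                          excludes_pattern=INTERNAL_PREFIX + "**" if protected else "")
    return VirtualRepo("libs-release", [local, remotes])


def leaked_paths(protected: bool) -> List[str]:
    """Return the request paths that would be sent to a remote repository."""
    outbound: List[Tuple[str, str]] = []
    virtual = build_setup(protected)
    for path in REQUESTS:
        virtual.resolve(path, outbound)
    return [p for _, p in outbound]


if __name__ == "__main__":
    print("without Exclude pattern:", leaked_paths(False))
    print("with Exclude pattern:   ", leaked_paths(True))
```

In the unprotected setup every internal request that misses the local repository (the typo, the missing snapshot and the metadata lookup) is forwarded to the remote, while the protected setup forwards only the public artifact. The same glob (here `com/mycompany/**`) is what goes into the Exclude Patterns field of the remote-facing virtual repository in Artifactory; keep the pattern at the namespace level rather than per artifact so that misspelled or non-existent internal names still fall inside it.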