How to use Include/Exclude patterns?

Hanan Kemelman
2021-02-08 16:03

Subject:

How to use Include/Exclude patterns?

 

Introduction:

Artifactory can limit the resolution or deployment of artifacs by using the exclude/include pattern. This is a useful feature that could help to avoid possible security risks.

 

What are Include/Exclude patterns?

 

As the name suggests, Include/Exclude patterns are a set of  Ant-like patterns in the form of “x/y/**/z/*” that can be configured on a repository level to limit the deployment, resolution, and searches of artifacts. 

Include patterns are a list of patterns to include when processing artifact requests. Only artifacts matching one of the “include patterns” configured are served. (by default include all “**/*”)

Exclude patterns are a list of patterns to exclude when evaluating artifact requests according to the “exclude patterns” configured. (by default exclude none)

 

How can I avoid security risks by using Exclude patterns?

 

When using a Virtual repository that aggregates local and remote repositories, any private artifact that is deployed, is stored within a local repository and available only for authorized internal use.

However, consider what happens if an internal artifact is being requested via the virtual repository and unintentionally the request is directed outside the organization. (As it being searched via the configured remote repository aggregated by the virtual)

This could happen for several reasons. For example:

  • There is a simple typo in the requested artifact name

  • The developer has requested a snapshot with a version number that does not exist in the local repository.

  • The developer requested an internal package without specifying a version

 

In these cases, as Artifactory will not find the artifact inside the local repository, it will continue to search for it in the defined remote repositories, potentially exposing the details of the query, including the full artifact name, which may include sensitive business information.

Furthermore, if an attacker obtained the internal package name, he may deploy a malicious package with the same name to a public repository.

 

This can be avoided by using Exclude patterns for the remote repositories.

The best practice would be to have all the remote repositories under a virtual repository and to specify an Exclude pattern for internal packages to that virtual repository. In this fashion, no requests for internal packages will be made to remote repositories.

Examples:

The Include/Exclude patterns are set in the repository’s Basic Configuration.

Below you will find an example for two popular packages, NPM, and Maven. With that in mind, the process is similar for other packages and mostly relies on the package layout.

 

NPM:

“.npm/@my/**” Blocking the scope @my from remote resolution.

 

“.npm/my-*/**” Blocking packages with a my prefix from remote resolution.

 

“.npm/secret/**” Blocking the package secret from remote resolution.

 

Maven:

 

“com/acme/exp-project/**” Blocking remote resolution of artifacts under com/acme/exp-project/