Preventing Namespace Confusion

NEW IN IQ Server 106 and Nexus Repository 3.30

The features discussed in this section require Nexus Repository Pro and IQ Server with the following licenses: Repository and Firewall.


What are Namespace Confusion Attacks?

A Namespace Confusion attack is a type of software supply chain attack that tricks a package manager into downloading a malicious component instead of a proprietary one. To do this, bad actors upload a component with the same name as a proprietary component to an ecosystem with no namespace. 

When you install dependencies your package manager will download the malicious component from the public repository instead of using the internal one. Attackers often use high version numbers with their packages to prey on applications set to automatically download the most recent version of a dependency. 

Preventing Namespace Confusion

Enabling Namespace Confusion Protection for repositories storing public open source components will block every Firewall protected repository connected to your IQ Server from downloading any public version of those components. This includes patched and rebuilt versions of public components and separate installations of Nexus Repository.

If you are unsure if your repository contains public open source components, do not enable this feature.

Nexus Firewall can prevent Namespace Confusion attacks. Firewall stops these attacks by allowing you to identify repositories as storage for proprietary or internal components.  Firewall will block any component with the same name as proprietary component. 

Component Namespaces (the component name or Group ID) in proprietary repositories are added to a
global list in IQ Server. All public instances of a component with a name or Group ID will be blocked. This includes patched and rebuilt versions of components along with separate installations of Nexus Repository connected to your IQ Server. Repositories connected to a separate instance of IQ Server will not be effected. 

Before enabling this feature move all public open source components into a separate repository, including patched and rebuilt components. This will prevent the proprietary repository from disrupting your development workflow. Administrators may use Content Selectors to ensure that users may only upload components with predefined namespaces. 

Determining Namespaces:

  • Maven - Namespaces for Maven components are determined by the component's Group ID
  • Other Ecosystems - Namespace is determined by the component's name.

To protect a repository from dependency/namespace confusion:

  1. Navigate to Nexus Repository and Sign In.
  2. Click the in the navigation bar This takes you to the administration menu.
  3. Select Repositories from the sidebar.
  4. Select the hosted repository with your proprietary components.

  5. Click the checkbox under Proprietary Components

  6. Click Save

Components quarantined to prevent namespace confusion can be viewed and released like any other quarantined component. See Managing the Quarantine for more information. 

Removing Components from the Namespace Confusion List

Components can be removed from the namespace confusion list. Removing a component from this list will allow you to download public versions of the removed component. This is useful if you uploaded a 3rd party component to a protected repository. 

To remove a component from the Namespace Confusion List:

  1. Disable proprietary components for the repository. This prevents the component from being re-added to the list. 
  2. Obtain the node-id of the Nexus Repository instance. To find the node-id:
    1. Navigate to the Nexus Repository UI and log in. 
    2. Select the Administration tab.
    3. Select System Information on the sidebar under Support
    4. Record the node-Id
      Node-id location in NXRM
  3. Obtain your repository Id, e.g npm-hosted.
  4. Delete the component using the DELETE REST API route. 
    1. Send the request at /repositories/{repositoryManageNodeId}/{repositoryId}/proprietary/names. Successful requests return the HTTP 204 response. 

      curl -u username:password -v -X DELETE http://localhost:8070/rest/integration/repositories/3EFF78A1-5F819609-7BC13C89-B90B90DF-DEF32AD1/maven-releases/proprietary/names

  5. Re-enable proprietary repository protection.