Preventing Namespace Confusion

Prerequisites

Repository Firewall license
One or more instances of the following repository managers connected to IQ Server version 106 or greater:
- Nexus Repository 3.30 or greater
- JFrog Artifactory version 2.4.4 or greater
  - Repository Firewall for JFrog Artifactory plugin
Quarantine enabled
Security-Namespace Conflict policy
- Created automatically when installing Repository Firewall

What are Namespace Confusion attacks?

A Namespace Confusion attack is a type of software supply chain attack that tricks a package manager into downloading a malicious component instead of a proprietary one. To do this, bad actors upload a component with the same name as a proprietary component to an ecosystem with no namespace.

When you install dependencies your package manager will download the malicious component from the public repository instead of using the internal one. Attackers often use high version numbers with their packages to prey on applications set to automatically download the most recent version of a dependency.

Preventing Namespace Confusion

Enabling Namespace Confusion Protection for repositories storing public open source components will block every Repository Firewall protected repository connected to IQ Server from downloading any public version of those components. This includes patched and rebuilt versions of public components and separate installations of Nexus Repository 3. If you are unsure if your repository contains public open source components, do not enable this feature.

Repository Firewall can prevent Namespace Confusion attacks. Repository Firewall stops these attacks by allowing you to identify repositories as storage for proprietary or internal components. Repository Firewall will block any component with the same name as proprietary component.

Component Namespaces (the component name or Group ID) in proprietary repositories are added to a global list in IQ Server. All public instances of a component with a name or Group ID will be blocked. This includes patched and rebuilt versions of components along with separate installations of Nexus Repository 3 connected to IQ Server. Repositories connected to a separate instance of IQ Server will not be effected.

Before enabling this feature move all public open source components into a separate repository, including patched and rebuilt components. This will prevent the proprietary repository from disrupting your development workflow. Administrators may use Content Selectors to ensure that users may only upload components with predefined namespaces.

Determining Namespaces depending on the repository format:

Default behaviour
1. The namespace (such as a Maven Group ID or npm Scope) is used.
2. If no namespace is available from step 1, then the name of the component (such as Artifact ID for Maven or Name for npm) is used.
apt, conda, r, conan - Namespace is determined by the component's name.

To protect a repository from dependency/namespace confusion in Nexus Repository 3:

Navigate to Nexus Repository 3 and sign in.
Click the in the navigation bar. This takes you to the administration menu.
Select Repositories from the sidebar.
Select the hosted repository with your proprietary components.
Click the checkbox under Proprietary Components
Click Save

Components quarantined to prevent namespace confusion can be viewed and released like any other quarantined component. See Managing the Quarantine for more information.

To protect a repository from dependency/namespace confusion in jFrog Artifactory:

Configure the local repository in the firewall.properties file as 'proprietary'. See JFrog Artifactory setup for more information.

Removing Components from the Namespace Confusion List

Components can be removed from the namespace confusion list. Removing a component from this list will allow you to download public versions of the removed component. This is useful if you uploaded a 3rd party component to a protected repository.

To remove a component from the Namespace Confusion List:

Disable proprietary components for the repository. This prevents the component from being re-added to the list.
Obtain the node-id of the repository instance. On a jFrog Artifactory instance the node-id can be found in the `firewall.repository.manager.id` property in the firewall.properties file. To find the node-id of a Nexus Repository 3 instance:
1. Navigate to the Nexus Repository 3 UI and log in.
2. Select the Administration tab.
3. Select System Information on the sidebar under Support
4. Record the node-Id
Obtain your repository Id, e.g npm-hosted.
Delete the component using the DELETE REST API route.
1. Send the request at /repositories/{repositoryManageNodeId}/{repositoryId}/proprietary/names. Successful requests return the HTTP 204 response.
  Example:
```
curl -u username:password -v -X DELETE http://localhost:8070/rest/integration/repositories/3EFF78A1-5F819609-7BC13C89-B90B90DF-DEF32AD1/maven-releases/proprietary/names
```
Re-enable proprietary repository protection.

Configuring Namespace Confusion Protection in IQ Server

You can configure the namespace confusion protection for individual component namespaces in IQ Server.

To configure, follow the instructions below.

Log into IQ Server with a user that has the Edit IQ Elements permission.
Click on the Orgs and Policies in the leftmost navigation bar and click Repositories.
Scroll down the Repositories page to view the Namespace Confusion Protection section.
1. see the Namespace Confusion Protection section in Repository Management
Namespace confusion protection configuration can be enabled or disabled using the toggle under the Enabled column.
1. If a component namespace is disabled, then it will not be used for Namespace Confusion Protection.