by jermo 2603 days ago
Seems like the Maven registry is susceptible to artifact hijacking.

Say I want to install artifacts from two GitHub users. I would have to add these two Maven repositories:

- https://maven.pkg.github.com/USER1
- https://maven.pkg.github.com/USER2

In that case USER1 can publish an artifact with the same groupId/artifactId as USER2 and my Maven will happily install it without suspecting anything.

Another case - someone deletes their GH account and another user takes it: https://blog.sonatype.com/hijacking-of-a-known-github-id-go-...

Docs: https://help.github.com/en/articles/configuring-maven-for-us...

1 comment

I'm not familiar with Maven, is there an equivalent of npm's scope feature?

As for account hijacking... I guess GH needs to track account deletions and append incrementing suffixes to usernames under the repository.

There is in Gradle 5.1+ but not in Maven, afaik. They are using Maven in their examples, however.