I am currently investigating an internal security incident, where initially it was believed someone tried to attack a user by tampering with custom artifact content. What I need to understand is how nexus behaves when the answer to a download request from a proxied repo is not the content expected or a HTTP 404, but a webpage containing error responses or redirects.
That was recognized, as a user scanned contents of .module files (Gradle Module Metadata - which is gradles own variant of a maven pom and contains JSON content) and found that its content was an html page with a redirect. That redirect goes to a qt-jambi.org, formerly the site for an open source project, now we suspect a compromised site.
Following setup, we proxy for legacy reasons http://maven.openimaj.org/. On that server runs a nexus 3 instance (unfortunately it seems to not be protected in any way). The web-page content in the artifact contains a redirect to qt-jambi, thus we believe at one point in time qt-jambi hosted a nexus repo themselves that is still proxied by openimaj.
My question is, how does the nexus 3 instance on openimaj behave, when it tries to download an artifact from the qt-jambi site and instead of getting an HTTP 404, it receives a webpage that contains a redirect or another form of html page containing error information.
Does nexus 3 record that as a failed attempt, or happily store that web page content in the file contents of that artifact and thus serves that back to us?
What I saw when browsing the contents of openimaj, is that there were web page contents in an artifacts plus its checksum files (so, in. a .jar file, the .module file, and .sh1, .sh256 and .md5).
If nexus 3 does not behave that way, I would assume someone maliciously placed those crafted files there, because openimaj has no protection whatsoever and I would have to treat this much more seriously. In the other case, I can assume that’s just not very favourable behaviour from nexus 3, but no malicious intent.
Thanks for any help with this in advance.