Confirm AAW Jfrog - Authentication\Data Exfiltration #1958

esneek · 2024-06-07T12:51:57Z

The VRS project would like to open the flow to AAW Jfrog for package management. Before that, we would like to confirm the following:

users cannot upload packages
anyone can access it (not authenticated)
the process to upload packages - who does it?
If we open the flow to AAW Jfrog, there is not risk that users can upload files then access from the Internet.

Souheil-Yazji · 2024-09-10T12:34:36Z

users cannot upload packages
anyone can access it (not authenticated)
the process to upload packages - who does it? Answer: we have a group with push permissions, and we also have an admin group for Jose & Myself. Both have the ability to push packages to a private test repo, no other repos allow push.
If we open the flow to AAW Jfrog, there is not risk that users can upload files then access from the Internet. Answer users won't be able to push packages without 1. Authenticating 2. Having a repo created for them 3. being granted the permissions to push to that repo.

Let me know if you have any other questions.

esneek added kind/bug Something isn't working triage/support labels Jun 7, 2024

Souheil-Yazji closed this as completed Sep 10, 2024

Provide feedback