dart-lang / pub-dev

The pub.dev website
https://pub.dev
BSD 3-Clause "New" or "Revised" License

Resolution of security advisories is breaking artifactory proxying. #7796

Closed jonl-percsolutions-com closed 3 months ago

jonl-percsolutions-com commented 3 months ago

We are utilizing artifactory to proxy pub.dev internally. After upgrading our flutter sdks recently, we have begun receiving failures in resolution because dart pub attempts to pull an endpoint at <packagename>/advisories. When artifactory pulls this, it expects <packagename> to be a folder, but <packagename> is not a folder.

I can't tell, however, if the problem lies in artifactory or the addition of advisory resolution in pub get. Should dart be using the PUB_HOSTED_URL for pulling advisories at all?

This can be overridden temporarily by setting PUB_HOSTED_URL=pub.dev, but this goes against our compliance requirements.

Resolution example logs:

08:56:06  IO  : HTTP GET https://<artifactory>/artifactory/pub-dart/api/packages/http
08:56:06      | Accept: application/vnd.pub.v2+json
08:56:06      | authorization: <censored>
08:56:06      | user-agent: Dart pub 3.4.3
"archive_url":"https://pub.dev/api/archives/http-1.2.1.tar.gz","archive_sha256":"761a297c042deedc1ffbb156d6e2af13886bb305c2a343a4d972504cd67dd938","published":"2024-02-15T23:25:27.572746Z"}],"advisoriesUpdated":"2024-04-28T09:27:57.869544Z","_fetchedAt":"2024-06-08T12:56:00.576058"
08:56:07  IO  : HTTP GET https://<artifactory>/artifactory/pub-dart/api/packages/http/advisories
08:56:07      | Accept: application/vnd.pub.v2+json
08:56:07      | authorization: <censored>
08:56:07      | user-agent: Dart pub 3.4.3
08:56:07  IO  : HTTP response 400  for GET https://<artifactory>/artifactory/pub-dart/api/packages/http/advisories
08:56:07      | took 0:00:00.244149
08:56:07      | x-artifactory-id: f54ca12de86c97af:5962d792:18ff6513b4c:-8000
08:56:07      | connection: keep-alive
08:56:07      | date: Sat, 08 Jun 2024 12:56:03 GMT
08:56:07      | transfer-encoding: chunked
08:56:07      | x-jfrog-version: Artifactory/7.84.14 78414900
08:56:07      | content-type: application/json;charset=ISO-8859-1
08:56:07      | x-content-type-options: nosniff
08:56:07      | x-artifactory-node-id: <artifactory>

Response from artifactory when attempting to retrieve http/advisories

{
    "errors": [
        {
            "status": 400,
            "message": "Rejected artifact download request: Parent api/packages/http must be a folder"
        }
    ]
}

lrhn commented 3 months ago

Does sound like an Artifactory issue. The error message is reported by Artifactory, so it may be a configuration issue.

Could it be an error caused by the original HTTP request responding with a "not-found" error (which is fine for Pub; it takes it as there being no advisories), but the proxy can't handle a failing request well?

sigurdm commented 3 months ago

Seems to me to be a duplicate or at least related to https://github.com/dart-lang/pub/issues/4269

The proxy needs to also proxy http/advisories to be fully compliant. See https://github.com/dart-lang/pub/blob/master/doc/repository-spec-v2.md#list-security-advisories-for-a-package

The crash should be fixed in dart 3.5 where this will show up as a warning instead of a crash.

cc @szakarias

sigurdm commented 3 months ago

We should probably consider making a cherry pick of the fix into 3.4.

jonl-percsolutions-com commented 3 months ago

> We should probably consider making a cherry pick of the fix into 3.4.

Would it also be possible to add a global flag to ignore advisories in some scenarios, like CI/CD? Because I think there is a second issue that will need to be resolved by artifactory in the handling and proxying of these endpoints.

I have seen behavior where IF <package>/advisories is pulled by artifactory BEFORE <package>, then it creates an http folder containing the advisories.

I believe this scenario can happen when local cache resolution occurs for a package and it attempts to retrieve the advisories and artifactory cache for a package is cleared.

So there is definitely an issue to open with artifactory.

I was looking, but I don't see any specific documentation on how the advisories are supposed to work from an API perspective. I would like to open an issue with artifactory, but would like to have some understanding of that before doing so.

jonasfj commented 3 months ago

Documentation is here: https://github.com/dart-lang/pub/blob/master/doc/repository-spec-v2.md

In short there is:

When (B) is present (A) is required.

Context:

I dropped a line to some jfrog people, though I'm not sure my contacts are still active -- it's been a while :rofl:


For the record, this is a dart pub client issue: https://github.com/dart-lang/pub
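The two comments above (sigurdm's point that a mirror must also proxy the per-package advisories endpoint, and jonasfj's pointer to the repository spec) suggest a quick way to verify a proxy before `dart pub get` runs against it. The script below is an added example, not code from pub or from this thread: it probes `/api/packages/<package>` and `/api/packages/<package>/advisories` on a hosted URL with the `application/vnd.pub.v2+json` Accept header and classifies what comes back, including the Artifactory "must be a folder" error quoted in the issue. The host `artifactory.example`, the `check_mirror` function and the stub responses are assumptions constructed for the example; the response shapes follow the JSON visible in the thread.

```python
# Added example (not pub's own code): probe a pub.dev mirror for the package
# listing and the advisories listing that the repository spec v2 ties together,
# and classify the proxy's behaviour for each.
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict

ACCEPT = "application/vnd.pub.v2+json"  # Accept header the pub client sends


@dataclass
class Response:
    status: int
    body: str


Fetch = Callable[[str], Response]


def urllib_fetch(url: str) -> Response:
    """Real fetcher: GET with the pub v2 Accept header; non-2xx is returned, not raised."""
    req = urllib.request.Request(url, headers={"Accept": ACCEPT})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return Response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return Response(err.code, err.read().decode("utf-8", "replace"))


def _json_or_none(body: str):
    try:
        return json.loads(body)
    except ValueError:
        return None


def classify_listing(resp: Response) -> str:
    """The package listing must be 200 with a 'versions' array (see the log in the issue)."""
    doc = _json_or_none(resp.body)
    if resp.status == 200 and isinstance(doc, dict) and isinstance(doc.get("versions"), list):
        return "ok"
    return f"broken (HTTP {resp.status})"


def classify_advisories(resp: Response) -> str:
    """Advisories must be 200 with an 'advisories' array; anything else is a mirror gap."""
    doc = _json_or_none(resp.body)
    if resp.status == 200 and isinstance(doc, dict) and isinstance(doc.get("advisories"), list):
        return f"ok ({len(doc['advisories'])} advisories)"
    if resp.status == 404:
        return "missing (HTTP 404): the client cannot see advisories through this mirror"
    # Artifactory error shape quoted in the thread: {"errors": [{"status": ..., "message": ...}]}
    if isinstance(doc, dict) and isinstance(doc.get("errors"), list):
        msgs = "; ".join(str(e.get("message", "")) for e in doc["errors"] if isinstance(e, dict))
        if "must be a folder" in msgs:
            return f"proxy misconfigured (HTTP {resp.status}): {msgs}"
        return f"proxy error (HTTP {resp.status}): {msgs}"
    return f"unexpected (HTTP {resp.status})"


def check_mirror(hosted_url: str, package: str, fetch: Fetch = urllib_fetch) -> Dict[str, str]:
    """Probe both endpoints for one package on the given PUB_HOSTED_URL."""
    base = hosted_url.rstrip("/")
    return {
        "listing": classify_listing(fetch(f"{base}/api/packages/{package}")),
        "advisories": classify_advisories(fetch(f"{base}/api/packages/{package}/advisories")),
    }


# Constructed stub (placeholder host) reproducing the responses quoted in the issue.
STUB_BASE = "https://artifactory.example/artifactory/pub-dart"
STUB_RESPONSES = {
    f"{STUB_BASE}/api/packages/http": Response(200, json.dumps({
        "name": "http",
        "versions": [{"version": "1.2.1"}],
        "advisoriesUpdated": "2024-04-28T09:27:57.869544Z",
    })),
    f"{STUB_BASE}/api/packages/http/advisories": Response(400, json.dumps({
        "errors": [{"status": 400,
                    "message": "Rejected artifact download request: Parent api/packages/http must be a folder"}]
    })),
}


def stub_fetch(url: str) -> Response:
    return STUB_RESPONSES.get(url, Response(404, ""))


if __name__ == "__main__":
    for name, verdict in check_mirror(STUB_BASE, "http", stub_fetch).items():
        print(f"{name}: {verdict}")
```

Run it with `check_mirror("https://<your-proxy>/...", "http")` (the default `urllib_fetch`) to test a real mirror; the stub shows the listing passing while the advisories endpoint is reported as a proxy misconfiguration, which is the state the issue describes.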

sigurdm commented 3 months ago

This is fixed in dart 3.4.4

igor-gumush commented 3 months ago

FYI, seems like you are using the wrong URL in RT. Should be: "https:///artifactory/api/pub/pub-dart/http"