Maven 3.8.1 and later: "Blocked mirror for repositories"

In newer Maven versions, if a mirror with an http:// address is configured like this:

<mirror>
  <id>maven</id>
  <mirrorOf>maven</mirrorOf>
  <name>maven</name>
  <url>http://repo2.maven.org/maven2</url>
</mirror>

then Maven throws a "Blocked mirror" error. The reason is explained in the 3.8.1 release notes: https://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291

CVE-2021-26291
We received a report from Jonathan Leitschuh about a vulnerability of custom repositories in dependency POMs. We've split this up into three separate issues:

Possible Man-In-The-Middle-Attack due to custom repositories using HTTP
More and more repositories use HTTPS nowadays, but this hasn't always been the case. This means that Maven Central contains POMs with custom repositories that refer to a URL over HTTP. This makes downloads via such repository a target for a MITM attack. At the same time, developers are probably not aware that for some downloads an insecure URL is being used. Because uploaded POMs to Maven Central are immutable, a change for Maven was required. To solve this, we extended the mirror configuration with <blocked> parameter, and we added a new external:http:* mirror selector (like existing external:*), meaning any external URL using HTTP.
The decision was made to block such external HTTP repositories by default: this is done by providing a mirror in the conf/settings.xml blocking insecure HTTP external URLs.

Possible Domain Hijacking due to custom repositories using abandoned domains
Sonatype has analyzed which domains were abandoned and has claimed these domains.

Possible hijacking of downloads by redirecting to custom repositories
This one was the hardest to analyze and explain. The short story is: you're safe, dependencies are only downloaded from repositories within their context. So there are two main questions: what is the context and what is the order? The order is described on the Repository Order page. The first group of repositories are defined in the settings.xml (both user and global). The second group of repositories are based on inheritance, with ultimately the super POM containing the URL to Maven Central. The third group is the most complex one but is important to understand the term context: repositories from the effective POMs from the dependency path to the artifact. So if a dependency was defined by another dependency or by a Maven project, it will also include their repositories. In the end this is not a bug, but a design feature.

There is a workaround, however: configure a mirror rule that maps the affected domain to its actual IP address.

Workaround

Using the configuration below as a reference, first ping the HTTP domain to obtain its actual IP, then update the mirrorOf and url fields accordingly. Note that this only lifts the block; downloads through that mirror still travel over plain HTTP, so the MITM exposure described in the release notes remains. The best and simplest fix is still to switch the repository to HTTPS.

<mirror>
  <id>maven-default-http-blocker</id>
  <mirrorOf>external:http://repo2.maven.org/maven2*</mirrorOf>
  <name>Pseudo repository to mirror external repositories initially using HTTP.</name>
  <url>http://163.114.130.31</url>
  <blocked>false</blocked>
</mirror>
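As an added check (not part of the original post), the script below audits a settings.xml for mirrors that still point at plain http:// URLs without <blocked>true</blocked>, and reports whether the external:http:* blocker that Maven 3.8.1 ships in conf/settings.xml is still in effect. The sample settings.xml is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed sample settings.xml (not from the page): one plain-HTTP mirror
# plus the stock external:http:* blocker from Maven 3.8.1's conf/settings.xml.
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror>
      <id>maven</id>
      <mirrorOf>maven</mirrorOf>
      <url>http://repo2.maven.org/maven2</url>
    </mirror>
    <mirror>
      <id>maven-default-http-blocker</id>
      <mirrorOf>external:http:*</mirrorOf>
      <url>http://0.0.0.0/</url>
      <blocked>true</blocked>
    </mirror>
  </mirrors>
</settings>
"""

def _local(tag):
    """Strip the XML namespace so lookups work with or without the Maven xmlns."""
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    """Text of the first direct child named `name`, or '' if absent."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def audit_mirrors(settings_xml):
    """Return (ids of unblocked plain-http mirrors, whether an external:http:*
    blocker is present). A non-empty first list means artifacts can still be
    fetched over HTTP, i.e. the CVE-2021-26291 MITM exposure is back."""
    root = ET.fromstring(settings_xml)
    insecure, blocker_present = [], False
    for elem in root.iter():
        if _local(elem.tag) != "mirror":
            continue
        url = _child_text(elem, "url").lower()
        blocked = _child_text(elem, "blocked").lower() == "true"
        if _child_text(elem, "mirrorOf") == "external:http:*" and blocked:
            blocker_present = True          # default blocker still active
        elif url.startswith("http://") and not blocked:
            insecure.append(_child_text(elem, "id"))
    return insecure, blocker_present
```

Run it against ~/.m2/settings.xml and the global conf/settings.xml: a mirror such as the workaround above (url http://…, blocked false) shows up in the first list.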