Confirm AAW Jfrog - Authentication\Data Exfiltration
esneek opened this issue · 1 comments
esneek commented
The VRS project would like to open the flow to AAW Jfrog for package management. Before that, we would like to confirm the following:
- users cannot upload packages
- anyone can access it (not authenticated)
- the process to upload packages - who does it?
- If we open the flow to AAW Jfrog, there is no risk that users can upload files then access from the Internet.
Souheil-Yazji commented
- users cannot upload packages
- anyone can access it (not authenticated)
- the process to upload packages - who does it? Answer: we have a group with push permissions, and we also have an admin group for Jose & myself. Both have the ability to push packages to a private test repo, no other repos allow push.
- If we open the flow to AAW Jfrog, there is no risk that users can upload files then access from the Internet. Answer: users won't be able to push packages without 1. authenticating, 2. having a repo created for them, 3. being granted the permissions to push to that repo.
Let me know if you have any other questions.
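
One way to check the access model described in this thread (anonymous read only, push limited to named groups on a single test repo) is to audit the exported permission targets. This is an added example, not code from the thread or the AAW project; it assumes the targets are available as JSON in Artifactory's v2 permission-target shape, and every repo, group and target name below is constructed.

```python
"""Audit exported Artifactory permission targets (v2 JSON shape) for push rights."""

# Actions that let a principal change repository content or its permissions.
MUTATING = {"write", "annotate", "delete", "manage"}


def audit(targets, push_repos, push_principals):
    """Return findings as (target, repo, principal, actions) tuples.

    A finding is any mutating grant on a repo outside push_repos, or held by a
    principal outside push_principals; anonymous may never hold one.
    """
    findings = []
    for target in targets:
        repo = target.get("repo", {})
        actions = repo.get("actions", {})
        for kind in ("users", "groups"):
            for name, granted in actions.get(kind, {}).items():
                risky = sorted(MUTATING & set(granted))
                if not risky:
                    continue  # read-only grant, nothing to report
                principal = f"{kind[:-1]}:{name}"  # "user:bob" / "group:devs"
                for repo_name in repo.get("repositories", []):
                    allowed = (repo_name in push_repos
                               and principal in push_principals
                               and name != "anonymous")
                    if not allowed:
                        findings.append(
                            (target["name"], repo_name, principal, risky))
    return findings


# Constructed sample export: names are placeholders, not the real AAW config.
PUSH_REPOS = {"private-test"}
PUSH_PRINCIPALS = {"group:pushers", "group:admins"}
SAMPLE = [
    {"name": "anon-read",
     "repo": {"repositories": ["pypi-remote", "npm-remote"],
              "actions": {"users": {"anonymous": ["read"]}}}},
    {"name": "test-push",
     "repo": {"repositories": ["private-test"],
              "actions": {"groups": {"pushers": ["read", "write"],
                                     "admins": ["read", "write", "delete", "manage"]}}}},
    {"name": "stale-grant",  # misconfiguration the audit should catch
     "repo": {"repositories": ["pypi-local"],
              "actions": {"users": {"anonymous": ["read", "write"]}}}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, PUSH_REPOS, PUSH_PRINCIPALS):
        print("unexpected push right:", finding)
```

An empty result means the export matches the model stated in the answer; any tuple returned is a grant to review before the flow is opened.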