GCP - Artifact Registry Persistence

Reading time: 3 minutes

Artifact Registry

For more information about Artifact Registry check:

GCP - Artifact Registry Enum

Dependency Confusion

• What happens if a remote and a standard repositories are mixed in a virtual one and a package exists in both?
  • The one with the highest priority set in the virtual repository is used
  • If the priority is the same:
    • If the version is the same, the policy name alphabetically first in the virtual repository is used
    • If not, the highest version is used

This technique can be useful for persistence and unauthenticated access as to abuse it it just require to know a library name stored in Artifact Registry and create that same library in the public repository (PyPi for python for example) with a higher version.

For persistence these are the steps you need to follow:

• Requirements: A virtual repository must exist and be used, an internal package with a name that doesn't exist in the public repository must be used.
• Create a remote repository if it doesn't exist
• Add the remote repository to the virtual repository
• Edit the policies of the virtual registry to give a higher priority (or same) to the remote repository.
  Run something like:
  • gcloud artifacts repositories update --upstream-policy-file ...
• Download the legit package, add your malicious code and register it in the public repository with the same version. Every time a developer installs it, he will install yours!

For more information about dependency confusion check:

Dependency Confusion - HackTricks