Repo for NuGet Client issues

Warn package consumers when a package might automatically run code #12505

Open JonDouglas opened 1 year ago

JonDouglas commented 1 year ago

NuGet Product(s) Involved

Visual Studio Package Management UI

The Elevator Pitch

When a user is installing a package that may contain a concept of running arbitrary code on an event such as install, build, init, etc, they should be warned with a small security banner or affordance regarding the experience and when it will occur.

A banner might look like the following:

Automatic Scripts: init.ps1 scripts are run when the package is installed or when you open the PowerShell console.

Where the variable can be init.ps1, install.ps1, uninstall.ps1, MSBuild targets/task, etc., and the respective behavior of when it happens (install, build, PowerShell init, etc.).

This could be a helpful affordance for a user of unexpected behavior or potentially report a security issue to the NuGet team without having to install or inspect the package.

Additional Context and Details

No response
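The banner proposed above depends on knowing which files in a package NuGet will run and on which event. The following Python script is an added example, not NuGet client code and not part of this issue: it opens a .nupkg (which is a zip archive) and reports the PowerShell scripts under tools/ and the MSBuild .targets/.props files under the build folders, together with the event that triggers each, in the shape the banner would need. The folder names and the event descriptions are assumptions based on NuGet packaging conventions; the sample package it builds is constructed inline for the demonstration.

```python
"""Find content in a .nupkg that NuGet may run automatically.

Added example (not NuGet's own code). A .nupkg is a zip archive, so the
package can be inspected without installing it, which is the point of the
proposed banner: tell the user up front what will run and when.
"""
import io
import zipfile
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import List

# PowerShell scripts NuGet looks for under tools/ and the event each fires on.
# Assumption: NuGet conventions (the issue names init/install/uninstall).
SCRIPT_EVENTS = {
    "init.ps1": "package install, or opening the Package Manager Console",
    "install.ps1": "package install (packages.config projects)",
    "uninstall.ps1": "package uninstall (packages.config projects)",
}
# MSBuild folders whose .targets/.props are imported into consuming projects.
# Assumption: NuGet conventions; buildTransitive also flows to dependents.
MSBUILD_FOLDERS = {
    "build": "project build (imported into projects referencing the package)",
    "buildtransitive": "project build (imported transitively into dependents too)",
    "buildmultitargeting": "project build (outer build of multi-targeting projects)",
    "buildcrosstargeting": "project build (outer build of multi-targeting projects)",
}
MSBUILD_SUFFIXES = {".targets", ".props"}


@dataclass(frozen=True)
class Finding:
    path: str   # entry path inside the archive
    kind: str   # "PowerShell script" or "MSBuild .targets"/".props"
    event: str  # when NuGet/MSBuild runs it


def find_automatic_scripts(nupkg_bytes: bytes) -> List[Finding]:
    """Return every entry that NuGet or MSBuild would execute, sorted by path."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):          # directory entry, not a file
                continue
            p = PurePosixPath(name)
            if len(p.parts) < 2:            # files at the root (nuspec etc.)
                continue
            top = p.parts[0].lower()
            leaf = p.name.lower()
            if top == "tools" and leaf in SCRIPT_EVENTS:
                findings.append(Finding(name, "PowerShell script", SCRIPT_EVENTS[leaf]))
            elif top in MSBUILD_FOLDERS and p.suffix.lower() in MSBUILD_SUFFIXES:
                kind = "MSBuild " + p.suffix.lower()
                findings.append(Finding(name, kind, MSBUILD_FOLDERS[top]))
    return sorted(findings, key=lambda f: f.path)


def banner_lines(findings: List[Finding]) -> List[str]:
    """Render findings as the one-line warnings a banner could show."""
    return [f"Automatic Scripts: {f.path} ({f.kind}) runs on {f.event}." for f in findings]


def build_sample_nupkg(with_scripts: bool = True) -> bytes:
    """Constructed sample package for the demo (not a real published package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Sample.nuspec", "<package />")
        zf.writestr("lib/net6.0/Sample.dll", b"")
        if with_scripts:
            zf.writestr("tools/init.ps1",
                        "param($installPath, $toolsPath, $package, $project)\n")
            zf.writestr("build/net6.0/Sample.targets", "<Project />")
            zf.writestr("buildTransitive/Sample.props", "<Project />")
    return buf.getvalue()


if __name__ == "__main__":
    for line in banner_lines(find_automatic_scripts(build_sample_nupkg())):
        print(line)
```

Running the script prints one banner line per finding for the constructed package; a package with only lib/ content yields no findings. Matching is case-insensitive because archive entry names are not normalised, and only the well-known folders are checked, so a script placed elsewhere is deliberately not flagged: NuGet would not run it from there either.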

ThioJoe commented 1 year ago

Yes I agree, it's a major security issue: https://www.bleepingcomputer.com/news/security/hackers-target-net-developers-with-malicious-nuget-packages/