Inedo Community Forums Forums
    • Recent
    • Tags
    • Popular
    • Login

    Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.

    If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!

    SECURITY VULNERABILITY: nuget cli requires anonymous access to feed

    Scheduled Pinned Locked Moved Support
    7 Posts 2 Posters 8 Views 1 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M Offline
      marcus_1459
      last edited by

      This has been mentioned in a number of forum posts but I do not believe the ramifications of the workaround have been fully understood.
      https://forums.inedo.com/topic/622
      https://forums.inedo.com/topic/345/proget-nuget-push-always-asks-for-credentials
      https://forums.inedo.com/topic/526/push-nupkg-to-proget-failing-with-authentication-error
      And as I have just discovered you get the same if you try to download from proget using nuget cli, in that you get prompted for credentials even though they have been previously supplied.

      The workaround is to provide anonymous access to the feed.

      For downloading it is possible to limit the access to just view the feed but even this is a huge security hole giving access to package information however if users are not aware to restrict they could potentially leave an open path for non approved download and potential data breach.

      From enabling statics on package feeds it looks like once authenticated it's then allowing the download via nuget using anonymous access, whether this is a design of nuget or of proget I don't know. But either way this anonymous loophole needs fixing giving the ability to download nuget packages via the command line using authenticated accounts only.

      1 Reply Last reply Reply Quote 0
      • atrippA Offline
        atripp inedo-engineer
        last edited by

        Hi; I'm not really sure what the issue is?

        NuGet will prompt for credentials if it's not an anonymous feed, that's by design. Here is information on how to store credentials with nuget.exe: https://docs.microsoft.com/en-us/nuget/consume-packages/consuming-packages-authenticated-feeds

        Once credentials are stored, then you won't be prompted again. That's also by design of nuget.

        M 1 Reply Last reply Reply Quote 0
        • M Offline
          marcus_1459
          last edited by

          The problem is - if you also look at the previous posts,
          If you have want a non-interactive session using nuget cli and you have stored your credentials previously you still get prompted to enter them. People are saying the workaround for that is to to enable anonymous - which creates a security risk.

          1 Reply Last reply Reply Quote 0
          • M Offline
            marcus_1459 @atripp
            last edited by

            @atripp said in SECURITY VULNERABILITY: nuget cli requires anonymous access to feed:

            Once credentials are stored, then you won't be prompted again. That's also by design of nuget.

            Except they do prompt

            1 Reply Last reply Reply Quote 0
            • atrippA Offline
              atripp inedo-engineer
              last edited by

              Those posts are over 5 years old, and nuget.exe has made a lot of improvements since then. Back then, it wasn't easy to authenticate to private feeds.

              So, if you follow the article I linked, by Microsoft, it will help you configure nuget.exe to talk to an authenticated feed in ProGet. If you're continuing to have trouble, the problem is not of ProGet, but of some sort of nuget.exe configuration. Your best bet will to do a wide search, like "NuGet.exe prompting for credentials".

              M 1 Reply Last reply Reply Quote 0
              • M Offline
                marcus_1459 @atripp
                last edited by

                Oh google - now why hadn't I thought of that or indeed looked at the Microsoft web page a few days ago.

                Just so I'm perfectly clear - what is the exact command line to set the credentials in the format that proget prefers into the command line. (using dummy feedname)

                1 Reply Last reply Reply Quote 0
                • atrippA Offline
                  atripp inedo-engineer
                  last edited by

                  I'm sorry that my suggestion offended you.

                  ProGet doesn't "prefer" anything. It's a standard, authenticated feed. If it works in your browser (i.e. the feed endpoint URL), then it should work in NuGet. if it doesn't work in NuGet, then NuGet isn't being configured correctly.

                  "Behind the scenes", NuGet uses "basic authentication" to transmit those credentials to ProGet. It's the same mechanism your browser uses when you navigate to the feed API (i.e. a pop-up).

                  Credentials are stored in the nuget.config; the link I provided shows you how to edit that configuration file. You can either edit it yourself or use the sources command-line argument.

                  https://docs.microsoft.com/en-us/nuget/reference/nuget-config-file#packagesourcecredentials

                  You can attach a tool like Fiddler to NuGet.exe, and see what it's sending in different cases. It might be a NuGet bug.

                  1 Reply Last reply Reply Quote 0

                  Hello! It looks like you're interested in this conversation, but you don't have an account yet.

                  Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.

                  With your input, this post could be even better 💗

                  Register Login
                  • 1 / 1
                  • First post
                    Last post
                  Inedo Website Home • Support Home • Code of Conduct • Forums Guide • Documentation