
SECURITY VULNERABILITY: nuget cli requires anonymous access to feed



  • This has been mentioned in a number of forum posts but I do not believe the ramifications of the workaround have been fully understood.
    https://forums.inedo.com/topic/622
    https://forums.inedo.com/topic/345/proget-nuget-push-always-asks-for-credentials
    https://forums.inedo.com/topic/526/push-nupkg-to-proget-failing-with-authentication-error
    And, as I have just discovered, you get the same if you try to download from ProGet using the nuget CLI: you get prompted for credentials even though they have been previously supplied.

    The workaround is to provide anonymous access to the feed.

    For downloading, it is possible to limit the access to just viewing the feed, but even this is a huge security hole giving access to package information; however, if users are not aware that they need to restrict it, they could potentially leave an open path for non-approved downloads and a potential data breach.

    From enabling statistics on package feeds, it looks like once authenticated it's then allowing the download via nuget using anonymous access; whether this is a design of nuget or of ProGet I don't know. But either way this anonymous loophole needs fixing, giving the ability to download nuget packages via the command line using authenticated accounts only.


  • inedo-engineer

    Hi; I'm not really sure what the issue is?

    NuGet will prompt for credentials if it's not an anonymous feed, that's by design. Here is information on how to store credentials with nuget.exe: https://docs.microsoft.com/en-us/nuget/consume-packages/consuming-packages-authenticated-feeds

    Once credentials are stored, then you won't be prompted again. That's also by design of nuget.



  • The problem is - if you also look at the previous posts,
    if you want a non-interactive session using the nuget CLI and you have stored your credentials previously, you still get prompted to enter them. People are saying the workaround for that is to enable anonymous, which creates a security risk.



  • @atripp said in SECURITY VULNERABILITY: nuget cli requires anonymous access to feed:

    Once credentials are stored, then you won't be prompted again. That's also by design of nuget.

    Except they do prompt


  • inedo-engineer

    Those posts are over 5 years old, and nuget.exe has made a lot of improvements since then. Back then, it wasn't easy to authenticate to private feeds.

    So, if you follow the article I linked, by Microsoft, it will help you configure nuget.exe to talk to an authenticated feed in ProGet. If you're continuing to have trouble, the problem is not with ProGet, but with some sort of nuget.exe configuration. Your best bet will be to do a wide search, like "NuGet.exe prompting for credentials".



  • Oh google - now why hadn't I thought of that or indeed looked at the Microsoft web page a few days ago.

    Just so I'm perfectly clear: what is the exact command line to set the credentials, in the format that ProGet prefers, from the command line? (Using a dummy feed name.)


  • inedo-engineer

    I'm sorry that my suggestion offended you.

    ProGet doesn't "prefer" anything. It's a standard, authenticated feed. If it works in your browser (i.e. the feed endpoint URL), then it should work in NuGet. If it doesn't work in NuGet, then NuGet isn't being configured correctly.

    "Behind the scenes", NuGet uses "basic authentication" to transmit those credentials to ProGet. It's the same mechanism your browser uses when you navigate to the feed API (i.e. a pop-up).

    Credentials are stored in the nuget.config; the link I provided shows you how to edit that configuration file. You can either edit it yourself or use the sources command-line argument.

    https://docs.microsoft.com/en-us/nuget/reference/nuget-config-file#packagesourcecredentials

    You can attach a tool like Fiddler to NuGet.exe, and see what it's sending in different cases. It might be a NuGet bug.
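
An added example, not from this thread and not Inedo's or Microsoft's code: a Python script that writes the nuget.config `packageSourceCredentials` block the engineer points to, audits it for the misconfigurations that typically make nuget.exe prompt (credential element name not matching the source name, a DPAPI-encrypted `Password` on a non-Windows machine, no password entry at all, a plain-http feed), and shows the Basic authorization header NuGet derives from it. The feed name, URL and credentials are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET


def build_nuget_config(source_name, source_url, username, password, credential_name=None):
    """Return nuget.config text equivalent to:
         nuget sources add -Name <source_name> -Source <source_url>
               -UserName <username> -Password <password> -StorePasswordInClearText
    credential_name defaults to source_name; it is a parameter only so the audit
    below can be shown catching a mismatch (an assumption of this example, not a NuGet option)."""
    root = ET.Element("configuration")
    sources = ET.SubElement(root, "packageSources")
    ET.SubElement(sources, "add", key=source_name, value=source_url)
    creds = ET.SubElement(root, "packageSourceCredentials")
    # The child element's tag must equal the package source name, otherwise NuGet
    # never associates the credentials with the source and prompts instead.
    entry = ET.SubElement(creds, credential_name or source_name)
    ET.SubElement(entry, "add", key="Username", value=username)
    # ClearTextPassword is portable; "Password" is DPAPI-encrypted and only usable
    # on the Windows account/machine that stored it.
    ET.SubElement(entry, "add", key="ClearTextPassword", value=password)
    return ET.tostring(root, encoding="unicode")


def credentials_for_source(config_text, source_name):
    """Return (username, password) for a source, or None if nuget.config has none."""
    root = ET.fromstring(config_text)
    entry = root.find(f"./packageSourceCredentials/{source_name}")
    if entry is None:
        return None
    values = {a.get("key"): a.get("value") for a in entry.findall("add")}
    password = values.get("ClearTextPassword") or values.get("Password")
    if "Username" not in values or password is None:
        return None
    return values["Username"], password


def basic_auth_header(username, password):
    """The Authorization header NuGet sends: base64 of user:password, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_auth(header):
    """Inverse of basic_auth_header; useful when inspecting a captured request."""
    scheme, token = header.split(" ", 1)
    assert scheme == "Basic"
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def audit_config(config_text):
    """Return a list of reasons nuget.exe would prompt, or leak credentials, with this config."""
    root = ET.fromstring(config_text)
    sources = {a.get("key"): a.get("value") for a in root.findall("./packageSources/add")}
    creds_el = root.find("packageSourceCredentials")
    creds = {e.tag: e for e in creds_el} if creds_el is not None else {}
    problems = []
    for name, url in sources.items():
        if name not in creds:
            problems.append(f"source '{name}' has no packageSourceCredentials entry; "
                            "nuget.exe will prompt (or fail under -NonInteractive)")
        if url.lower().startswith("http://"):
            problems.append(f"source '{name}' is plain http; Basic auth would send the password in the clear")
    for name, entry in creds.items():
        if name not in sources:
            problems.append(f"credentials '{name}' match no packageSources key "
                            "(element name must equal the source name)")
        keys = {a.get("key") for a in entry.findall("add")}
        if "Password" in keys:
            problems.append(f"'{name}' stores a DPAPI-encrypted Password; only usable on the Windows machine that wrote it")
        if not ({"Password", "ClearTextPassword"} & keys):
            problems.append(f"'{name}' has no password entry")
    return problems


if __name__ == "__main__":
    cfg = build_nuget_config("proget-internal",
                             "https://proget.example.test/nuget/internal/v3/index.json",
                             "ci-bot", "s3cret")  # constructed placeholders
    print(cfg)
    print(audit_config(cfg))
    print(basic_auth_header(*credentials_for_source(cfg, "proget-internal")))
```

Running the audit against the nuget.config a build agent actually uses is a cheaper first check than opening the feed to anonymous access: if it reports a problem, the prompt is a client-side configuration issue, as the engineer suggests, rather than something the feed permissions need to absorb.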

