All geek questions in one place

What security restrictions are set on Powershell scripts that are executed during the installation of the / init package of NuGet?

When you install a package from NuGet, it can run some Powershell scripts to configure (for example, exporting commands to be used in the package manager console).

I try (and fail) to find details of what these scripts can / cannot do. In particular, should one worry about malicious code? Can they read the file system, send web requests, etc.?

+6
source share
3 answers

When NuGet installs a PowerShell node, it checks what the current ExecutionPolicy is. If it is not unlimited, RemoteSigned or Bypass, it forces ExcecutionPolicy for RemoteSigned for the current process (devenv.exe).

PowerShell does not see the built-in scripts init.ps1, install.ps1, etc. as downloadable from the Internet, so there is nothing to stop a malicious script from doing anything on your computer so that your account has permissions.

At this point, all the creators of the NuGet package are pretty much part of the honor system. I believe that Ruby Gems has a similar situation.

NuGet really has the ability to use private package sources, so if security is important, I suggest you download and check all packages and allow packages to be installed only from these trusted sources.

+3
source

I will take it to someone from the NuGet team, but I'm pretty sure that they are executed under the current execution policy.

Here is the clip from my own nuget console:

PM> Get-ExecutionPolicy RemoteSigned

If I open PowerShell as an administrator and change the execution policy, nuget will report the change:

 PM> Get-ExecutionPolicy Restricted

In general, any default execution policy that you received on your computer by default also applies to the nuget console.

0
source

When you download a script from the Internet, if it is not installed using the installer, where you granted it elevated permissions for installation, the scripts are marked as blocked. You must enable (unlock) them by right-clicking on the scripts and selecting the "Unlock" button.

-2
source

Source: https://habr.com/ru/post/887122/

More articles:


All Articles