
A recently-published article demonstrates a way to make "typo-squatting" attacks on popular programming package managers. It singles out Python's pip, Ruby's gem and Node's npm systems, and shows that they have two things in common:

  1. Packages can be submitted and accepted automatically, with no manual review or human oversight.
  2. Packages can cause the package manager to execute arbitrary "setup" code on the client system at install-time.

This means that it's possible to register a package with a name that's very similar to that of a popular package, and get your package (complete with a malicious setup script) installed anytime someone mistypes the package name.

This makes me wonder, does NuGet have these same two characteristics? Does it have any mechanism in place to mitigate attacks of this type?

Mason Wheeler

1 Answer


Packages can be submitted and accepted automatically, with no manual review or human oversight

Yes.

Packages can cause the package manager to execute arbitrary "setup" code on the client system at install-time.

The "old" project model allows running PowerShell scripts, so yes, I would say this is also an issue for NuGet. Even the new ones are vulnerable, in that as soon as they "run" their project importing the package, the assembly can just do something malicious.

Does it have any mechanism in place to mitigate attacks of this type?

I've seen a few organizations adopt the practice of banning the Microsoft NuGet repository and setting up a local server with vetted packages.

It's also worth pointing out that while Package Signing in issue #2577 appears to be coming, a writeup of it on the NuGet blog makes the distinct point that package signing will not completely address this:

This signing system is not trying to tell you that NuGet can verify that a package is the right version of Newtonsoft.Json, from James Newton-King. Instead, we can say that it’s Newtonsoft.Json from someone in control of the private key for some certificate X. Actually verifying that James Newton-King is in control of that certificate is a secondary process that we are not providing here.

Presumably, then, this signing will be available to anyone, and a squatter could simply sign their package.

https://github.com/NuGet/Home/issues/2974#issuecomment-225949342

Robert Harvey
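As an added example (not part of the question or answer above, and not NuGet's own code), here is the kind of vetting check an operator of the local vetted feed the answer mentions could run on a .nupkg before accepting it. It flags package IDs within a small edit distance of an allowlist of popular IDs, and lists any tools/init.ps1, install.ps1 or uninstall.ps1 scripts that the packages.config ("old") project model would run at install time. The allowlist, the distance threshold and the allow/review/reject policy are assumptions for illustration, and the packages built inline are constructed samples, not real uploads.

```python
import io
import zipfile
from typing import Dict, List, Optional

# Constructed allowlist of popular package IDs a squatter would target.
# Assumption: in practice this is the organization's vetted list or the top-N IDs of the feed.
POPULAR_IDS = ["Newtonsoft.Json", "Microsoft.Extensions.Logging", "Serilog", "Dapper"]

# Scripts under tools/ that the packages.config project model runs at install time.
INSTALL_SCRIPTS = {"init.ps1", "install.ps1", "uninstall.ps1"}

# Minimal .nuspec template so the constructed package is a plausible .nupkg layout.
NUSPEC = (
    '<?xml version="1.0"?>\n<package>\n  <metadata>\n'
    "    <id>{id}</id>\n    <version>{version}</version>\n"
    "    <authors>constructed</authors>\n    <description>constructed sample</description>\n"
    "  </metadata>\n</package>\n"
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(package_id: str, popular: List[str] = POPULAR_IDS,
                 max_distance: int = 2) -> Optional[str]:
    """Return the popular ID this ID is suspiciously close to, or None.

    NuGet IDs are case-insensitive, so compare lower-cased. An exact match is the
    real package, not a squat. max_distance=2 is an assumed threshold.
    """
    wanted = package_id.lower()
    best, best_dist = None, max_distance + 1
    for candidate in popular:
        if candidate.lower() == wanted:
            return None
        d = levenshtein(wanted, candidate.lower())
        if d < best_dist:
            best, best_dist = candidate, d
    return best


def install_scripts(nupkg: bytes) -> List[str]:
    """List install-time PowerShell scripts packaged under tools/ in a .nupkg (a zip)."""
    with zipfile.ZipFile(io.BytesIO(nupkg)) as zf:
        return sorted(
            name for name in zf.namelist()
            if name.lower().startswith("tools/")
            and name.rsplit("/", 1)[-1].lower() in INSTALL_SCRIPTS
        )


def build_nupkg(package_id: str, version: str, files: Dict[str, str]) -> bytes:
    """Build a minimal constructed .nupkg in memory for the example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(package_id + ".nuspec", NUSPEC.format(id=package_id, version=version))
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()


def vet_package(package_id: str, nupkg: bytes) -> dict:
    """Assumed feed policy (not NuGet's): reject a near-miss of a popular ID,
    hold anything carrying install scripts for manual review, allow the rest."""
    near = lookalike_of(package_id)
    scripts = install_scripts(nupkg)
    if near is not None:
        verdict = "reject"
    elif scripts:
        verdict = "manual-review"
    else:
        verdict = "allow"
    return {"id": package_id, "lookalike_of": near,
            "install_scripts": scripts, "verdict": verdict}


if __name__ == "__main__":
    # Constructed squat: one letter off the real ID, with an install-time script.
    squat = build_nupkg("Newtonsoft.Jsn", "1.0.0", {
        "tools/install.ps1": "Write-Host 'constructed stand-in for a malicious script'\n",
        "lib/net45/Newtonsoft.Json.dll": "",
    })
    print(vet_package("Newtonsoft.Jsn", squat))
    print(vet_package("Dapper", build_nupkg("Dapper", "2.0.0",
                                            {"lib/netstandard2.0/Dapper.dll": ""})))
```

The name check only covers single-character typos against IDs you already know about, which is the attack the question describes; it does nothing against a squatter who picks a plausible new name, and it says nothing about what a package's assemblies do once loaded, which is the point the answer makes about the newer project model.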