When you install a package from NuGet, it can run some PowerShell scripts to set things up (such as exporting commands to be used in the Package Manager console).
I'm trying (and failing) to find details of what these scripts can/can't do. Specifically - should we be worried about malicious code in these? Can they read the filesystem, send web requests, etc.?
NuGet supports the Install-Package, Update-Package, Find-Package, and Get-Package commands, and if the NuGet package is not installed on your system, you may not be able to find a package or install any package. For more reference about NuGet, check the websites below. To install NuGet, we need to use the Install-PackageProvider command.
To manage your package sources, select the Settings icon or select Tools > Options. In the Options window, expand the NuGet Package Manager node and select Package Sources. To add a source, select +, edit the Name, enter the URL or path in Source, and then select Update.
When NuGet sets up the PowerShell host, it checks to see what the current ExecutionPolicy is. If it is not Unrestricted, RemoteSigned, or Bypass, it forces the ExecutionPolicy to RemoteSigned for the current process (devenv.exe).
PowerShell does not see the embedded scripts init.ps1, install.ps1, etc. as being downloaded from the Internet, so there is nothing preventing a malicious script from doing anything on your machine that your account has permissions to do.
At this point, all NuGet package creators are pretty much on the "honor" system. I believe Ruby Gems have a similar situation.
NuGet does have the ability to use private package sources, so if security is critical, I suggest you download and vet all packages, and only allow installing packages from these trusted sources.
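As an added example (not from the answer above or from NuGet itself) of the "download and vet" step: a .nupkg is a zip archive, and the hook scripts NuGet runs live under tools/ (init.ps1, install.ps1, uninstall.ps1). The script below lists those hooks and flags constructs a reviewer would want to read before allowing the package into a private feed; the category patterns and the sample package are constructed here and are heuristics, not a complete list of dangerous PowerShell.

```python
import io
import re
import zipfile

# Scripts NuGet executes from a package's tools/ folder at install/uninstall time.
HOOK_SCRIPTS = ("init.ps1", "install.ps1", "uninstall.ps1")

# Constructed review heuristics: constructs that deserve a human look, not proof of malice.
REVIEW_PATTERNS = {
    "network": re.compile(r"Invoke-WebRequest|Invoke-RestMethod|Net\.WebClient|DownloadString", re.I),
    "filesystem": re.compile(r"Remove-Item|Set-Content|Out-File|Get-ChildItem", re.I),
    "process": re.compile(r"Start-Process|Invoke-Expression|\biex\b", re.I),
}


def inspect_nupkg(data: bytes) -> dict:
    """Return {script_path: [flagged categories]} for each hook script inside a .nupkg."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            parts = name.split("/")
            # Only scripts directly under tools/ (or its subfolders) are NuGet hooks.
            if len(parts) >= 2 and parts[0].lower() == "tools" and parts[-1].lower() in HOOK_SCRIPTS:
                text = pkg.read(name).decode("utf-8", errors="replace")
                findings[name] = sorted(cat for cat, rx in REVIEW_PATTERNS.items() if rx.search(text))
    return findings


def build_sample_nupkg() -> bytes:
    """Constructed sample package: a benign init.ps1 plus an install.ps1 that reaches the network."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("Sample.nuspec", "<package/>")
        pkg.writestr("tools/init.ps1", "Import-Module (Join-Path $toolsPath 'Sample.psm1')")
        pkg.writestr("tools/install.ps1",
                     "param($installPath, $toolsPath, $package, $project)\n"
                     "Invoke-WebRequest -Uri 'http://example.invalid/ping'\n"
                     "Start-Process notepad")
        pkg.writestr("lib/net45/Sample.dll", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for path, cats in inspect_nupkg(build_sample_nupkg()).items():
        print(f"{path}: {', '.join(cats) or 'no flagged constructs'}")
```

Point inspect_nupkg at the bytes of a real package file to triage it before adding it to a trusted source.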