Make NuGet service index publicly accessible #21242
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
silverwind
added
the
topic/security
|
So, unauthenticated clients can enumerate NuGet package names? Anything else exposed? |
GiteaBot
added
the
lgtm/need 2
No, that would be really bad. The service index exposes the capabilities and endpoints of the NuGet registry. All other requests are authenticated. {
"version": "3.0.0",
"resources": [
{
"@id": "http://host.docker.internal:3000/api/packages/KN4CK3R/nuget/query",
"@type": "SearchQueryService"
},
{
"@id": "http://host.docker.internal:3000/api/packages/KN4CK3R/nuget/query",
"@type": "SearchQueryService/3.0.0-beta"
},
{
"@id": "http://host.docker.internal:3000/api/packages/KN4CK3R/nuget/query",
"@type": "SearchQueryService/3.0.0-rc"
},
{
"@id": "http://host.docker.internal:3000/api/packages/KN4CK3R/nuget/registration",
"@type": "RegistrationsBaseUrl"
},
{
"@id": "http://host.docker.internal:3000/api/packages/KN4CK3R/nuget/registration",
"@type": "RegistrationsBaseUrl/3.0.0-beta"
},
{
"@id": "http://host.docker.internal:3000/api/packages/KN4CK3R/nuget/registration",
"@type": "RegistrationsBaseUrl/3.0.0-rc"
},
{
"@id": "http://host.docker.internal:3000/api/packages/KN4CK3R/nuget/package",
"@type": "PackageBaseAddress/3.0.0"
},
{
"@id": "http://host.docker.internal:3000/api/packages/KN4CK3R/nuget",
"@type": "PackagePublish/2.0.0"
},
{
"@id": "http://host.docker.internal:3000/api/packages/KN4CK3R/nuget/symbolpackage",
"@type": "SymbolPackagePublish/4.9.0"
}
]
} |
GiteaBot
added
lgtm/need 1
|
I already adjusted an existing test for a normal and a private user. |
wxiaoguang
reviewed
Sep 24, 2022
| r.Delete("/{id}/{version}", nuget.DeletePackage) | ||
| }, reqPackageAccess(perm.AccessModeWrite)) | ||
| r.Get("/symbols/{filename}/{guid:[0-9a-f]{32}}FFFFFFFF/{filename2}", nuget.DownloadSymbolFile) | ||
| r.Get("/query", nuget.SearchService) |
There was a problem hiding this comment.
LGTM, while I think it needs more comments about why there is no permission check for it.
And, maybe someone will worry about "attackers can detect private user names" again, while I think it's acceptable and that's cost of using NuGet package registry.
There was a problem hiding this comment.
And, maybe someone will worry about "attackers can detect private user names" again, while I think it's acceptable and that's cost of using NuGet package registry.
You can detect that with the /users/{user} api too, so I see no difference.
There was a problem hiding this comment.
I think that's a definition problem of private. Private like "there is a locked door I know something is behind" or private like "which door?".
wxiaoguang
approved these changes
Sep 24, 2022
GiteaBot
added
lgtm/done
wxiaoguang
approved these changes
Sep 24, 2022
zjjhot
added a commit
to zjjhot/gitea
that referenced
this pull request
Sep 26, 2022
* upstream/main: [skip ci] Updated translations via Crowdin Typo in config-cheat-sheet (go-gitea#21261) Use native inputs in whitespace dropdown (go-gitea#20980) [skip ci] Updated licenses and gitignores Use en-US as fallback when using other default language (go-gitea#21200) Make NuGet service index publicly accessible (go-gitea#21242) Save files in local storage as umask (go-gitea#21198) NPM Package Registry search API endpoint (go-gitea#20280) [skip ci] Updated translations via Crowdin Added search input field to issue filter (go-gitea#20623)
KN4CK3R
added a commit
to KN4CK3R/gitea
that referenced
this pull request
Sep 27, 2022
Addition to go-gitea#20734, Fixes go-gitea#20717 The `/index.json` endpoint needs to be accessible even if the registry is private. The NuGet client uses this endpoint without authentification. The old fix only works if the NuGet cli is used with `--source <name>` but not with `--source <url>/index.json`. Co-authored-by: wxiaoguang <[email protected]>
zeripath
pushed a commit
that referenced
this pull request
Oct 8, 2022
Backport of #21242 Co-authored-by: wxiaoguang <[email protected]> Co-authored-by: 6543 <[email protected]>
tyroneyeh
added a commit
to tyroneyeh/gitea
that referenced
this pull request
Oct 24, 2022
…ea#21277) Backport of go-gitea#21242 Co-authored-by: wxiaoguang <[email protected]> Co-authored-by: 6543 <[email protected]>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Addition to #20734
Fixes #20717
The
/index.jsonendpoint needs to be accessible even if the registry is private. The NuGet client uses this endpoint without authentification.The old fix only works if the NuGet cli is used with
--source <name>but not with--source <url>/index.json.