
Make NuGet service index publicly accessible #21242

Merged 7 commits into go-gitea:main (Sep 24, 2022)

Conversation

@KN4CK3R (Member) commented Sep 22, 2022

Addition to #20734
Fixes #20717

The `/index.json` endpoint needs to be accessible even if the registry is private. The NuGet client uses this endpoint without authentication.

The old fix only works if the NuGet CLI is used with `--source <name>` but not with `--source <url>/index.json`.
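To make the routing rule concrete, here is an added example in Go (it is not Gitea's code): a private registry for one owner where `/index.json` is served without credentials while every other registry endpoint, `/query` here, still requires them. HTTP Basic with a constructed secret stands in for Gitea's real credential checks, and `Registry`, `NewPrivateRegistry`, `Handler` and `Status` are names chosen for the example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Registry is a constructed stand-in for one owner's NuGet registry. It models
// only the access decision this PR is about: /index.json is served without
// credentials, everything else is gated when the registry is private.
type Registry struct {
	Owner   string
	Private bool
	// Secret is a constructed credential standing in for a stored API key.
	Secret string
}

// NewPrivateRegistry returns a private registry for owner guarded by secret.
func NewPrivateRegistry(owner, secret string) *Registry {
	return &Registry{Owner: owner, Private: true, Secret: secret}
}

func (r *Registry) basePath() string {
	return "/api/packages/" + r.Owner + "/nuget"
}

// authorized accepts HTTP Basic credentials whose password equals the secret,
// compared in constant time so a wrong key takes as long as a right one.
func (r *Registry) authorized(req *http.Request) bool {
	_, pass, ok := req.BasicAuth()
	return ok && subtle.ConstantTimeCompare([]byte(pass), []byte(r.Secret)) == 1
}

// Handler routes requests. The service index is exempt from the access check
// because the NuGet client fetches it before it sends any credentials; its
// body only lists endpoint URLs, so no package data is exposed by that.
func (r *Registry) Handler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		base := r.basePath()
		if req.URL.Path != base && !strings.HasPrefix(req.URL.Path, base+"/") {
			http.NotFound(w, req)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		if req.URL.Path == base+"/index.json" {
			// Public: a minimal v3 service index pointing at the query endpoint.
			fmt.Fprintf(w, `{"version":"3.0.0","resources":[{"@id":"%s/query","@type":"SearchQueryService"}]}`, base)
			return
		}
		if r.Private && !r.authorized(req) {
			w.Header().Set("WWW-Authenticate", `Basic realm="nuget"`)
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		// Constructed stand-in for the real, authenticated query response.
		fmt.Fprint(w, `{"totalHits":0,"data":[]}`)
	})
}

// Status performs an in-memory request against the registry and returns the
// HTTP status code; empty user and pass means no credentials are sent.
func (r *Registry) Status(path, user, pass string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if user != "" || pass != "" {
		req.SetBasicAuth(user, pass)
	}
	rec := httptest.NewRecorder()
	r.Handler().ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	reg := NewPrivateRegistry("KN4CK3R", "constructed-api-key")
	for _, c := range []struct{ path, user, pass string }{
		{"/api/packages/KN4CK3R/nuget/index.json", "", ""},
		{"/api/packages/KN4CK3R/nuget/query", "", ""},
		{"/api/packages/KN4CK3R/nuget/query", "KN4CK3R", "constructed-api-key"},
	} {
		fmt.Printf("GET %s (credentials=%v) -> %d\n", c.path, c.user != "", reg.Status(c.path, c.user, c.pass))
	}
}
```

The check that matters for a reviewer of this PR is the second request: with the index public, an unauthenticated caller must still get 401 from every other endpoint of a private registry, and a wrong key must be rejected just like a missing one.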

@KN4CK3R KN4CK3R added this to the 1.18.0 milestone Sep 22, 2022
@silverwind silverwind added the topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! label Sep 22, 2022
@silverwind (Member) commented Sep 22, 2022

So, unauthenticated clients can enumerate NuGet package names? Anything else exposed?

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Sep 22, 2022
@KN4CK3R (Member, Author) commented Sep 23, 2022

> So, unauthenticated clients can enumerate NuGet package names? Anything else exposed?

No, that would be really bad. The service index exposes the capabilities and endpoints of the NuGet registry. All other requests are authenticated.
The response looks like this:

{
  "version": "3.0.0",
  "resources": [
    {
      "@id": "http://host.docker.internal:3000/api/packages/KN4CK3R/nuget/query",
      "@type": "SearchQueryService"
    },
    {
      "@id": "http://host.docker.internal:3000/api/packages/KN4CK3R/nuget/query",
      "@type": "SearchQueryService/3.0.0-beta"
    },
    {
      "@id": "http://host.docker.internal:3000/api/packages/KN4CK3R/nuget/query",
      "@type": "SearchQueryService/3.0.0-rc"
    },
    {
      "@id": "http://host.docker.internal:3000/api/packages/KN4CK3R/nuget/registration",
      "@type": "RegistrationsBaseUrl"
    },
    {
      "@id": "http://host.docker.internal:3000/api/packages/KN4CK3R/nuget/registration",
      "@type": "RegistrationsBaseUrl/3.0.0-beta"
    },
    {
      "@id": "http://host.docker.internal:3000/api/packages/KN4CK3R/nuget/registration",
      "@type": "RegistrationsBaseUrl/3.0.0-rc"
    },
    {
      "@id": "http://host.docker.internal:3000/api/packages/KN4CK3R/nuget/package",
      "@type": "PackageBaseAddress/3.0.0"
    },
    {
      "@id": "http://host.docker.internal:3000/api/packages/KN4CK3R/nuget",
      "@type": "PackagePublish/2.0.0"
    },
    {
      "@id": "http://host.docker.internal:3000/api/packages/KN4CK3R/nuget/symbolpackage",
      "@type": "SymbolPackagePublish/4.9.0"
    }
  ]
}
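As an added example, not Gitea's or the NuGet client's code, the following Go program consumes an index like the one above the way a v3 client does: it parses the document, picks the endpoint URL for a wanted `@type` (most specific version first, which is an assumption about the client's preference order, not something the page states), and reports which owner names the index reveals, which is exactly the "detect private user names" point raised further down. `ServiceIndex`, `Resolve`, `Owners` and the trimmed `SampleIndex` constant are the example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// ServiceIndex mirrors the shape of the /index.json document quoted above.
type ServiceIndex struct {
	Version   string     `json:"version"`
	Resources []Resource `json:"resources"`
}

// Resource is one entry of the "resources" array.
type Resource struct {
	ID   string `json:"@id"`
	Type string `json:"@type"`
}

// ParseServiceIndex decodes the document and rejects anything that is not a
// v3 service index, since the resource types used below only exist in v3.
func ParseServiceIndex(data []byte) (*ServiceIndex, error) {
	var idx ServiceIndex
	if err := json.Unmarshal(data, &idx); err != nil {
		return nil, fmt.Errorf("service index: %w", err)
	}
	if !strings.HasPrefix(idx.Version, "3.") {
		return nil, fmt.Errorf("service index: unsupported version %q", idx.Version)
	}
	return &idx, nil
}

// Resolve returns the @id of the first resource whose @type matches one of the
// wanted types, trying them in the order given. Callers list the most specific
// (versioned) type first so a newer endpoint wins when the server offers it.
func (idx *ServiceIndex) Resolve(wanted ...string) (string, bool) {
	for _, w := range wanted {
		for _, r := range idx.Resources {
			if r.Type == w {
				return r.ID, true
			}
		}
	}
	return "", false
}

// Owners returns the distinct owner segments found in resource URLs of the
// form /api/packages/{owner}/nuget/... This is all an unauthenticated caller
// learns from a private registry's index: endpoint URLs and the owner name,
// not package names or contents.
func (idx *ServiceIndex) Owners() []string {
	seen := map[string]bool{}
	var owners []string
	for _, r := range idx.Resources {
		u, err := url.Parse(r.ID)
		if err != nil {
			continue
		}
		parts := strings.Split(strings.Trim(u.Path, "/"), "/")
		if len(parts) >= 4 && parts[0] == "api" && parts[1] == "packages" && parts[3] == "nuget" && !seen[parts[2]] {
			seen[parts[2]] = true
			owners = append(owners, parts[2])
		}
	}
	return owners
}

// SampleIndex is a trimmed copy of the response quoted in the discussion,
// embedded so the example runs offline.
const SampleIndex = `{
  "version": "3.0.0",
  "resources": [
    {"@id": "http://host.docker.internal:3000/api/packages/KN4CK3R/nuget/query", "@type": "SearchQueryService"},
    {"@id": "http://host.docker.internal:3000/api/packages/KN4CK3R/nuget/query", "@type": "SearchQueryService/3.0.0-rc"},
    {"@id": "http://host.docker.internal:3000/api/packages/KN4CK3R/nuget/registration", "@type": "RegistrationsBaseUrl"},
    {"@id": "http://host.docker.internal:3000/api/packages/KN4CK3R/nuget/package", "@type": "PackageBaseAddress/3.0.0"},
    {"@id": "http://host.docker.internal:3000/api/packages/KN4CK3R/nuget", "@type": "PackagePublish/2.0.0"}
  ]
}`

func main() {
	idx, err := ParseServiceIndex([]byte(SampleIndex))
	if err != nil {
		panic(err)
	}
	search, _ := idx.Resolve("SearchQueryService/3.0.0-rc", "SearchQueryService/3.0.0-beta", "SearchQueryService")
	fmt.Println("search endpoint:", search) // every request to this URL now carries credentials
	fmt.Println("owners visible without credentials:", idx.Owners())
}
```

The split between the two steps is the whole security argument of the PR: the index fetch happens before the client has any reason to send credentials, and only the URLs it returns, never their content, are reachable without them.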

@silverwind (Member) left a review comment

A test would be nice.

@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Sep 23, 2022
@KN4CK3R (Member, Author) commented Sep 23, 2022

I already adjusted an existing test for a normal and a private user.

r.Delete("/{id}/{version}", nuget.DeletePackage)
}, reqPackageAccess(perm.AccessModeWrite))
r.Get("/symbols/(unknown)/{guid:[0-9a-f]{32}}FFFFFFFF/{filename2}", nuget.DownloadSymbolFile)
r.Get("/query", nuget.SearchService)
A Contributor left a review comment on the lines above:

LGTM, while I think it needs more comments about why there is no permission check for it.

And, maybe someone will worry about "attackers can detect private user names" again, while I think it's acceptable and that's the cost of using the NuGet package registry.

@KN4CK3R (Member, Author) replied:

> And, maybe someone will worry about "attackers can detect private user names" again, while I think it's acceptable and that's the cost of using the NuGet package registry.

You can detect that with the /users/{user} API too, so I see no difference.

The Contributor replied:

I agree, so LGTM 😁

@KN4CK3R (Member, Author) replied Sep 24, 2022:

I think that's a definition problem of private. Private like "there is a locked door I know something is behind" or private like "which door?".

@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Sep 24, 2022
@wxiaoguang wxiaoguang merged commit 0c8ce71 into go-gitea:main Sep 24, 2022
@KN4CK3R KN4CK3R deleted the fix-20717-2 branch September 24, 2022 15:25
zjjhot added a commit to zjjhot/gitea that referenced this pull request Sep 26, 2022
* upstream/main:
  [skip ci] Updated translations via Crowdin
  Typo in config-cheat-sheet (go-gitea#21261)
  Use native inputs in whitespace dropdown (go-gitea#20980)
  [skip ci] Updated licenses and gitignores
  Use en-US as fallback when using other default language (go-gitea#21200)
  Make NuGet service index publicly accessible (go-gitea#21242)
  Save files in local storage as umask (go-gitea#21198)
  NPM Package Registry search API endpoint (go-gitea#20280)
  [skip ci] Updated translations via Crowdin
  Added search input field to issue filter (go-gitea#20623)
KN4CK3R added a commit to KN4CK3R/gitea that referenced this pull request Sep 27, 2022
Addition to go-gitea#20734, Fixes go-gitea#20717

The `/index.json` endpoint needs to be accessible even if the registry
is private. The NuGet client uses this endpoint without
authentication.

The old fix only works if the NuGet cli is used with `--source <name>`
but not with `--source <url>/index.json`.

Co-authored-by: wxiaoguang <[email protected]>
zeripath pushed a commit that referenced this pull request Oct 8, 2022
@6543 6543 added the backport/done All backports for this PR have been created label Oct 15, 2022
tyroneyeh added a commit to tyroneyeh/gitea that referenced this pull request Oct 24, 2022
@go-gitea go-gitea locked and limited conversation to collaborators May 3, 2023
Labels
backport/done All backports for this PR have been created lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. topic/packages topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! type/bug
Development

Successfully merging this pull request may close these issues.

NuGet push returns 401 (Unauthorized) when using --api-key
5 participants