
Allow insecure HTTP connections to 10.0.0.0/8 IP addresses #12942

Closed
colejohnson66 opened this issue Oct 17, 2023 · 4 comments
Labels
Area:Settings NuGet.Config and related issues Triage:NeedsTriageDiscussion Type:DCR Design Change Request

Comments

@colejohnson66

colejohnson66 commented Oct 17, 2023

NuGet Product(s) Affected

dotnet.exe

Current Behavior

My company is running a locally managed Gitea instance on our intranet, which is connected to through the (RFC 1918 reserved) 10.0.0.0/8 IP range. On Gitea, we use their built-in support for being a NuGet package repository. This all works great. However, every time the compiler decides to run a "NuGet restore" operation, we get an NU1803 warning about using HTTP sources:

2>project.csproj: Warning NU1803 : You are running the 'restore' operation with an 'HTTP' source, 'http://10.0.0.31/{}/index.json'. Non-HTTPS access will be removed in a future version. Consider migrating to an 'HTTPS' source.

I understand the reasoning for this: "use HTTPS everywhere", but this is not always feasible. And frankly, it's not even necessary for intranets, of which 10.0.0.0/8 is part.

Using HTTPS with IP addresses is not well-supported, and many certificate providers won't issue one for you, except in certain circumstances. For example, Let's Encrypt flat out won't issue certificates for IP addresses. Some providers will give you one for publicly accessible IPs, but 10.0.0.0/8 is obviously not.

Theoretically, we could use a fake subdomain on our real website (such as git.{}.com), and modify everyone's hosts file to route to our Gitea instance. This would possibly allow our wildcard certificate from the website to be used, but it's clunky as it requires work on every computer.

Desired Behavior

Accesses to HTTP NuGet sources are allowed with no warning, but only for certain IP ranges. Namely, 10.0.0.0/8.

Additional Context

192.168.0.0/16 could also be included as it's the "loopback" address, and, as such, will not even leave the current computer.

@colejohnson66 colejohnson66 added Triage:Untriaged Type:DCR Design Change Request labels Oct 17, 2023
@zivkan
Member

zivkan commented Oct 17, 2023

And frankly, it's not even necessary for intranets

I know some people don't buy into Zero Trust Networking, but just today this news article came out:

https://arstechnica.com/security/2023/10/actively-exploited-cisco-0-day-with-maximum-10-severity-gives-full-network-control/

Anyway, I'll let our triage team look at this, but my recommendation is to close this request as the allowInsecureConnections feature is a sufficient mitigation. It's not out yet (unless you're willing to use previews), but will be available in NuGet 6.8, .NET 8 SDK, and VS 17.8.

@zivkan zivkan added Area:Settings NuGet.Config and related issues Triage:NeedsTriageDiscussion and removed Triage:Untriaged labels Oct 17, 2023
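As an added example (not from the issue thread or the NuGet project), here is a NuGet.Config showing the plain HTTP source from the issue next to the same source with the per-source allowInsecureConnections opt-in zivkan refers to; the `{}` in the URL is the redacted path from the issue, kept as a placeholder, and the attribute is assumed to be the one shipped in NuGet 6.8.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <!-- Before: a plain HTTP source. Every restore emits NU1803 for it. -->
    <!-- <add key="gitea" value="http://10.0.0.31/{}/index.json" /> -->

    <!-- After: the same source with the explicit per-source opt-in.
         The attribute applies only to the entry it is on, so the decision
         to trust an unencrypted source is recorded next to that source
         and is visible in code review; other HTTP sources still warn. -->
    <add key="gitea" value="http://10.0.0.31/{}/index.json" allowInsecureConnections="true" />

    <!-- Public feed stays on HTTPS; nothing is opted in globally. -->
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
</configuration>
```

Because the opt-in lives in the repository's NuGet.Config rather than on each developer's machine, it replaces the per-computer hosts-file workaround described in the issue with a single reviewable setting.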
@colejohnson66
Author

colejohnson66 commented Oct 17, 2023

Understandable. That flag would indeed work, but the warning is telling me that such support will eventually go away, and that would break our setup. Even if you decide to deny my request for exclusions, I would urge the team to not break HTTP sources.

@zivkan
Member

zivkan commented Oct 19, 2023

A month ago, we published a blog post explaining the new plans for "https everywhere": https://devblogs.microsoft.com/nuget/https-everywhere-update/

The issue with most upvotes regarding the NU1803 warnings also had comments explaining that http is no longer planned to be blocked completely: #12015

@colejohnson66
Author

In that case, this issue is a duplicate, I guess.
