-
-
Notifications
You must be signed in to change notification settings - Fork 5.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make NuGet service index publicly accessible #21242
Conversation
So, unauthenticated clients can enumerate NuGet package names? Anything else exposed? |
No, that would be really bad. The service index exposes the capabilities and endpoints of the NuGet registry. All other requests are authenticated. {
"version": "3.0.0",
"resources": [
{
"@id": "http://host.docker.internal:3000/api/packages/KN4CK3R/nuget/query",
"@type": "SearchQueryService"
},
{
"@id": "http://host.docker.internal:3000/api/packages/KN4CK3R/nuget/query",
"@type": "SearchQueryService/3.0.0-beta"
},
{
"@id": "http://host.docker.internal:3000/api/packages/KN4CK3R/nuget/query",
"@type": "SearchQueryService/3.0.0-rc"
},
{
"@id": "http://host.docker.internal:3000/api/packages/KN4CK3R/nuget/registration",
"@type": "RegistrationsBaseUrl"
},
{
"@id": "http://host.docker.internal:3000/api/packages/KN4CK3R/nuget/registration",
"@type": "RegistrationsBaseUrl/3.0.0-beta"
},
{
"@id": "http://host.docker.internal:3000/api/packages/KN4CK3R/nuget/registration",
"@type": "RegistrationsBaseUrl/3.0.0-rc"
},
{
"@id": "http://host.docker.internal:3000/api/packages/KN4CK3R/nuget/package",
"@type": "PackageBaseAddress/3.0.0"
},
{
"@id": "http://host.docker.internal:3000/api/packages/KN4CK3R/nuget",
"@type": "PackagePublish/2.0.0"
},
{
"@id": "http://host.docker.internal:3000/api/packages/KN4CK3R/nuget/symbolpackage",
"@type": "SymbolPackagePublish/4.9.0"
}
]
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A test would be nice.
I already adjusted an existing test for a normal and a private user. |
r.Delete("/{id}/{version}", nuget.DeletePackage) | ||
}, reqPackageAccess(perm.AccessModeWrite)) | ||
r.Get("/symbols/{filename}/{guid:[0-9a-f]{32}}FFFFFFFF/{filename2}", nuget.DownloadSymbolFile) | ||
r.Get("/query", nuget.SearchService) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, while I think it needs more comments about why there is no permission check for it.
And, maybe someone will worry about "attackers can detect private user names" again, while I think it's acceptable and that's cost of using NuGet package registry.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And, maybe someone will worry about "attackers can detect private user names" again, while I think it's acceptable and that's cost of using NuGet package registry.
You can detect that with the /users/{user}
api too, so I see no difference.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree, so LGTM 😁
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that's a definition problem of private. Private like "there is a locked door I know something is behind" or private like "which door?".
* upstream/main: [skip ci] Updated translations via Crowdin Typo in config-cheat-sheet (go-gitea#21261) Use native inputs in whitespace dropdown (go-gitea#20980) [skip ci] Updated licenses and gitignores Use en-US as fallback when using other default language (go-gitea#21200) Make NuGet service index publicly accessible (go-gitea#21242) Save files in local storage as umask (go-gitea#21198) NPM Package Registry search API endpoint (go-gitea#20280) [skip ci] Updated translations via Crowdin Added search input field to issue filter (go-gitea#20623)
Addition to go-gitea#20734, Fixes go-gitea#20717 The `/index.json` endpoint needs to be accessible even if the registry is private. The NuGet client uses this endpoint without authentification. The old fix only works if the NuGet cli is used with `--source <name>` but not with `--source <url>/index.json`. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
…ea#21277) Backport of go-gitea#21242 Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: 6543 <6543@obermui.de>
Addition to #20734
Fixes #20717
The
/index.json
endpoint needs to be accessible even if the registry is private. The NuGet client uses this endpoint without authentification.The old fix only works if the NuGet cli is used with
--source <name>
but not with--source <url>/index.json
.