NuGet Dependency Confusion

ID

dep_confusion_nuget

Severity

high

Family

Dependency Confusion

Description

Dependency Confusion in NuGet occurs when the project has dependencies that either do not exist in the NuGet repository, or exist there but were created after they were added to the solution, and those dependencies are not served from the private repositories configured in NuGet.Config files. See Enabling package source mapping in NuGet

You can configure the accepted private repositories in the private-repositories parameter.

Security

If the dependency does not exist in the NuGet repository, an attacker can create a public package with the same name and introduce the malicious code in your project.

If the dependency exists in the NuGet repository but was created after it was added to the solution, the attack may already have taken place, or you may have no control over the package with the same name published by a third party.

Examples

project.assets.json

  "MyPrivate.Dep/1.0.0": {
    "type": "package",
    ...
  },

You should configure the private repository for this package:

NuGet.Config

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
    <add key="private-repo.com" value="https://private-repo.com/packages/" />
  </packageSources>

  <packageSourceMapping>
    <!-- key value for <packageSource> should match key values from <packageSources> element -->
    <packageSource key="nuget.org">
      <package pattern="*" />
    </packageSource>
    <packageSource key="private-repo.com">
      <package pattern="MyPrivate.*" />
    </packageSource>
  </packageSourceMapping>
</configuration>

Mitigation / Fix

  1. Always use an internal private (proxy) NuGet repository and avoid public registries altogether. Ensure that all NuGet configurations use this registry and never a public one (there is an avoid-public-repostories-nuget rule to enforce this).

  2. Apply the package source mapping in NuGet to all private dependencies.
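The following is an added example, not code from the rule or the tool described on this page: a small offline check that reads a NuGet.Config and a project.assets.json, resolves each package through packageSourceMapping the way NuGet does (case-insensitive, most specific matching pattern wins, a trailing "*" is a prefix), and reports every package that still resolves to a public source or has no mapping at all. Those are the packages the Description's existence and creation-date checks would have to be run against; the ones pinned to a private source are out of scope for this rule. The config mirrors the Examples section above, with one constructed extra exact-name pattern (Shared.Logging); the assets entries, the extra package ids and the list of public hosts (only api.nuget.org) are assumptions constructed for the example.

```python
import json
import xml.etree.ElementTree as ET

# Constructed NuGet.Config: the page's example plus one exact-id pattern.
NUGET_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
    <add key="private-repo.com" value="https://private-repo.com/packages/" />
  </packageSources>
  <packageSourceMapping>
    <packageSource key="nuget.org">
      <package pattern="*" />
    </packageSource>
    <packageSource key="private-repo.com">
      <package pattern="MyPrivate.*" />
      <package pattern="Shared.Logging" />
    </packageSource>
  </packageSourceMapping>
</configuration>
"""

# Same sources but no packageSourceMapping at all: NuGet then asks every source.
NUGET_CONFIG_NO_MAPPING = NUGET_CONFIG.split("<packageSourceMapping>")[0] + "</configuration>\n"

# Constructed project.assets.json fragment (only the fields the check needs).
PROJECT_ASSETS = json.dumps({
    "version": 3,
    "libraries": {
        "MyPrivate.Dep/1.0.0": {"type": "package"},
        "Shared.Logging/2.1.0": {"type": "package"},
        "Newtonsoft.Json/13.0.3": {"type": "package"},
        "MyCompany.Internal.Tool/0.9.0": {"type": "package"},  # internal id, no mapping
        "MyProject/1.0.0": {"type": "project"},  # project reference, not a package
    },
})

# Assumption for the example: hosts treated as public registries.
PUBLIC_SOURCE_HOSTS = ("api.nuget.org",)


def parse_nuget_config(xml_text):
    """Return ({source_key: url}, {source_key: [pattern, ...]})."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    sources = {add.get("key"): add.get("value")
               for add in root.findall("./packageSources/add")}
    mapping = {ps.get("key"): [p.get("pattern") for p in ps.findall("package")]
               for ps in root.findall("./packageSourceMapping/packageSource")}
    return sources, mapping


def pattern_matches(pattern, package_id):
    """Package ids are case-insensitive; a trailing '*' is a prefix glob
    (bare '*' matches everything); any other pattern is an exact id."""
    pat, pid = pattern.lower(), package_id.lower()
    if pat.endswith("*"):
        return pid.startswith(pat[:-1])
    return pid == pat


def resolve_source(package_id, mapping):
    """Most specific (longest) matching pattern wins. Returns (source_key, pattern) or None."""
    best = None
    for source_key, patterns in mapping.items():
        for pattern in patterns:
            if pattern_matches(pattern, package_id) and (best is None or len(pattern) > len(best[1])):
                best = (source_key, pattern)
    return best


def is_public_source(url):
    return any(host in url for host in PUBLIC_SOURCE_HOSTS)


def find_unpinned_packages(assets_json, nuget_config_xml):
    """List (package_id, reason) for packages not pinned to a private source:
    the dependency-confusion candidates this rule is about."""
    sources, mapping = parse_nuget_config(nuget_config_xml)
    findings = []
    for name, lib in json.loads(assets_json).get("libraries", {}).items():
        if lib.get("type") != "package":
            continue  # project references are never fetched from a feed
        package_id = name.split("/", 1)[0]
        match = resolve_source(package_id, mapping)
        if match is None:
            findings.append((package_id, "no packageSourceMapping entry"))
        elif is_public_source(sources.get(match[0], "")):
            findings.append((package_id, f"maps to public source '{match[0]}' via pattern '{match[1]}'"))
    return findings


if __name__ == "__main__":
    for pkg, reason in find_unpinned_packages(PROJECT_ASSETS, NUGET_CONFIG):
        print(f"{pkg}: {reason}")
```

With the page's mapping, MyPrivate.Dep and Shared.Logging resolve to private-repo.com and are not reported, while Newtonsoft.Json and MyCompany.Internal.Tool fall through to the "*" pattern on nuget.org. Without a packageSourceMapping block every package is reported, which is the situation mitigation item 2 removes; a real scanner would then look up the reported ids on nuget.org to decide between "does not exist" and "exists but was created later".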