
📦🏴‍☠️ NuGet package that shows we can run arbitrary code from any NuGet package


augustoproiete/i-am-root-nuget-package


IAmRoot NuGet Package

This project demonstrates that any NuGet package can run arbitrary code on your machine.


TL;DR: Installing NuGet packages is (and has always been) a security risk, and you should only install packages from trusted sources and trusted authors.

Background

NuGet used to support PowerShell scripts that could be run manually by developers, or run automatically by NuGet, for example after packages were installed (install.ps1) or uninstalled (uninstall.ps1). This was useful for packages that needed to perform an initial setup and clean things up afterwards on uninstall.

With NuGet v3 and PackageReference, PowerShell script support was modified to no longer execute install and uninstall scripts, with one of the reasons being that they are tightly coupled to Visual Studio and inherently not cross-platform.

Microsoft didn't provide any real alternative or migration path from install.ps1, causing frustration among developers. In September of 2017 the NuGet team started tracking an issue to come up with a strategy for packages that have install.ps1/uninstall.ps1, which, as of this writing over two years later, doesn't seem to have made any progress.

In discussions, many developers seem to have the false sense that installing NuGet packages became a "safe" operation after Microsoft dropped support for executing PowerShell scripts (e.g. install.ps1), which is not true.

Installing NuGet packages is (and has always been) a security risk, and you should only install packages from trusted sources and trusted authors.

How to Run 🚀

Add the IAmRoot package from nuget.org in any project:

> dotnet add package IAmRoot

or

PM> Install-Package IAmRoot

Build the project where the IAmRoot NuGet package was installed.

Your default internet browser should open and display the "I Am Root" image.
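The steps above run the package's code at build time, but the page does not describe the mechanism. This added example (not part of the IAmRoot project) assumes the documented NuGet convention that .props/.targets files under a package's build folders are imported into the consuming project, and inspects a .nupkg for them before it is installed. The package name Demo.Pkg and its contents are constructed sample data.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Package folders whose MSBuild files NuGet imports into the consuming project.
BUILD_DIRS = ("build/", "buildtransitive/", "buildmultitargeting/")

def audit_nupkg(data):
    """Return {entry: findings} for build-time MSBuild files inside a .nupkg."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            low = name.lower()
            if not low.startswith(BUILD_DIRS) or not low.endswith((".props", ".targets")):
                continue
            try:
                root = ET.fromstring(pkg.read(name))
            except ET.ParseError:
                report[name] = ["unparseable XML, review by hand"]
                continue
            findings = set()
            for el in root.iter():
                tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace, if any
                if tag == "Exec":  # runs a shell command during the build
                    findings.add("Exec: " + el.get("Command", ""))
                elif tag == "UsingTask":  # loads task code from an assembly or factory
                    findings.add("UsingTask: " + (el.get("TaskFactory") or el.get("AssemblyFile") or ""))
            report[name] = sorted(findings) or ["imported, no Exec/UsingTask"]
    return report

def make_pkg(files):
    """Build a constructed in-memory .nupkg (a zip archive) from {path: text}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, text in files.items():
            z.writestr(path, text)
    return buf.getvalue()

# Constructed sample: a harmless package that echoes a string on every build.
SAMPLE = make_pkg({
    "lib/netstandard2.0/Demo.Pkg.dll": "",
    "build/Demo.Pkg.targets":
        '<Project><Target Name="Hello" BeforeTargets="Build">'
        '<Exec Command="echo constructed sample" /></Target></Project>',
})

if __name__ == "__main__":
    for entry, findings in audit_nupkg(SAMPLE).items():
        print(entry, findings)
```

This is a triage heuristic: an empty report means the package ships no build-time MSBuild files in those folders, not that its assemblies are safe to load or run.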

Release History

Click on the Releases tab on GitHub.


Copyright © 2019-2023 C. Augusto Proiete & Contributors - Provided under the Apache License, Version 2.0. Groot logo is a derivative of work by Vectto (original).