Discover plugins installed using Net tools #5990
Conversation
dotnet-policy-service
bot
added
the
Status:No recent activity
|
This PR has been automatically marked as stale because it has no activity for 7 days. It will be closed if no further activity occurs within another 7 days of this comment. If it is closed, you may reopen it anytime when you're ready again, as long as you don't delete the branch. |
Nigusu-Allehu
removed
the
Status:No recent activity
…uGet/NuGet.Client into dev-nyenework-net-tools-plugin
Nigusu-Allehu
changed the title
test/NuGet.Core.Tests/NuGet.Protocol.Tests/Plugins/PluginDiscovererTests.cs
Outdated
Show resolved
Hide resolved
| { | ||
| if (IsValidPluginFile(file)) | ||
| { | ||
| var state = new Lazy<PluginFileState>(() => _verifier.IsValid(file.FullName) ? PluginFileState.Valid : PluginFileState.InvalidEmbeddedSignature); |
There was a problem hiding this comment.
.NET SDK recently enabled package signature verification for .NET tools. Hence, I think we can skip the _verifier.IsValid check because .NET tools are published as NuGet packages, which can be signed by the package author.
There was a problem hiding this comment.
Is the suggestion to not check the validity of the package and just assume it is valid?
There was a problem hiding this comment.
Yes, that is correct.
There was a problem hiding this comment.
From my understanding, isValid checks whether the file has a valid embedded signature or not. Even though we do expect the files that come from .Net tools to have a valid signature. Isn't possible some file that was not installed by .Net tools exists in the path and it does not have a valid signature. Or it could be a .Net tools package that has been tempered with and does not have a valid signature anymore.
There was a problem hiding this comment.
The "embedded signature" is an authenticode signature, which is not related to signed packages.
It typically costs hundreds of dollars a year to buy a code signing certificate, putting it out of reach for most non-corporate NuGet plugin developers. Even when a developer does have a certificate available for the production code, it's typically not available during development and debugging. I hit this today while trying to develop a new plugin, and I had to hardcode Valid state just to be able to develop the plugin.
At the very least we should add an environment variable to allow skipping the authenticode checks, so that plugin developers can actually develop. However, I'm in favour of removing the authenticode checks altogether. If someone wants to allow only signed executables to run on a Windows machine, they can configure it via group policy.
| string[] paths = Array.Empty<string>(); | ||
|
|
||
| // The path to the plugins installed using dotnet tools, should be specified in the NUGET_PLUGIN_PATHS environment variable. | ||
| paths = _environmentVariableReader.GetEnvironmentVariable("NUGET_PLUGIN_PATHS")?.Split(Path.PathSeparator) ?? Array.Empty<string>(); |
There was a problem hiding this comment.
If the NUGET_PLUGIN_PATHS environment variable is already set, the _rawpluginpaths parameter passed to the constructor will contain a list of paths to plugin executables that are installed as .NET tools going forward.
NuGet.Client/src/NuGet.Core/NuGet.Protocol/Plugins/PluginManager.cs
Lines 320 to 323 in fef6562
I think we should remove the logic in PluginManager for discovering .NET tool plugins because they have different verification logic. For example, the file name should start with nuget-plugin-*, the executable bit should be set for non-Windows platforms, and the file should have a .exe or .bat extension on Windows.
There was a problem hiding this comment.
I removed it and now the logic is
- If
NUGET_NETFX_PLUGIN_PATHSorNUGET_NETCORE_PLUGIN_PATHSare set, use them. - Otherwise if
NUGET_PLUGIN_PATHSis set, assume it is pointing to the directory that contains the dotnet tools installed plugins. If none of the env variables are set, go a head and scan for the plugins from the directories listed in PATH.
This limits NUGET_PLUGIN_PATHS to be used for .NET tools plugins only. Would that not be a problem for users who use it for non .NET tools plugins previously?
| (fileMode & UnixFileMode.GroupExecute) != 0 || | ||
| (fileMode & UnixFileMode.OtherExecute) != 0); | ||
| #else | ||
| return fileInfo.Exists && (fileInfo.Attributes & FileAttributes.ReparsePoint) == 0 && IsExecutable(fileInfo); |
There was a problem hiding this comment.
Please help me understand the reasoning behind the (fileInfo.Attributes & FileAttributes.ReparsePoint == 0) check. My internet search suggested it is related to symbolic links, etc., but I happy to learn more.
There was a problem hiding this comment.
You're right. I wanted to ensure the file both exists and is a real file (not a symbolic link) to minimize the risk of running malicious code. For example, imagine a symbolic link located in one of the directories listed in the user's PATH environment variable. The link has a name like nuget-plugin-*, making it appear like a normal plugin, but it actually points to a malicious file in a different directory. If we run that symlink, we unintentionally execute the malicious file from the other location. We could say it is up to the user to ensure there is no malicious files in the PATH folders. However, I don't see a reason why we should leave that vulnerability open.
| if (string.IsNullOrEmpty(_rawPluginPaths)) | ||
| { | ||
| // Nuget plugin configuration environmental variables were not used to discover the configuration files | ||
| _pluginFiles.AddRange(GetNetToolsPluginFiles()); |
There was a problem hiding this comment.
The XMLdoc for rawPluginPaths says:
The raw semicolon-delimited list of supposed plugin file paths
But I don't understand when the value will be null or not null, or where the value comes from, and therefore I'm having a hard time understanding why we look for .NET tool plugins only when it's empty.
Is rawPluginPaths the value of the NUGET_PLUGIN_PATHS or NUGET_NETFX_PLUGIN_PATHS environment variables when they're set?
| _pluginFiles = GetPluginFiles(cancellationToken); | ||
|
|
||
| if (string.IsNullOrEmpty(_rawPluginPaths)) | ||
| { | ||
| // Nuget plugin configuration environmental variables were not used to discover the configuration files | ||
| _pluginFiles.AddRange(GetNetToolsPluginFiles()); |
There was a problem hiding this comment.
Today, I've been trying to create a cred provider. I used the nuget-plugin-*.exe file convention, but setting NUGET_NETFX_PLUGIN_PATHS or NUGET_PLUGIN_PATHS to the bin directory of my project, or setting it to the full path of the exe itself, I couldn't get NuGet to use my plugin, without adding the project's bin directory to the path (and using your test branch for this feature that does execution, in addition to discovery). However, when doing this, it also discovered other cred providers I have installed, which was making debuggign my plugin much more difficult.
It can be done in a follow up, but I think there should be a way to disable normal plugin discovery, and only discover plugins I want. The NUGET_PLUGIN_PATHS environment variable appears to do that for the older discovery method, so there should be a way for this new one as well.
| { | ||
| if (IsValidPluginFile(file)) | ||
| { | ||
| var state = new Lazy<PluginFileState>(() => _verifier.IsValid(file.FullName) ? PluginFileState.Valid : PluginFileState.InvalidEmbeddedSignature); |
There was a problem hiding this comment.
The "embedded signature" is an authenticode signature, which is not related to signed packages.
It typically costs hundreds of dollars a year to buy a code signing certificate, putting it out of reach for most non-corporate NuGet plugin developers. Even when a developer does have a certificate available for the production code, it's typically not available during development and debugging. I hit this today while trying to develop a new plugin, and I had to hardcode Valid state just to be able to develop the plugin.
At the very least we should add an environment variable to allow skipping the authenticode checks, so that plugin developers can actually develop. However, I'm in favour of removing the authenticode checks altogether. If someone wants to allow only signed executables to run on a Windows machine, they can configure it via group policy.
nkolev92
added
the
Merge next release
Bug
Fixes: NuGet/Home#13740
Description
This PR makes sure NuGet discovers credential providers installed using .NET tools.
dotnet tool install --global should install the tool and add its path to the PATH environmental varibale. Iterate through all the paths in PATH and all the files in the path to find the plugins. By design, we expect these plugins to be named nuget-plugin*.
PR Checklist