Nuget Package Upload Security

TL;DR

Uploading packages to Nuget can be risky if not done correctly. This guide shows you how to check for common vulnerabilities and improve your security.

Checking for Nuget Package Upload Vulnerabilities

  1. Understand the Risks
    • Typosquatting: Attackers upload packages with names similar to popular ones, hoping users make a mistake.
    • Package Confusion (also known as dependency confusion): Internal package sources can be accidentally prioritised over public Nuget if configurations are wrong.
    • Compromised Accounts: An attacker gaining control of your Nuget account could publish malicious packages.
    • Malicious Packages: Packages containing harmful code.
  2. Verify Package Source
    • Always confirm the package source before installing. Check the author and repository URL on the Nuget website.
  3. Check for Package Signing
    • Packages should be signed by a trusted publisher. Look for the verified badge on the Nuget page.
    • Use the dotnet CLI to verify a downloaded package's signatures locally before installing it:
    dotnet nuget verify MyPackage.1.0.0.nupkg
  4. Review Package Dependencies
    • Examine the dependencies of any package you install. Unexpected or unknown dependencies are a red flag.
    • Use dependency analysis tools (see Step 8).
  5. Implement NuGet Configuration Best Practices
    • Package Source Order: Ensure your public Nuget feed is prioritised over any internal feeds unless specifically intended. Check the order of the sources in your nuget.config file. Example:
    <packageSources>
      <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
      <add key="MyInternalFeed" value="http://internalfeedurl" protocolVersion="3" />
    </packageSources>
    • API Key Security: Store your Nuget API keys securely (e.g., using environment variables or a secrets manager). Never commit them to source control!
  6. Enable Two-Factor Authentication (2FA)
    • Protect your Nuget account with 2FA for an extra layer of security.
  7. Regularly Audit Your Published Packages
    • Review the packages you’ve published to ensure they haven’t been tampered with.
    • Monitor for unusual activity on your Nuget account.
  8. Use Dependency Analysis Tools
    • Tools like Snyk or Sonatype Nexus Lifecycle can automatically scan your dependencies for known vulnerabilities.
  9. Consider a Private Nuget Feed
    • For internal packages, using a private feed (e.g., Azure Artifacts, Artifactory) gives you more control and security.
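The configuration checks above (source order, feed transport, and keeping API keys out of the file) can be automated. The script below is an added example, not code from the original post: it parses a nuget.config, reports any feed served over plain http, a feed other than nuget.org listed first, a missing packageSourceMapping section (which pins package ids to a feed), and an apikeys element stored in the file. The sample config is constructed for this example and deliberately contains each weakness.

```python
"""Audit a nuget.config for the weak settings discussed in this guide."""
import xml.etree.ElementTree as ET

# Constructed sample: the internal feed is listed first, served over plain http,
# and an API key has been stored in the config (all things to avoid).
SAMPLE_CONFIG = """<configuration>
  <packageSources>
    <add key="MyInternalFeed" value="http://internalfeedurl" protocolVersion="3" />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
  </packageSources>
  <apikeys>
    <add key="https://api.nuget.org/v3/index.json" value="PLACEHOLDER-DO-NOT-COMMIT" />
  </apikeys>
</configuration>
"""


def audit_nuget_config(xml_text: str) -> list:
    """Return a list of findings (empty list means no weak setting was found)."""
    root = ET.fromstring(xml_text)
    findings = []
    sources = [(add.get("key"), add.get("value"))
               for add in root.findall("./packageSources/add")]

    # A feed fetched over plain http can be tampered with in transit.
    for key, url in sources:
        if url and url.lower().startswith("http://"):
            findings.append(f"insecure feed: '{key}' is served over plain http")

    # Step 5: the public feed should be listed first unless you intend otherwise.
    if sources and sources[0][0] != "nuget.org":
        findings.append(f"source order: '{sources[0][0]}' is listed before nuget.org")

    # Without packageSourceMapping every feed is asked for every package id,
    # which is what makes package confusion possible.
    if root.find("./packageSourceMapping") is None:
        findings.append("no packageSourceMapping: package ids are not pinned to a feed")

    # Step 5: API keys belong in a secrets manager, not in a committed config.
    if root.find("./apikeys") is not None:
        findings.append("apikeys element present: credentials are stored in the config")
    return findings


if __name__ == "__main__":
    for finding in audit_nuget_config(SAMPLE_CONFIG):
        print("WARNING:", finding)
```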
