Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/augustoproiete/i-am-root-nuget-package
📦🏴☠️ NuGet package that shows we can run arbitrary code from any NuGet package
https://github.com/augustoproiete/i-am-root-nuget-package
code groot hacktoberfest i-am-root iamroot nuget powershell root security
Last synced: 4 days ago
JSON representation
📦🏴☠️ NuGet package that shows we can run arbitrary code from any NuGet package
- Host: GitHub
- URL: https://github.com/augustoproiete/i-am-root-nuget-package
- Owner: augustoproiete
- License: apache-2.0
- Created: 2019-11-12T01:16:33.000Z (almost 5 years ago)
- Default Branch: master
- Last Pushed: 2024-10-24T18:54:40.000Z (12 days ago)
- Last Synced: 2024-10-25T21:07:20.017Z (11 days ago)
- Topics: code, groot, hacktoberfest, i-am-root, iamroot, nuget, powershell, root, security
- Language: C#
- Homepage:
- Size: 271 KB
- Stars: 25
- Watchers: 2
- Forks: 3
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGES.md
- Funding: .github/FUNDING.yml
- License: LICENSE
- Codeowners: CODEOWNERS
Awesome Lists containing this project
README
| README.md |
|:---|
IAmRoot NuGet Package
This project demonstrates that any NuGet package can run arbitrary code on your machine.
[](https://www.nuget.org/packages/IAmRoot/) [](http://stackoverflow.com/questions/tagged/nuget)
> TL;DR; Installing NuGet packages **is** (_and have always been_) a security risk, and you should only install packages from trusted sources and trusted authors.
## Background
NuGet used to support PowerShell scripts that could be run manually by developers, or run automatically by NuGet, for example, after packages were installed (`install.ps1`) or uninstalled (`uninstall.ps1`), which was useful for packages that needed to perform an initial setup and clean-up things after, on uninstall.
With [NuGet v3](https://devblogs.microsoft.com/nuget/NuGet-3-What-and-Why/) and [`PackageReference`](https://devblogs.microsoft.com/nuget/NuGet-now-fully-integrated-into-MSBuild/), PowerShell script support was modified to no longer execute install and uninstall scripts, with one of the reasons being that they are [tightly-coupled to Visual Studio, and inheritantly not cross platform](https://twitter.com/terrajobst/status/1168206087402610688).
Microsoft didn't provide any real alternative or migration path from `install.ps1` causing [frustration](https://github.com/NuGet/Home/issues/6330) among developers and in September of 2017 the NuGet team started tracking an issue to [come up with a strategy for packages that have install.ps1/uninstall.ps1](https://github.com/NuGet/Home/issues/5963) which, as of this writing over two years later, didn't seem to have any progress.
In [discussions](https://github.com/NuGet/Home/issues/6330), **many developers seem to have the false sense that installing NuGet packages became a "safe" operation after Microsoft dropped support for executing PowerShell scripts (e.g. `install.ps1`), which is not true**.
> Installing NuGet packages **is** (_and have always been_) a security risk, and you should only install packages from trusted sources and trusted authors.
## How to Run :rocket:
Add the **[IAmRoot](https://www.nuget.org/packages/IAmRoot/)** package from [nuget.org](https://www.nuget.org/packages/IAmRoot/) in any project:
```powershell
> dotnet add package IAmRoot
```
or
```powershell
PM> Install-Package IAmRoot
```
Build the project where the `IAmRoot` NuGet package was installed:
Your default internet browser should open and display the image below:
## Release History
Click on the [Releases](https://github.com/augustoproiete/i-am-root-nuget-package/releases) tab on GitHub.
---
_Copyright © 2019-2023 C. Augusto Proiete & Contributors - Provided under the [Apache License, Version 2.0](LICENSE). Groot logo is a derivative of work by [Vectto](https://www.iconfinder.com/vectto) ([original](https://www.iconfinder.com/icons/2624888/fighting_free_free_groot_super_hero_icon))._