
Downloading a Nuget package is giving the error “Package contains an entry which is unsafe for extraction” why?

We are running a private NuGet repository. Our build server creates NuGet packages from a couple of our framework projects and copies these packages into the repository. As of today we are receiving a weird error from NuGet when we try to restore some packages.

The package '[package name here]' contains an entry which is unsafe for extraction.

Unfortunately I didn't find anything on Google that was able to assist me.

My question is: What in a NuGet package is considered unsafe for extraction? Is there a list of entries that must not be part of a package?

The package of the current version looks like the package of the previous versions, which still can be retrieved via the NuGet manager. Or is this something that came along with the latest Visual Studio patch for 15.8.2?

UPDATE: In the meantime we found out that the problem appears in package manager 4.8.0.5385. In versions 4.7.* everything is working as expected. On nuget.org the latest recommended version of nuget.exe is 4.7.1! Unfortunately one doesn't have the option to opt out from updating the version, because it is installed with the latest Visual Studio patch for 15.8.2.

According to the NuGet source code, it looks like this occurs to prevent a ZIP traversal attack (sometimes called 'zip-slip').

Either your NuGet package contains a file that has a name that would cause it to be extracted in a bad location, or there is a bug in the NuGet client's way of determining that. If it's the latter, you would likely need to file a bug to get it fixed.
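To find out which entry in a package trips this kind of check, the entry names can be listed and tested for paths that resolve outside the extraction folder. The following is an added example, not code from the original posts and not NuGet's own implementation; the function names are hypothetical and the sample package is constructed in memory.

```python
import io
import posixpath
import zipfile


def is_unsafe_entry(name):
    """True if extracting `name` could write outside the target folder."""
    # A .nupkg is a ZIP archive; treat both separators alike, since the
    # client may run on Windows.
    unified = name.replace("\\", "/")
    if unified.startswith("/"):
        return True  # rooted path
    if len(unified) >= 2 and unified[0].isalpha() and unified[1] == ":":
        return True  # drive-qualified path such as C:/...
    # Collapse "." and ".." segments; a result that still starts with ".."
    # has climbed above the extraction root.
    resolved = posixpath.normpath(unified)
    return resolved == ".." or resolved.startswith("../")


def unsafe_entries(nupkg_bytes):
    """Return the raw names of all entries that fail the check."""
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as package:
        return [i.filename for i in package.infolist()
                if is_unsafe_entry(i.filename)]


def build_sample_package():
    """Constructed test package: three safe and three unsafe entry names."""
    names = [
        "Example.nuspec",
        "lib/net45/Example.dll",
        "content/a/../b.txt",           # ".." that stays inside the root
        "lib/net45/../../../evil.dll",  # climbs above the root
        "..\\tools\\init.ps1",          # backslash-separated traversal
        "/abs/file.txt",                # rooted path
    ]
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as package:
        for name in names:
            package.writestr(name, b"constructed sample data")
    return buffer.getvalue()


if __name__ == "__main__":
    for entry in unsafe_entries(build_sample_package()):
        print("unsafe entry:", entry)
```

If a real package shows no flagged entries under a check like this, that points toward the second possibility mentioned in the answer, a problem in the client's own detection.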
