What security restrictions are placed on PowerShell scripts run during a NuGet package install/init?
When you install a package from NuGet, it can run some PowerShell scripts to set things up (such as exporting commands to be used in the Package Manager console).
I'm trying (and failing) to find details of what these scripts can/can't do. Specifically - should we be worried about malicious code in these? Can they read the filesystem, send web requests, etc.?
When NuGet sets up the PowerShell host, it checks to see what the current ExecutionPolicy is. If it is not Unrestricted, RemoteSigned, or Bypass, it forces the ExecutionPolicy to RemoteSigned for the current process (devenv.exe).
PowerShell does not see the embedded scripts init.ps1, install.ps1, etc. as being downloaded from the Internet, so there is nothing preventing a malicious script from doing anything on your machine that your account has permissions to do.
At this point, all NuGet package creators are pretty much on the "honor" system. I believe Ruby Gems have a similar situation.
NuGet does have the ability to use private package sources, so if security is critical, I suggest you download and vet all packages, and only allow installing packages from these trusted sources.
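For the vetting step suggested above, an added example (not part of the original answer and not NuGet's own code) that inventories the PowerShell scripts inside a .nupkg by reading the archive directly, so nothing from the package is executed. The function name `Get-NuGetPackageScript` and the sample package are hypothetical and constructed for illustration.

```powershell
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-NuGetPackageScript {
    param([Parameter(Mandatory)][string]$Path)
    # Resolve first: .NET's working directory can differ from the PowerShell location
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $zip = [System.IO.Compression.ZipFile]::OpenRead($full)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.FullName -notmatch '\.(ps1|psm1)$') { continue }
            # Copy the entry into memory; it is never written to disk or run
            $ms = New-Object System.IO.MemoryStream
            $in = $entry.Open()
            try { $in.CopyTo($ms) } finally { $in.Dispose() }
            $text = [System.Text.Encoding]::UTF8.GetString($ms.ToArray())
            $ms.Position = 0
            [pscustomobject]@{
                Package     = Split-Path -Leaf $full
                Script      = $entry.FullName
                # init.ps1 / install.ps1 / uninstall.ps1 are the scripts NuGet invokes itself
                AutoRun     = $entry.Name -match '^(init|install|uninstall)\.ps1$'
                Bytes       = $ms.Length
                SHA256      = (Get-FileHash -InputStream $ms -Algorithm SHA256).Hash
                # Presence of a signature block only; the signature is NOT validated here
                HasSigBlock = $text -match '# SIG # Begin signature block'
            }
            $ms.Dispose()
        }
    } finally { $zip.Dispose() }
}

# Constructed sample package so the example runs offline (hypothetical name and contents)
$pkg = Join-Path ([System.IO.Path]::GetTempPath()) 'Sample.Constructed.1.0.0.nupkg'
if (Test-Path -LiteralPath $pkg) { Remove-Item -LiteralPath $pkg }
$out = [System.IO.Compression.ZipFile]::Open($pkg, 'Create')
try {
    foreach ($name in 'tools/init.ps1', 'tools/install.ps1', 'lib/net45/Sample.dll') {
        $w = New-Object System.IO.StreamWriter($out.CreateEntry($name).Open())
        $w.Write("# constructed placeholder for $name"); $w.Dispose()
    }
} finally { $out.Dispose() }

Get-NuGetPackageScript -Path $pkg | Format-Table -AutoSize
```

Recording the SHA256 of each reviewed script lets a private package source reject a later package version whose scripts no longer match what was vetted.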
I'll defer to someone from the NuGet team, but I'm almost certain they run under the current execution policy.
Here's a clip from my own nuget console:
PM> Get-ExecutionPolicy
RemoteSigned
If I open PowerShell as an admin and change the execution policy, nuget reports the change:
PM> Get-ExecutionPolicy
Restricted
In sum, whatever execution policy you've got on your default host also applies to the nuget console.
When you download a script from the internet, unless it is installed with a setup program where you have given it escalated permissions to install, the scripts are marked as blocked. You have to authorize (unblock) them by right clicking on the scripts and choosing the button Unblock.