diff --git a/docs/core/tools/dotnet-tool-install.md b/docs/core/tools/dotnet-tool-install.md index 7aba847853310..d8ea2002dba2d 100644 --- a/docs/core/tools/dotnet-tool-install.md +++ b/docs/core/tools/dotnet-tool-install.md @@ -50,6 +50,9 @@ The `dotnet tool install` command provides a way for you to install .NET tools o * To install a global tool in a custom location, use the `--tool-path` option. * To install a local tool, omit the `--global` and `--tool-path` options. +> [!WARNING] +> Make sure the directory you specify with the `--tool-path` option is secure. Tools installed in this location can be executed directly, so using an untrusted or shared path might introduce security risks. + ## Installation locations ### Global tools @@ -121,6 +124,11 @@ For more information, see [Install a local tool](global-tools.md#install-a-local For more information on how manifests are located, see [Install a local tool](global-tools.md#install-a-local-tool). + Starting in .NET 10, this flag is applied automatically if no tools manifest is found. + + > [!WARNING] + > Don't run tool commands from the **Downloads** folder or any shared location. The CLI walks up the directory tree to find a tool manifest, which might cause it to use a manifest you don't expect. Always run tool commands from a trusted, project-specific directory. + - **`--disable-parallel`** Prevent restoring multiple projects in parallel. diff --git a/docs/core/tools/global-tools-how-to-create.md b/docs/core/tools/global-tools-how-to-create.md index e1f69e8e8e623..5b01fc341b93e 100644 --- a/docs/core/tools/global-tools-how-to-create.md +++ b/docs/core/tools/global-tools-how-to-create.md 
@@ -177,6 +177,9 @@ Before you can pack and distribute the application as a tool, you need to modify `` is an optional element that specifies the command that will invoke the tool after it's installed. If this element isn't provided, the command name for the tool is the assembly name, which is typically the project file name without the *.csproj* extension. + > [!NOTE] + > Choose a unique value for ``. Avoid using file extensions (like `.exe` or `.cmd`) because the tool is installed as an app host and the command should not include an extension. This helps prevent conflicts with existing commands and ensures a smooth installation experience. + `` is an optional element that determines where the NuGet package will be produced. The NuGet package is what the .NET CLI uses to install your tool. The project file now looks like the following example: diff --git a/docs/core/tools/global-tools.md b/docs/core/tools/global-tools.md index 611a54c1195bb..1fdcfafa9989d 100644 --- a/docs/core/tools/global-tools.md +++ b/docs/core/tools/global-tools.md @@ -108,6 +108,9 @@ dotnet new tool-manifest This command creates a manifest file named *dotnet-tools.json* under the *.config* directory. To add a local tool to the manifest file, use the [dotnet tool install](dotnet-tool-install.md) command and **omit** the `--global` and `--tool-path` options, as shown in the following example: +> [!WARNING] +> Make sure the tool manifest file is stored in a controlled location. The .NET CLI launches local tools with `dotnet tool run` based on the contents of the tool manifest. If the manifest is modified by an untrusted party, it could cause the CLI to run malicious code. + ```dotnetcli dotnet tool install dotnetsay ```
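Review bot: In docs/core/tools/dotnet-tool-install.md, hunk @@ -50,6 +50,9 @@, the new warning asks for a "secure" directory but never says what property makes a directory secure. The text already gives the reason ("Tools installed in this location can be executed directly"), so state the requirement concretely, for example that the `--tool-path` directory should be writable only by the account that installs and runs the tools. "Untrusted or shared path" could then be kept as the counter-example rather than carrying the whole definition.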
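Review bot: In docs/core/tools/dotnet-tool-install.md, hunk @@ -121,6 +124,11 @@, the closing advice "Always run tool commands from a trusted, project-specific directory" does not cover the case described in the sentence before it. Because the CLI walks up the directory tree, a trusted working directory that has no manifest of its own still resolves to whatever manifest sits in a parent directory. Suggest saying that the working directory should contain the manifest you intend to use, or that its parent directories must be trusted as well. Separately, "this flag" in the added .NET 10 sentence directly follows a sentence about how manifests are located, so name the option explicitly there.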
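Review bot: In docs/core/tools/global-tools-how-to-create.md, hunk @@ -177,6 +177,9 @@, the added note says "Choose a unique value" without saying unique relative to what, and it ends on "ensures a smooth installation experience", which gives the reader nothing to act on. Suggest stating what the command name must not collide with (the text already points at "existing commands") and dropping the closing clause. The note also mixes two separate points, the extension guidance and the uniqueness guidance; splitting them into two sentences with one reason each would make it clear which reason belongs to which rule. The other callouts in this change use [!WARNING], so if the collision concern is meant as a security point, use the same callout level here.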
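Review bot: In docs/core/tools/global-tools.md, hunk @@ -108,6 +108,9 @@, the warning is inserted between the sentence ending "as shown in the following example:" and the `dotnetcli` block it introduces, so the lead-in no longer sits next to its example. Move the callout above that paragraph or below the code block. In the warning text itself, "controlled location" is vague; since the stated risk is "If the manifest is modified by an untrusted party", say directly that the manifest and its *.config* directory should not be writable by anyone other than the people trusted to choose the project's tools.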