
Commit 1f130f6

authored
Improve nupkg validation in NuGet.Protocol (#7284)
1 parent 5f97df1 commit 1f130f6

39 files changed

Lines changed: 783 additions & 35 deletions

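--- a/src/NuGet.Core/NuGet.Packaging/PackageExtractor.cs
+++ b/src/NuGet.Core/NuGet.Packaging/PackageExtractor.cs
@@ -466,6 +466,8 @@ public static async Task<bool> InstallFromSourceAsync(
 
                 using (var packageReader = new PackageArchiveReader(nupkgStream))
                 {
+                    ValidateExpectedPackage(packageIdentity, packageReader);
+
                     if (packageSaveMode.HasFlag(PackageSaveMode.Nuspec) || packageSaveMode.HasFlag(PackageSaveMode.Files))
                     {
                         telemetry.StartIntervalMeasure();
@@ -588,6 +590,22 @@ await VerifyPackageSignatureAsync(
             }
         }
 
+        private static void ValidateExpectedPackage(PackageIdentity packageIdentity, PackageArchiveReader packageReader)
+        {
+            PackageIdentity actualIdentity = packageReader.GetIdentity();
+            if (!PackageIdentityComparer.Default.Equals(packageIdentity, actualIdentity))
+            {
+                string message = string.Format(
+                    CultureInfo.InvariantCulture,
+                    Strings.ErrorPackageIdentityDoesNotMatch,
+                    packageIdentity.Id,
+                    packageIdentity.Version,
+                    actualIdentity.Id,
+                    actualIdentity.Version);
+                throw new PackagingException(message);
+            }
+        }
+
         /// <summary>
         /// Delete the target directory path and the temp nupkg path in case of a failed extraction.
         /// </summary>
@@ -948,6 +966,7 @@ public static async Task<IEnumerable<string>> CopySatelliteFilesAsync(
             {
                 using (var packageReader = new PackageArchiveReader(nupkgFilePath!))
                 {
+                    ValidateExpectedPackage(packageIdentity, packageReader);
                     return await CopySatelliteFilesAsync(
                         packageReader,
                         packagePathResolver,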
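Review bot: The new private method ValidateExpectedPackage (new line 593) carries no doc comment saying what it guards against, and the two call sites at new lines 469 and 969 give no hint either. A summary such as `/// <summary>Rejects a nupkg whose nuspec identity differs from the identity the caller requested, so a feed or cache cannot hand back a different package; throws <see cref="PackagingException"/> on mismatch.</summary>` would make the intent clear to the next maintainer. It would also help to state which notion of equality `PackageIdentityComparer.Default` applies here (presumably case-insensitive id and version equality without build metadata, but confirm against the comparer), since that decides in what respects a returned package may differ from the request and still be accepted. Both enclosing methods, InstallFromSourceAsync and CopySatelliteFilesAsync, start outside the hunks shown.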

src/NuGet.Core/NuGet.Packaging/Strings.Designer.cs

Lines changed: 10 additions & 1 deletion

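--- a/src/NuGet.Core/NuGet.Packaging/Strings.resx
+++ b/src/NuGet.Core/NuGet.Packaging/Strings.resx
@@ -887,4 +887,8 @@ Valid from:</comment>
 {2}</value>
     <comment>0 is a certificate subject, 1 is a certificate fingerprint, and 2 is a PEM-encoded certificate.</comment>
   </data>
+  <data name="ErrorPackageIdentityDoesNotMatch" xml:space="preserve">
+    <value>Expected package {0} {1}, but got package {2} {3}</value>
+    <comment>0 and 2 are package names, and 1 and 3 are versions numbers.</comment>
+  </data>
 </root>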
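Review bot: The translator comment at new line 892 reads `versions numbers` where `version numbers` is meant, i.e. `<comment>0 and 2 are package names, and 1 and 3 are version numbers.</comment>`. The same wording was copied verbatim into the `<note>` of every xlf file in this commit (Strings.cs.xlf through Strings.ko.xlf), so the fix here should be followed by regenerating those notes rather than editing them by hand.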

src/NuGet.Core/NuGet.Packaging/xlf/Strings.cs.xlf

Lines changed: 5 additions & 0 deletions
@@ -183,6 +183,11 @@
183183
<target state="translated">ID balíčku má prázdnou hodnotu nebo hodnotu null.</target>
184184
<note />
185185
</trans-unit>
186+
<trans-unit id="ErrorPackageIdentityDoesNotMatch">
187+
<source>Expected package {0} {1}, but got package {2} {3}</source>
188+
<target state="new">Expected package {0} {1}, but got package {2} {3}</target>
189+
<note>0 and 2 are package names, and 1 and 3 are versions numbers.</note>
190+
</trans-unit>
186191
<trans-unit id="ErrorPackageNotSigned">
187192
<source>The package is not signed.</source>
188193
<target state="translated">Balíček není podepsaný.</target>

src/NuGet.Core/NuGet.Packaging/xlf/Strings.de.xlf

Lines changed: 5 additions & 0 deletions
@@ -183,6 +183,11 @@
183183
<target state="translated">NULL oder leere Paket-ID.</target>
184184
<note />
185185
</trans-unit>
186+
<trans-unit id="ErrorPackageIdentityDoesNotMatch">
187+
<source>Expected package {0} {1}, but got package {2} {3}</source>
188+
<target state="new">Expected package {0} {1}, but got package {2} {3}</target>
189+
<note>0 and 2 are package names, and 1 and 3 are versions numbers.</note>
190+
</trans-unit>
186191
<trans-unit id="ErrorPackageNotSigned">
187192
<source>The package is not signed.</source>
188193
<target state="translated">Das Paket ist nicht signiert.</target>

src/NuGet.Core/NuGet.Packaging/xlf/Strings.es.xlf

Lines changed: 5 additions & 0 deletions
@@ -183,6 +183,11 @@
183183
<target state="translated">Id. de paquete vacío o nulo</target>
184184
<note />
185185
</trans-unit>
186+
<trans-unit id="ErrorPackageIdentityDoesNotMatch">
187+
<source>Expected package {0} {1}, but got package {2} {3}</source>
188+
<target state="new">Expected package {0} {1}, but got package {2} {3}</target>
189+
<note>0 and 2 are package names, and 1 and 3 are versions numbers.</note>
190+
</trans-unit>
186191
<trans-unit id="ErrorPackageNotSigned">
187192
<source>The package is not signed.</source>
188193
<target state="translated">El paquete no está firmado.</target>

src/NuGet.Core/NuGet.Packaging/xlf/Strings.fr.xlf

Lines changed: 5 additions & 0 deletions
@@ -183,6 +183,11 @@
183183
<target state="translated">ID de package null ou vide</target>
184184
<note />
185185
</trans-unit>
186+
<trans-unit id="ErrorPackageIdentityDoesNotMatch">
187+
<source>Expected package {0} {1}, but got package {2} {3}</source>
188+
<target state="new">Expected package {0} {1}, but got package {2} {3}</target>
189+
<note>0 and 2 are package names, and 1 and 3 are versions numbers.</note>
190+
</trans-unit>
186191
<trans-unit id="ErrorPackageNotSigned">
187192
<source>The package is not signed.</source>
188193
<target state="translated">Le package n'est pas signé.</target>

src/NuGet.Core/NuGet.Packaging/xlf/Strings.it.xlf

Lines changed: 5 additions & 0 deletions
@@ -183,6 +183,11 @@
183183
<target state="translated">ID pacchetto null o vuoto</target>
184184
<note />
185185
</trans-unit>
186+
<trans-unit id="ErrorPackageIdentityDoesNotMatch">
187+
<source>Expected package {0} {1}, but got package {2} {3}</source>
188+
<target state="new">Expected package {0} {1}, but got package {2} {3}</target>
189+
<note>0 and 2 are package names, and 1 and 3 are versions numbers.</note>
190+
</trans-unit>
186191
<trans-unit id="ErrorPackageNotSigned">
187192
<source>The package is not signed.</source>
188193
<target state="translated">Il pacchetto non è firmato.</target>

src/NuGet.Core/NuGet.Packaging/xlf/Strings.ja.xlf

Lines changed: 5 additions & 0 deletions
@@ -184,6 +184,11 @@
184184
<target state="translated">パッケージ ID が Null または空です</target>
185185
<note />
186186
</trans-unit>
187+
<trans-unit id="ErrorPackageIdentityDoesNotMatch">
188+
<source>Expected package {0} {1}, but got package {2} {3}</source>
189+
<target state="new">Expected package {0} {1}, but got package {2} {3}</target>
190+
<note>0 and 2 are package names, and 1 and 3 are versions numbers.</note>
191+
</trans-unit>
187192
<trans-unit id="ErrorPackageNotSigned">
188193
<source>The package is not signed.</source>
189194
<target state="translated">パッケージが署名されていません。</target>

src/NuGet.Core/NuGet.Packaging/xlf/Strings.ko.xlf

Lines changed: 5 additions & 0 deletions
@@ -183,6 +183,11 @@
183183
<target state="translated">패키지 ID가 Null이거나 비어 있습니다.</target>
184184
<note />
185185
</trans-unit>
186+
<trans-unit id="ErrorPackageIdentityDoesNotMatch">
187+
<source>Expected package {0} {1}, but got package {2} {3}</source>
188+
<target state="new">Expected package {0} {1}, but got package {2} {3}</target>
189+
<note>0 and 2 are package names, and 1 and 3 are versions numbers.</note>
190+
</trans-unit>
186191
<trans-unit id="ErrorPackageNotSigned">
187192
<source>The package is not signed.</source>
188193
<target state="translated">패키지가 서명되어 있지 않습니다.</target>
