From d795482c1106f00fc440327a2a41c6517481d99b Mon Sep 17 00:00:00 2001
From: Foitn <marijnfeijten@live.nl>
Date: Mon, 29 Sep 2025 18:40:09 +0200
Subject: [PATCH] Normalize package source names when resolving environment
 variable credentials

---
 .../NuGet.Common/EnvironmentVariableWrapper.cs |  9 ++++++++-
 .../EnvironmentVariableWrapperTests.cs         | 18 ++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/src/NuGet.Core/NuGet.Common/EnvironmentVariableWrapper.cs b/src/NuGet.Core/NuGet.Common/EnvironmentVariableWrapper.cs
index 73c6f457daf..dfd569e8cc1 100644
--- a/src/NuGet.Core/NuGet.Common/EnvironmentVariableWrapper.cs
+++ b/src/NuGet.Core/NuGet.Common/EnvironmentVariableWrapper.cs
@@ -3,6 +3,7 @@
 
 using System;
 using System.Security;
+using System.Text.RegularExpressions;
 
 namespace NuGet.Common
 {
@@ -15,7 +16,7 @@ public class EnvironmentVariableWrapper : IEnvironmentVariableReader
             try
             {
 #pragma warning disable RS0030 // Do not use banned APIs
-                return Environment.GetEnvironmentVariable(variable);
+                return Environment.GetEnvironmentVariable(NormalizeSourceName(variable));
 #pragma warning restore RS0030 // Do not use banned APIs
             }
             catch (SecurityException)
@@ -23,5 +24,11 @@ public class EnvironmentVariableWrapper : IEnvironmentVariableReader
                 return null;
             }
         }
+
+        private static string NormalizeSourceName(string sourceName)
+        {
+            // Replace invalid env var chars with underscore
+            return Regex.Replace(sourceName, @"[^A-Za-z0-9_]", "_");
+        }
     }
 }
diff --git a/test/NuGet.Core.Tests/NuGet.Common.Test/EnvironmentVariableWrapperTests.cs b/test/NuGet.Core.Tests/NuGet.Common.Test/EnvironmentVariableWrapperTests.cs
index bfd12c13fc5..aadf7f2f799 100644
--- a/test/NuGet.Core.Tests/NuGet.Common.Test/EnvironmentVariableWrapperTests.cs
+++ b/test/NuGet.Core.Tests/NuGet.Common.Test/EnvironmentVariableWrapperTests.cs
@@ -41,5 +41,23 @@ public void GetEnvironmentVariable_WhenVariableExists_ReturnsValue()
 
             Assert.Equal(expectedValue, actualValue);
         }
+
+        [Theory]
+        [InlineData("Foo", "Foo")]
+        [InlineData("Foo.Bar", "Foo_Bar")]
+        [InlineData("Foo-Bar", "Foo_Bar")]
+        [InlineData("Foo Bar!", "Foo_Bar_")]
+        [InlineData("^Foo@Bar#", "_Foo_Bar_")]
+        public void GetEnvironmentVariable_WhenVariableIsNotNormalized_NormalizeValue(string sourceName, string normalizedSourceName)
+        {
+            var expectedValue = Guid.NewGuid().ToString();
+            var instance = EnvironmentVariableWrapper.Instance;
+
+            Environment.SetEnvironmentVariable(normalizedSourceName, expectedValue);
+
+            var actualValue = instance.GetEnvironmentVariable(sourceName);
+
+            Assert.Equal(expectedValue, actualValue);
+        }
     }
 }