Force package metadata URLs to be parsed as absolute URIs (#87)

joelverhagen · joelverhagen · commit 55f68e91da41 · 2019-08-13T09:18:26.000-07:00
See JamesNK/Newtonsoft.Json#2128 for more context. NuGet.Core always parses things as absolute URIs so it's not possible for strings only parsable as relative to it into the system. The weird case is something like `//fileserver/Framework/NuGet/server.png` which is parsable as both relative and absolute. Address NuGet/NuGetGallery#7414
diff --git a/src/NuGet.Server.Core/Infrastructure/JsonNetPackagesSerializer.cs b/src/NuGet.Server.Core/Infrastructure/JsonNetPackagesSerializer.cs
@@ -1,6 +1,7 @@
 // Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information. 
 
+using System;
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
@@ -18,7 +19,8 @@ public class JsonNetPackagesSerializer
         private readonly JsonSerializer _serializer = new JsonSerializer
         {
             Formatting = Formatting.None,
-            NullValueHandling = NullValueHandling.Ignore
+            NullValueHandling = NullValueHandling.Ignore,
+            Converters = { new AbsoluteUriConverter() },
         };
 
         public void Serialize(IEnumerable<ServerPackage> packages, Stream stream)
@@ -51,5 +53,54 @@ public IEnumerable<ServerPackage> Deserialize(Stream stream)
                 return packages.Packages;
             }
         }
+
+        /// <summary>
+        /// This is necessary because Newtonsoft.Json creates <see cref="Uri"/> instances with
+        /// <see cref="UriKind.RelativeOrAbsolute"/> which treats UNC paths as relative. NuGet.Core uses
+        /// <see cref="UriKind.Absolute"/> which treats UNC paths as absolute. For more details, see:
+        /// https://github.com/JamesNK/Newtonsoft.Json/issues/2128
+        /// </summary>
+        private class AbsoluteUriConverter : JsonConverter
+        {
+            public override bool CanConvert(Type objectType)
+            {
+                return objectType == typeof(Uri);
+            }
+
+            public override object ReadJson(JsonReader reader, Type objectType, object existingValue, JsonSerializer serializer)
+            {
+                if (reader.TokenType == JsonToken.Null)
+                {
+                    return null;
+                }
+                else if (reader.TokenType == JsonToken.String)
+                {
+                    return new Uri((string)reader.Value, UriKind.Absolute);
+                }
+
+                throw new JsonSerializationException("The JSON value must be a string.");
+            }
+
+            public override void WriteJson(JsonWriter writer, object value, JsonSerializer serializer)
+            {
+                if (value == null)
+                {
+                    writer.WriteNull();
+                    return;
+                }
+
+                if (!(value is Uri uriValue))
+                {
+                    throw new JsonSerializationException("The value must be a URI.");
+                }
+
+                if (!uriValue.IsAbsoluteUri)
+                {
+                    throw new JsonSerializationException("The URI value must be an absolute Uri. Relative URI instances are not allowed.");
+                }
+
+                writer.WriteValue(uriValue.OriginalString);
+            }
+        }
     }
 }
diff --git a/test/NuGet.Server.Core.Tests/JsonNetPackagesSerializerTests.cs b/test/NuGet.Server.Core.Tests/JsonNetPackagesSerializerTests.cs
@@ -14,6 +14,37 @@ namespace NuGet.Server.Core.Tests
 {
     public class JsonNetPackagesSerializerTests
     {
+        [Fact]
+        public void RoundTripsUncPaths()
+        {
+            var originalPackages = GenerateServerPackages(1);
+            var originalPackage = originalPackages.Single();
+            originalPackage.IconUrl = new Uri("//testunc/test/a", UriKind.Absolute);
+            originalPackage.LicenseUrl = new Uri("//testunc/test/b", UriKind.Absolute);
+            originalPackage.ProjectUrl = new Uri("//testunc/test/c", UriKind.Absolute);
+            originalPackage.ReportAbuseUrl = new Uri("//testunc/test/d", UriKind.Absolute);
+            var serializer = new JsonNetPackagesSerializer();
+
+            // Act
+            var deserializedPackages = new List<ServerPackage>();
+            using (var memoryStream = new MemoryStream())
+            {
+                serializer.Serialize(originalPackages, memoryStream);
+
+                memoryStream.Position = 0;
+
+                deserializedPackages.AddRange(serializer.Deserialize(memoryStream));
+            }
+
+            // Assert
+            AssertPackagesAreEqual(originalPackages, deserializedPackages);
+            var deserializedPackage = deserializedPackages.Single();
+            Assert.True(deserializedPackage.IconUrl.IsAbsoluteUri, "The icon URL should still be absolute.");
+            Assert.True(deserializedPackage.LicenseUrl.IsAbsoluteUri, "The license URL should still be absolute.");
+            Assert.True(deserializedPackage.ProjectUrl.IsAbsoluteUri, "The project URL should still be absolute.");
+            Assert.True(deserializedPackage.ReportAbuseUrl.IsAbsoluteUri, "The report abuse URL should still be absolute.");
+        }
+
         [Fact]
         public void TestSerializationRoundTrip()
         {
@@ -33,14 +64,25 @@ public void TestSerializationRoundTrip()
             }
 
             // Assert
+            AssertPackagesAreEqual(originalPackages, deserializedPackages);
+        }
+
+        private static void AssertPackagesAreEqual(List<ServerPackage> originalPackages, List<ServerPackage> deserializedPackages)
+        {
             Assert.Equal(originalPackages.Count, deserializedPackages.Count);
             for (var i = 0; i < originalPackages.Count; i++)
             {
-                Assert.True(PublicPropertiesEqual(originalPackages[i], deserializedPackages[i], "DependencySets", "FrameworkAssemblies", "PackageAssemblyReferences", "AssemblyReferences"));
+                AssertPublicPropertiesEqual(
+                    originalPackages[i],
+                    deserializedPackages[i],
+                    "DependencySets",
+                    "FrameworkAssemblies",
+                    "PackageAssemblyReferences",
+                    "AssemblyReferences");
             }
         }
 
-        private static bool PublicPropertiesEqual<T>(T a, T b, params string[] ignoreProperties) where T : class
+        private static void AssertPublicPropertiesEqual<T>(T a, T b, params string[] ignoreProperties) where T : class
         {
             if (a != null && b != null)
             {
@@ -55,15 +97,15 @@ private static bool PublicPropertiesEqual<T>(T a, T b, params string[] ignorePro
 
                         if (selfValue != toValue && (selfValue == null || !selfValue.Equals(toValue)) && !(selfValue is IEnumerable))
                         {
-                            return false;
+                            Assert.False(true, $"The property '{pi.Name}' is not equal.");
                         }
                     }
                 }
 
-                return true;
+                return;
             }
 
-            return a == b;
+            Assert.Equal(a, b);
         }
 
         private static List<ServerPackage> GenerateServerPackages(int count)

Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,37 @@ namespace NuGet.Server.Core.Tests`
`14`	`14`	`{`
`15`	`15`	`public class JsonNetPackagesSerializerTests`
`16`	`16`	`{`
	`17`	`+ [Fact]`
	`18`	`+ public void RoundTripsUncPaths()`
	`19`	`+ {`
	`20`	`+ var originalPackages = GenerateServerPackages(1);`
	`21`	`+ var originalPackage = originalPackages.Single();`
	`22`	`+ originalPackage.IconUrl = new Uri("//testunc/test/a", UriKind.Absolute);`
	`23`	`+ originalPackage.LicenseUrl = new Uri("//testunc/test/b", UriKind.Absolute);`
	`24`	`+ originalPackage.ProjectUrl = new Uri("//testunc/test/c", UriKind.Absolute);`
	`25`	`+ originalPackage.ReportAbuseUrl = new Uri("//testunc/test/d", UriKind.Absolute);`
	`26`	`+ var serializer = new JsonNetPackagesSerializer();`
	`27`	`+`
	`28`	`+ // Act`
	`29`	`+ var deserializedPackages = new List<ServerPackage>();`
	`30`	`+ using (var memoryStream = new MemoryStream())`
	`31`	`+ {`
	`32`	`+ serializer.Serialize(originalPackages, memoryStream);`
	`33`	`+`
	`34`	`+ memoryStream.Position = 0;`
	`35`	`+`
	`36`	`+ deserializedPackages.AddRange(serializer.Deserialize(memoryStream));`
	`37`	`+ }`
	`38`	`+`
	`39`	`+ // Assert`
	`40`	`+ AssertPackagesAreEqual(originalPackages, deserializedPackages);`
	`41`	`+ var deserializedPackage = deserializedPackages.Single();`
	`42`	`+ Assert.True(deserializedPackage.IconUrl.IsAbsoluteUri, "The icon URL should still be absolute.");`
	`43`	`+ Assert.True(deserializedPackage.LicenseUrl.IsAbsoluteUri, "The license URL should still be absolute.");`
	`44`	`+ Assert.True(deserializedPackage.ProjectUrl.IsAbsoluteUri, "The project URL should still be absolute.");`
	`45`	`+ Assert.True(deserializedPackage.ReportAbuseUrl.IsAbsoluteUri, "The report abuse URL should still be absolute.");`
	`46`	`+ }`
	`47`	`+`
`17`	`48`	`[Fact]`
`18`	`49`	`public void TestSerializationRoundTrip()`
`19`	`50`	`{`
`@@ -33,14 +64,25 @@ public void TestSerializationRoundTrip()`
`33`	`64`	`}`
`34`	`65`
`35`	`66`	`// Assert`
	`67`	`+ AssertPackagesAreEqual(originalPackages, deserializedPackages);`
	`68`	`+ }`
	`69`	`+`
	`70`	`+ private static void AssertPackagesAreEqual(List<ServerPackage> originalPackages, List<ServerPackage> deserializedPackages)`
	`71`	`+ {`
`36`	`72`	`Assert.Equal(originalPackages.Count, deserializedPackages.Count);`
`37`	`73`	`for (var i = 0; i < originalPackages.Count; i++)`
`38`	`74`	`{`
`39`		`- Assert.True(PublicPropertiesEqual(originalPackages[i], deserializedPackages[i], "DependencySets", "FrameworkAssemblies", "PackageAssemblyReferences", "AssemblyReferences"));`
	`75`	`+ AssertPublicPropertiesEqual(`
	`76`	`+ originalPackages[i],`
	`77`	`+ deserializedPackages[i],`
	`78`	`+ "DependencySets",`
	`79`	`+ "FrameworkAssemblies",`
	`80`	`+ "PackageAssemblyReferences",`
	`81`	`+ "AssemblyReferences");`
`40`	`82`	`}`
`41`	`83`	`}`
`42`	`84`
`43`		`- private static bool PublicPropertiesEqual<T>(T a, T b, params string[] ignoreProperties) where T : class`
	`85`	`+ private static void AssertPublicPropertiesEqual<T>(T a, T b, params string[] ignoreProperties) where T : class`
`44`	`86`	`{`
`45`	`87`	`if (a != null && b != null)`
`46`	`88`	`{`
`@@ -55,15 +97,15 @@ private static bool PublicPropertiesEqual<T>(T a, T b, params string[] ignorePro`
`55`	`97`
`56`	`98`	`if (selfValue != toValue && (selfValue == null \|\| !selfValue.Equals(toValue)) && !(selfValue is IEnumerable))`
`57`	`99`	`{`
`58`		`- return false;`
	`100`	`+ Assert.False(true, $"The property '{pi.Name}' is not equal.");`
`59`	`101`	`}`
`60`	`102`	`}`
`61`	`103`	`}`
`62`	`104`
`63`		`- return true;`
	`105`	`+ return;`
`64`	`106`	`}`
`65`	`107`
`66`		`- return a == b;`
	`108`	`+ Assert.Equal(a, b);`
`67`	`109`	`}`
`68`	`110`
`69`	`111`	`private static List<ServerPackage> GenerateServerPackages(int count)`