Verify nuspec file size (#7038)

xavierdecoster · web-flow · commit 4d1e4371712f · 2019-04-03T19:20:10.000+02:00
diff --git a/src/NuGetGallery/Services/PackageUploadService.cs b/src/NuGetGallery/Services/PackageUploadService.cs
@@ -100,6 +100,15 @@ public async Task<PackageValidationResult> ValidateBeforeGeneratePackageAsync(Pa
                 return result;
             }
 
+            var nuspecFileEntry = nuGetPackage.GetEntry(nuGetPackage.GetNuspecFile());
+            using (var nuspecFileStream = await nuGetPackage.GetNuspecAsync(CancellationToken.None))
+            {
+                if (!await IsStreamLengthMatchesReportedAsync(nuspecFileStream, nuspecFileEntry.Length))
+                {
+                    return PackageValidationResult.Invalid(Strings.UploadPackage_CorruptNupkg);
+                }
+            }
+
             result = await CheckForUnsignedPushAfterAuthorSignedAsync(
                 nuGetPackage,
                 warnings);
@@ -225,7 +234,7 @@ private async Task<PackageValidationResult> CheckLicenseMetadataAsync(PackageArc
                 {
                     return PackageValidationResult.Invalid(new InvalidUrlEncodingForLicenseUrlValidationMessage());
                 }
-                
+
                 if (licenseMetadata.Type == LicenseType.File)
                 {
                     return PackageValidationResult.Invalid(
diff --git a/tests/NuGetGallery.Core.Facts/TestUtils/TestPackage.cs b/tests/NuGetGallery.Core.Facts/TestUtils/TestPackage.cs
@@ -106,9 +106,9 @@ private static string WriteRepositoryMetadata(RepositoryMetadata repositoryMetad
         {
             return repositoryMetadata == null
                 ? string.Empty
-                : "<repository type=\"" + repositoryMetadata.Type + "\" " + 
-                                "url =\"" + repositoryMetadata.Url + "\" " + 
-                                "commit=\"" + repositoryMetadata.Commit + "\" " + 
+                : "<repository type=\"" + repositoryMetadata.Type + "\" " +
+                                "url =\"" + repositoryMetadata.Url + "\" " +
+                                "commit=\"" + repositoryMetadata.Commit + "\" " +
                                 "branch=\"" + repositoryMetadata.Branch + "\"/>";
         }
 
@@ -120,7 +120,7 @@ private static string WritePackageTypes(IEnumerable<NuGet.Packaging.Core.Package
             }
 
             var output = new StringBuilder();
-            foreach(var packageType in packageTypes)
+            foreach (var packageType in packageTypes)
             {
                 output.Append("<packageType");
                 if (packageType.Name != null)
@@ -233,10 +233,10 @@ public static MemoryStream CreateTestSymbolPackageStream(string id = "theId", st
         {
             var packageTypes = new List<ClientPackageType>();
             packageTypes.Add(new ClientPackageType(name: "SymbolsPackage", version: ClientPackageType.EmptyVersion));
-            return CreateTestPackageStream(id, 
-                version, 
-                packageTypes: packageTypes, 
-                populatePackage: populatePackage, 
+            return CreateTestPackageStream(id,
+                version,
+                packageTypes: packageTypes,
+                populatePackage: populatePackage,
                 isSymbolPackage: true);
         }
 
diff --git a/tests/NuGetGallery.Facts/NuGetGallery.Facts.csproj b/tests/NuGetGallery.Facts/NuGetGallery.Facts.csproj
@@ -92,6 +92,7 @@
     <Compile Include="Helpers\StreamHelperFacts.cs" />
     <Compile Include="Queries\AutocompleteCweIdsQueryFacts.cs" />
     <Compile Include="Services\PackageDeprecationServiceFacts.cs" />
+    <Compile Include="TestData\TestDataResourceUtility.cs" />
     <Compile Include="UsernameValidationRegex.cs" />
     <Compile Include="Extensions\NumberExtensionsFacts.cs" />
     <Compile Include="Extensions\RouteExtensionsFacts.cs" />
@@ -297,6 +298,7 @@
       <SubType>Designer</SubType>
     </None>
     <EmbeddedResource Include="TestData\certificate.cer" />
+    <EmbeddedResource Include="TestData\theId.nuspec" />
   </ItemGroup>
   <ItemGroup>
     <ProjectReference Include="..\..\src\NuGet.Services.Search.Client\NuGet.Services.Search.Client.csproj">
diff --git a/tests/NuGetGallery.Facts/Services/CertificateValidatorFacts.cs b/tests/NuGetGallery.Facts/Services/CertificateValidatorFacts.cs
@@ -183,19 +183,9 @@ public void Validate_WhenStreamIsDerEncodedCertificate_Succeeds(string fileName)
             }
         }
 
-        private byte[] GetResourceBytes(string name)
-        {
-            var resourceName = $"NuGetGallery.TestData.{name}";
-
-            using (var reader = new BinaryReader(GetType().Assembly.GetManifestResourceStream(resourceName)))
-            {
-                return reader.ReadBytes((int)reader.BaseStream.Length);
-            }
-        }
-
         private X509Certificate2 GetCertificate()
         {
-            return new X509Certificate2(GetResourceBytes("certificate.cer"));
+            return new X509Certificate2(TestDataResourceUtility.GetResourceBytes("certificate.cer"));
         }
 
         private MemoryStream GetDerEncodedCertificateStream()
diff --git a/tests/NuGetGallery.Facts/Services/PackageUploadServiceFacts.cs b/tests/NuGetGallery.Facts/Services/PackageUploadServiceFacts.cs
@@ -1,4 +1,4 @@
-﻿// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -118,7 +118,8 @@ public async Task WillMarkPackageRegistrationVerifiedFlagCorrectly(bool shouldMa
                 var matchingNamepsaces = testNamespaces
                     .Where(rn => prefixes.Any(pr => id.StartsWith(pr, StringComparison.OrdinalIgnoreCase)))
                     .ToList();
-                prefixes.ForEach(p => {
+                prefixes.ForEach(p =>
+                {
                     var existingNamespace = testNamespaces.FirstOrDefault(rn => rn.Value.Equals(p, StringComparison.OrdinalIgnoreCase));
                     existingNamespace.Owners.Add(firstUser);
                 });
@@ -149,7 +150,8 @@ public async Task WillMarkPackageRegistrationNotVerifiedIfIdMatchesNonOwnedShare
                 var testUsers = ReservedNamespaceServiceTestData.GetTestUsers();
                 var firstUser = testUsers.First();
                 var lastUser = testUsers.Last();
-                prefixes.ForEach(p => {
+                prefixes.ForEach(p =>
+                {
                     var existingNamespace = testNamespaces.FirstOrDefault(rn => rn.Value.Equals(p, StringComparison.OrdinalIgnoreCase));
                     existingNamespace.IsSharedNamespace = true;
                     existingNamespace.Owners.Add(firstUser);
@@ -257,7 +259,7 @@ public async Task AcceptsUnsignedPackageAfterUnsignedPackage()
                 });
 
                 var result = await _target.ValidateBeforeGeneratePackageAsync(
-                    _nuGetPackage.Object, 
+                    _nuGetPackage.Object,
                     GetPackageMetadata(_nuGetPackage));
 
                 Assert.Equal(PackageValidationResultType.Accepted, result.Type);
@@ -320,7 +322,7 @@ public async Task AcceptsUnsignedPackagesWithNoPackageRegistration()
                     Times.Once);
             }
 
-            public static IEnumerable<object[]> WarnsOnMalformedRepositoryMetadata_Data = new []
+            public static IEnumerable<object[]> WarnsOnMalformedRepositoryMetadata_Data = new[]
             {
                 new object[] { null, null, null },
                 new object[] { "git", null, null },
@@ -983,7 +985,7 @@ public async Task RejectsLongLicenseNodeValues(string licenseNodeValue)
             }
 
             [Fact]
-            public async Task RejectsNupkgsReportingIncorrectFileLength()
+            public async Task RejectsNupkgsReportingIncorrectFileLengthForLicenseFile()
             {
                 const string licenseFilename = "license.txt";
                 const string licenseFileContents = "abcdefghijklnopqrstuvwxyz";
@@ -994,44 +996,73 @@ public async Task RejectsNupkgsReportingIncorrectFileLength()
                     licenseFilename: licenseFilename,
                     licenseFileContents: licenseFileContents);
 
+                PatchFileSizeInPackageStream(licenseFilename, licenseFileContents, packageStream);
+
+                _nuGetPackage = PackageServiceUtility.CreateNuGetPackage(packageStream);
+
+                // Act
+                var result = await _target.ValidateBeforeGeneratePackageAsync(
+                    _nuGetPackage.Object,
+                    GetPackageMetadata(_nuGetPackage));
+
+                // Assert
+                Assert.Equal(PackageValidationResultType.Invalid, result.Type);
+                Assert.Contains("corrupt", result.Message.PlainTextMessage);
+                Assert.Empty(result.Warnings);
+            }
+
+            [Fact]
+            public async Task RejectsNupkgsReportingIncorrectFileLengthForNuspecFile()
+            {
+                const string nuspecFilename = "theId.nuspec";
+                var nuspecFileContents = TestDataResourceUtility.GetResourceString(nuspecFilename);
+
+                // Arrange
+                var packageStream = GeneratePackageStream();
+
+                PatchFileSizeInPackageStream(nuspecFilename, nuspecFileContents, packageStream);
+
+                _nuGetPackage = PackageServiceUtility.CreateNuGetPackage(packageStream);
+
+                // Act
+                var result = await _target.ValidateBeforeGeneratePackageAsync(
+                    _nuGetPackage.Object,
+                    GetPackageMetadata(_nuGetPackage));
+
+                // Assert
+                Assert.Equal(PackageValidationResultType.Invalid, result.Type);
+                Assert.Contains("corrupt", result.Message.PlainTextMessage);
+                Assert.Empty(result.Warnings);
+            }
+
+            private static void PatchFileSizeInPackageStream(string fileName, string fileContents, MemoryStream packageStream)
+            {
                 var buffer = packageStream.GetBuffer();
 
-                var licenseFilenameBytes = Encoding.ASCII.GetBytes(licenseFilename);
+                var fileNameInBytes = Encoding.ASCII.GetBytes(fileName);
 
                 // the file name should appear twice in the zip stream:
                 // 1. where the compressed stream is saved.
                 // 2. in the central directory
                 // we'll need to patch stream length in both places
 
-                var firstInstanceOffset = FindSequenceIndex(licenseFilenameBytes, buffer);
+                var firstInstanceOffset = FindSequenceIndex(fileNameInBytes, buffer);
                 Assert.True(firstInstanceOffset > 0);
                 var firstSizeOffset = firstInstanceOffset - 8;
                 Assert.True(firstSizeOffset > 0);
                 var firstLength = BitConverter.ToInt32(buffer, firstSizeOffset);
-                Assert.Equal(licenseFileContents.Length, firstLength);
+                Assert.Equal(fileContents.Length, firstLength);
 
-                var secondInstanceOffset = FindSequenceIndex(licenseFilenameBytes, buffer, firstInstanceOffset + licenseFilename.Length);
+                var secondInstanceOffset = FindSequenceIndex(fileNameInBytes, buffer, firstInstanceOffset + fileName.Length);
                 Assert.True(secondInstanceOffset > 0);
                 var secondSizeOffset = secondInstanceOffset - 22;
                 Assert.True(secondSizeOffset > 0);
                 var secondLength = BitConverter.ToInt32(buffer, secondSizeOffset);
-                Assert.Equal(licenseFileContents.Length, secondLength);
+                Assert.Equal(fileContents.Length, secondLength);
 
                 // now that we have offsets, we'll just patch them
                 buffer[firstSizeOffset] = 1;
                 buffer[secondSizeOffset] = 1;
-
-                _nuGetPackage = PackageServiceUtility.CreateNuGetPackage(packageStream);
-
-                // Act
-                var result = await _target.ValidateBeforeGeneratePackageAsync(
-                    _nuGetPackage.Object,
-                    GetPackageMetadata(_nuGetPackage));
-
-                // Assert
-                Assert.Equal(PackageValidationResultType.Invalid, result.Type);
-                Assert.Contains("corrupt", result.Message.PlainTextMessage);
-                Assert.Empty(result.Warnings);
             }
 
             [Theory]
@@ -1418,7 +1449,7 @@ public async Task AcceptNotTyposquattingNotNewVersion()
             public async Task RejectIsTyposquattingNewVersion()
             {
                 _isNewPackageRegistration = true;
-                _typosquattingCheckCollisionIds = new List<string>{ "typosquatting_package_Id" };
+                _typosquattingCheckCollisionIds = new List<string> { "typosquatting_package_Id" };
                 _typosquattingService
                     .Setup(x => x.IsUploadedPackageIdTyposquatting(It.IsAny<string>(), It.IsAny<User>(), out _typosquattingCheckCollisionIds))
                     .Returns(true);
diff --git a/tests/NuGetGallery.Facts/TestData/TestDataResourceUtility.cs b/tests/NuGetGallery.Facts/TestData/TestDataResourceUtility.cs
@@ -0,0 +1,47 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System.Globalization;
+using System.IO;
+using System.Reflection;
+
+namespace NuGetGallery
+{
+    internal static class TestDataResourceUtility
+    {
+        private static readonly string ResourceNameFormat = "NuGetGallery.TestData.{0}";
+        private static readonly Assembly CurrentAssembly = typeof(TestDataResourceUtility).Assembly;
+
+        internal static byte[] GetResourceBytes(string name)
+        {
+            using (var reader = new BinaryReader(GetManifestResourceStream(name)))
+            {
+                return reader.ReadBytes((int)reader.BaseStream.Length);
+            }
+        }
+
+        internal static string GetResourceString(string name)
+        {
+            using (var resourceStream = GetManifestResourceStream(name))
+            using (var streamReader = new StreamReader(resourceStream))
+            {
+                return streamReader.ReadToEnd();
+            }
+        }
+
+        private static Stream GetManifestResourceStream(string name)
+        {
+            var resourceName = GetResourceName(name);
+
+            return CurrentAssembly.GetManifestResourceStream(resourceName);
+        }
+
+        private static string GetResourceName(string name)
+        {
+            return string.Format(
+                CultureInfo.InvariantCulture,
+                ResourceNameFormat,
+                name);
+        }
+    }
+}
diff --git a/tests/NuGetGallery.Facts/TestData/theId.nuspec b/tests/NuGetGallery.Facts/TestData/theId.nuspec
@@ -0,0 +1,25 @@
+<?xml version="1.0"?>
+                <package xmlns="http://schemas.microsoft.com/packaging/2011/08/nuspec.xsd">
+                    <metadata>
+                        <id>theId</id>
+                        <version>1.2.3-alpha.0</version>
+                        <title>theTitle</title>
+                        <summary>theSummary</summary>
+                        <description>theDescription</description>
+                        <tags>theTags</tags>
+                        <requireLicenseAcceptance>True</requireLicenseAcceptance>
+                        <authors>theFirstAuthor, theSecondAuthor</authors>
+                        <owners>Package owners</owners>
+                        <language></language>
+                        <copyright>theCopyright</copyright>
+                        <releaseNotes>theReleaseNotes</releaseNotes>
+                        <licenseUrl></licenseUrl>
+                        
+                        <projectUrl></projectUrl>
+                        <iconUrl></iconUrl>
+                        <packageTypes><packageType name="dependency" version="1.0.0"/><packageType name="DotNetCliTool" version="2.1.1"/></packageTypes>
+                        <dependencies><group targetFramework="net40"><dependency id="theFirstDependency" version="[1.0.0, 2.0.0)"></dependency><dependency id="theSecondDependency" version="[1.0.0, 1.0.0]"></dependency><dependency id="theThirdDependency" version="(, )"></dependency></group><group targetFramework="net35"><dependency id="theFourthDependency" version="[1.0.0, 1.0.0]"></dependency></group></dependencies>
+                        
+                        
+                    </metadata>
+                </package>

Original file line number	Diff line number	Diff line change
`@@ -100,6 +100,15 @@ public async Task<PackageValidationResult> ValidateBeforeGeneratePackageAsync(Pa`
`100`	`100`	`return result;`
`101`	`101`	`}`
`102`	`102`
	`103`	`+ var nuspecFileEntry = nuGetPackage.GetEntry(nuGetPackage.GetNuspecFile());`
	`104`	`+ using (var nuspecFileStream = await nuGetPackage.GetNuspecAsync(CancellationToken.None))`
	`105`	`+ {`
	`106`	`+ if (!await IsStreamLengthMatchesReportedAsync(nuspecFileStream, nuspecFileEntry.Length))`
	`107`	`+ {`
	`108`	`+ return PackageValidationResult.Invalid(Strings.UploadPackage_CorruptNupkg);`
	`109`	`+ }`
	`110`	`+ }`
	`111`	`+`
`103`	`112`	`result = await CheckForUnsignedPushAfterAuthorSignedAsync(`
`104`	`113`	`nuGetPackage,`
`105`	`114`	`warnings);`
`@@ -225,7 +234,7 @@ private async Task<PackageValidationResult> CheckLicenseMetadataAsync(PackageArc`
`225`	`234`	`{`
`226`	`235`	`return PackageValidationResult.Invalid(new InvalidUrlEncodingForLicenseUrlValidationMessage());`
`227`	`236`	`}`
`228`		`-`
	`237`	`+`
`229`	`238`	`if (licenseMetadata.Type == LicenseType.File)`
`230`	`239`	`{`
`231`	`240`	`return PackageValidationResult.Invalid(`
Original file line number	Diff line number	Diff line change
`@@ -106,9 +106,9 @@ private static string WriteRepositoryMetadata(RepositoryMetadata repositoryMetad`
`106`	`106`	`{`
`107`	`107`	`return repositoryMetadata == null`
`108`	`108`	`? string.Empty`
`109`		`- : "<repository type=\"" + repositoryMetadata.Type + "\" " +`
`110`		`- "url =\"" + repositoryMetadata.Url + "\" " +`
`111`		`- "commit=\"" + repositoryMetadata.Commit + "\" " +`
	`109`	`+ : "<repository type=\"" + repositoryMetadata.Type + "\" " +`
	`110`	`+ "url =\"" + repositoryMetadata.Url + "\" " +`
	`111`	`+ "commit=\"" + repositoryMetadata.Commit + "\" " +`
`112`	`112`	`"branch=\"" + repositoryMetadata.Branch + "\"/>";`
`113`	`113`	`}`
`114`	`114`
`@@ -120,7 +120,7 @@ private static string WritePackageTypes(IEnumerable<NuGet.Packaging.Core.Package`
`120`	`120`	`}`
`121`	`121`
`122`	`122`	`var output = new StringBuilder();`
`123`		`- foreach(var packageType in packageTypes)`
	`123`	`+ foreach (var packageType in packageTypes)`
`124`	`124`	`{`
`125`	`125`	`output.Append("<packageType");`
`126`	`126`	`if (packageType.Name != null)`
`@@ -233,10 +233,10 @@ public static MemoryStream CreateTestSymbolPackageStream(string id = "theId", st`
`233`	`233`	`{`
`234`	`234`	`var packageTypes = new List<ClientPackageType>();`
`235`	`235`	`packageTypes.Add(new ClientPackageType(name: "SymbolsPackage", version: ClientPackageType.EmptyVersion));`
`236`		`- return CreateTestPackageStream(id,`
`237`		`- version,`
`238`		`- packageTypes: packageTypes,`
`239`		`- populatePackage: populatePackage,`
	`236`	`+ return CreateTestPackageStream(id,`
	`237`	`+ version,`
	`238`	`+ packageTypes: packageTypes,`
	`239`	`+ populatePackage: populatePackage,`
`240`	`240`	`isSymbolPackage: true);`
`241`	`241`	`}`
`242`	`242`
Original file line number	Diff line number	Diff line change
`@@ -183,19 +183,9 @@ public void Validate_WhenStreamIsDerEncodedCertificate_Succeeds(string fileName)`
`183`	`183`	`}`
`184`	`184`	`}`
`185`	`185`
`186`		`- private byte[] GetResourceBytes(string name)`
`187`		`- {`
`188`		`- var resourceName = $"NuGetGallery.TestData.{name}";`
`189`		`-`
`190`		`- using (var reader = new BinaryReader(GetType().Assembly.GetManifestResourceStream(resourceName)))`
`191`		`- {`
`192`		`- return reader.ReadBytes((int)reader.BaseStream.Length);`
`193`		`- }`
`194`		`- }`
`195`		`-`
`196`	`186`	`private X509Certificate2 GetCertificate()`
`197`	`187`	`{`
`198`		`- return new X509Certificate2(GetResourceBytes("certificate.cer"));`
	`188`	`+ return new X509Certificate2(TestDataResourceUtility.GetResourceBytes("certificate.cer"));`
`199`	`189`	`}`
`200`	`190`
`201`	`191`	`private MemoryStream GetDerEncodedCertificateStream()`