Merge pull request #10702 from NuGet/main

[ReleasePrep][2026.02.05]FI of main into dev

Author: v-ponkumar

RemovedPackages.md

@@ -91,9 +91,16 @@ Scanning is not perfect. Community partnership is a very valuable part of the ov
 |    Tracer.Fody.NLog   |    12/17/2025    |    Malware                  |
 |    Gp4Framework 0.0.9 |    12/17/2025    |    Potentially Malicious    |
 |    Gp4Framework 0.1.0 |    12/17/2025    |    Potentially Malicious    |
+|    Allegory.Logo.Gateway.HttpApi.Host 0.1.17    |    12/17/2025    |    Potentially Malicious    |
+|    Allegory.Logo.Gateway.HttpApi.Host 0.1.18    |    12/17/2025    |    Potentially Malicious    |
+|    Allegory.Logo.Gateway.HttpApi.Host 0.1.19    |    12/17/2025    |    Potentially Malicious    |
+|    Allegory.Logo.Gateway.HttpApi.Host 0.1.20    |    12/17/2025    |    Potentially Malicious    |
 |    SystemDiagnosticsv324824726 1.0.0   |    01/09/2026    |   Malware  |
 |    SystemDiagnosticsv324824726 1.2.0   |    01/09/2026    |   Malware  |
 |    SystemDiagnosticsV2.5467 1.0.0      |    01/09/2026    |   Malware  |
+|    SolnetWallet.Net.Core               |    01/27/2026    |   Potentially Malicious  |
+|    Z.Dp.All 1.0.1                      |    01/27/2026    |   Malware  |
+|    Z.Dp.All 1.0.2                      |    01/27/2026    |   Malware  |
 
 
 

global.json

@@ -1,6 +1,6 @@
 {
   "sdk": {
-    "version": "8.0.303",
+    "version": "8.0.318",
     "rollForward": "latestFeature",
     "allowPrerelease": false
   }

src/AccountDeleter/Configuration/GalleryConfiguration.cs

@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -118,5 +118,7 @@ public string SiteRoot
         public string AdminSenderUser { get => throw new NotImplementedException(); set => throw new NotImplementedException(); }
         public string SupportEmailSiteRoot { get => throw new NotImplementedException(); set => throw new NotImplementedException(); }
         public int MaxJsonLengthOverride { get => throw new NotImplementedException(); set => throw new NotImplementedException(); }
+        public int MaxOwnerPerPackageRegistration { get => throw new NotImplementedException(); set => throw new NotImplementedException(); }
+        public int MaxOwnerRequestsPerPackageRegistration { get => throw new NotImplementedException(); set => throw new NotImplementedException(); }
     }
 }

src/Bootstrap/package-lock.json

@@ -36,6 +36,8 @@ public static class Utils
 
         private static readonly char[] TagTrimChars = { ',', ' ', '\t', '|', ';' };
 
+        private static readonly char[] Slashes = { '/', '\\' };
+
         public static string[] SplitTags(string original)
         {
             var fields = original
@@ -118,12 +120,13 @@ public static XDocument GetNuspec(ZipArchive package)
 
             foreach (ZipArchiveEntry part in package.Entries)
             {
-                if (part.FullName.EndsWith(".nuspec") && part.FullName.IndexOf('/') == -1)
+                if (part.FullName.EndsWith(".nuspec") && part.FullName.IndexOfAny(Slashes) == -1)
                 {
                     XDocument nuspec = XDocument.Load(part.Open());
                     return nuspec;
                 }
             }
+
             return null;
         }
 

src/Catalog/Helpers/Utils.cs

@@ -417,15 +417,27 @@ public string ExternalBrandingMessage
 
         [DefaultValue(null)]
         public int? MinWorkerThreads { get; set; }
+
         [DefaultValue(null)]
         public int? MaxWorkerThreads { get; set; }
+
         [DefaultValue(null)]
         public int? MinIoThreads { get; set; }
+
         [DefaultValue(null)]
         public int? MaxIoThreads { get; set; }
+
         public string InternalMicrosoftTenantKey { get; set; }
+
         public string AdminSenderUser { get; set; }
+
         [DefaultValue(16 * 1024 * 1024)]
         public int MaxJsonLengthOverride { get; set; }
+
+        [DefaultValue(15)]
+        public int MaxOwnerPerPackageRegistration { get; set; }
+
+        [DefaultValue(3)]
+        public int MaxOwnerRequestsPerPackageRegistration { get; set; }
     }
-}
+}

src/NuGetGallery.Services/Configuration/AppConfiguration.cs

@@ -530,5 +530,15 @@ public interface IAppConfiguration : IMessageServiceConfiguration
         /// select places where large JSON response bodies are possible.
         /// </summary>
         int MaxJsonLengthOverride { get; set; }
+
+        /// <summary>
+        /// The maximum number of owners allowed per package registration. If this limit is reached, no more owners can be added and others must be removed first.
+        /// </summary>
+        int MaxOwnerPerPackageRegistration { get; set; }
+
+        /// <summary>
+        /// The maximum number of owner requests allowed per package registration. If this limit is reached, no more requests can be made and other requests must be removed first.
+        /// </summary>
+        int MaxOwnerRequestsPerPackageRegistration { get; set; }
     }
-}
+}

src/NuGetGallery.Services/Configuration/IAppConfiguration.cs

@@ -1,22 +1,28 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
 using System.Collections.Generic;
 using System.Data.Entity;
+using System.Globalization;
 using System.Linq;
 using System.Threading.Tasks;
 using NuGet.Services.Entities;
+using NuGetGallery.Configuration;
 
 namespace NuGetGallery
 {
     public class PackageOwnerRequestService : IPackageOwnerRequestService
     {
         private readonly IEntityRepository<PackageOwnerRequest> _packageOwnerRequestRepository;
+        private readonly IAppConfiguration _appConfiguration;
 
-        public PackageOwnerRequestService(IEntityRepository<PackageOwnerRequest> packageOwnerRequestRepository)
+        public PackageOwnerRequestService(
+            IEntityRepository<PackageOwnerRequest> packageOwnerRequestRepository,
+            IAppConfiguration appConfiguration)
         {
             _packageOwnerRequestRepository = packageOwnerRequestRepository ?? throw new ArgumentNullException(nameof(packageOwnerRequestRepository));
+            _appConfiguration = appConfiguration ?? throw new ArgumentNullException(nameof(appConfiguration));
         }
 
         public PackageOwnerRequest GetPackageOwnershipRequest(PackageRegistration package, User newOwner, string token)
@@ -111,10 +117,19 @@ public async Task<PackageOwnerRequest> AddPackageOwnershipRequest(PackageRegistr
                 throw new ArgumentNullException(nameof(newOwner));
             }
 
-            var existingRequest = GetPackageOwnershipRequests(package: package, newOwner: newOwner).FirstOrDefault();
-            if (existingRequest != null)
+            var existingRequests = GetPackageOwnershipRequests(package: package).ToList();
+            var duplicate = existingRequests.FirstOrDefault(x => x.NewOwnerKey == newOwner.Key);
+            if (duplicate is not null)
             {
-                return existingRequest;
+                return duplicate;
+            }
+
+            if (existingRequests.Count >= Math.Max(1, _appConfiguration.MaxOwnerRequestsPerPackageRegistration))
+            {
+                throw new UserSafeException(string.Format(
+                    CultureInfo.CurrentCulture,
+                    ServicesStrings.MaximumPackageOwnerRequestsReached,
+                    _appConfiguration.MaxOwnerRequestsPerPackageRegistration));
             }
 
             var newRequest = new PackageOwnerRequest
@@ -147,4 +162,4 @@ public async Task DeletePackageOwnershipRequest(PackageOwnerRequest request, boo
             }
         }
     }
-}
+}

src/NuGetGallery.Services/PackageManagement/PackageOwnerRequestService.cs

@@ -1,8 +1,9 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
 using System.Collections.Generic;
+using System.Globalization;
 using System.Linq;
 using System.Threading.Tasks;
 using System.Web;
@@ -47,6 +48,16 @@ public PackageOwnershipManagementService(
 
         public async Task AddPackageOwnerWithMessagesAsync(PackageRegistration packageRegistration, User user)
         {
+            if (packageRegistration == null)
+            {
+                throw new ArgumentNullException(nameof(packageRegistration));
+            }
+
+            if (packageRegistration.Owners.Count >= Math.Max(_appConfiguration.MaxOwnerPerPackageRegistration, 1))
+            {
+                throw new UserSafeException(string.Format(CultureInfo.CurrentCulture, ServicesStrings.MaximumPackageOwnersReached, _appConfiguration.MaxOwnerPerPackageRegistration));
+            }
+
             await AddPackageOwnerAsync(packageRegistration, user, commitChanges: true);
 
             var packageUrl = _urlHelper.Package(packageRegistration.Id, version: null, relativeUrl: false, supportEmail: true);
@@ -418,4 +429,4 @@ private static bool OwnerHasPermissionsToRemoveFromNamespace(User requestingOwne
             return true;
         }
     }
-}
+}

src/NuGetGallery.Services/PackageManagement/PackageOwnershipManagementService.cs

@@ -8,7 +8,6 @@
 using System.Linq;
 using System.Threading;
 using System.Threading.Tasks;
-using System.Web.Helpers;
 using Newtonsoft.Json;
 using Newtonsoft.Json.Linq;
 using NuGet.Frameworks;