Upgraded parsing (#10564)

Lanaparezanin · web-flow · commit d4a488ba49be · 2025-10-07T14:50:05.000-07:00
diff --git a/src/NuGetGallery/Infrastructure/CookieTempDataProvider.cs b/src/NuGetGallery/Infrastructure/CookieTempDataProvider.cs
@@ -1,12 +1,15 @@
-﻿// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
 using System.Collections.Generic;
 using System.Globalization;
 using System.Net;
+using System.Text;
 using System.Web;
 using System.Web.Mvc;
+using System.Web.Security;
+using Newtonsoft.Json;
 
 namespace NuGetGallery
 {
@@ -71,52 +74,49 @@ protected virtual IDictionary<string, object> LoadTempData(ControllerContext con
                 return dictionary;
             }
 
-            foreach (var key in cookie.Values.AllKeys)
+            try
             {
-                // As the index setter on HttpCookie does not guard against null keys,
-                // we should guard against ArgumentNullException on Dictionary.Insert
-                // when key == null.
-                if (key == null)
+                // Unprotect (decrypt/verify) the cookie value
+                byte[] unprotectedBytes = MachineKey.Unprotect(
+                    Convert.FromBase64String(cookie.Value), TempDataCookieKey);
+                string json = Encoding.UTF8.GetString(unprotectedBytes);
+
+                // Deserialize back to dictionary
+                var deserialized = JsonConvert.DeserializeObject<Dictionary<string, object>>(json);
+                if (deserialized != null)
                 {
-                    continue;
+                    foreach (var kvp in deserialized)
+                        dictionary[kvp.Key] = kvp.Value;
                 }
-
-                dictionary[key] = HttpUtility.UrlDecode(cookie[key]);
+            }
+            catch
+            {
+                //silently ignore incorrect cookie values
             }
 
             cookie.Expires = DateTime.MinValue;
             cookie.Value = String.Empty;
-            if (CookieHasTempData)
-            {
-                cookie.Expires = DateTime.MinValue;
-                cookie.Value = String.Empty;
-            }
             return dictionary;
         }
 
         protected virtual void SaveTempData(ControllerContext controllerContext, IDictionary<string, object> values)
         {
             if (values.Count > 0)
             {
-                var cookie = new HttpCookie(TempDataCookieKey);
-                cookie.HttpOnly = true;
-                cookie.Secure = true;
-                foreach (var item in values)
+                // Serialize dictionary to JSON
+                string json = JsonConvert.SerializeObject(values);
+
+                // Protect (encrypt/sign) the JSON
+                string protectedJson = Convert.ToBase64String(
+                MachineKey.Protect(Encoding.UTF8.GetBytes(json), TempDataCookieKey));
+
+                var cookie = new HttpCookie(TempDataCookieKey, protectedJson)
                 {
-                    // As the index setter on HttpCookie does not guard against null keys,
-                    // we should guard against ArgumentNullException on Dictionary.Insert
-                    // when key == null.
-                    if (item.Key == null)
-                    {
-                        continue;
-                    }
-
-                    cookie[item.Key] = HttpUtility.UrlEncode(Convert.ToString(item.Value, CultureInfo.InvariantCulture));
-                }
+                    HttpOnly = true,
+                    Secure = true
+                };
                 _httpContext.Response.Cookies.Add(cookie);
             }
         }
-
-        // Properties
     }
-}
+}
diff --git a/tests/NuGetGallery.Facts/Infrastructure/CookieTempDataProviderFacts.cs b/tests/NuGetGallery.Facts/Infrastructure/CookieTempDataProviderFacts.cs
@@ -1,10 +1,13 @@
-﻿// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 using System;
 using System.Collections.Generic;
+using System.Text;
 using System.Web;
 using System.Web.Mvc;
+using System.Web.Security;
 using Moq;
+using Newtonsoft.Json;
 using Xunit;
 
 namespace NuGetGallery.Infrastructure
@@ -17,46 +20,69 @@ public class TheLoadTempDataMethod
             public void RetrievesValuesFromCookie()
             {
                 var cookies = new HttpCookieCollection();
-                var cookie = new HttpCookie("__Controller::TempData");
-                cookie.HttpOnly = true;
+                var tempData = new Dictionary<string, object>(StringComparer.OrdinalIgnoreCase)
+                {
+                    { "message", "Say hello to my little friend" },
+                    { "question", "How am I funny?" }
+                };
+
+                // Serialize and protect the tempData dictionary
+                var json = JsonConvert.SerializeObject(tempData);
+                var protectedBytes = MachineKey.Protect(Encoding.UTF8.GetBytes(json), "__Controller::TempData");
+                var cookie = new HttpCookie("__Controller::TempData")
+                {
+                    HttpOnly = true,
+                    Secure = true,
+                    Value = Convert.ToBase64String(protectedBytes)
+                };
                 cookies.Add(cookie);
-                cookie["message"] = "Say hello to my little friend";
-                cookie["question"] = "How am I funny?";
+
                 var httpContext = new Mock<HttpContextBase>();
                 httpContext.Setup(c => c.Request.Cookies).Returns(cookies);
                 ITempDataProvider provider = new CookieTempDataProvider(httpContext.Object);
                 var controllerContext = new ControllerContext();
 
-                var tempData = provider.LoadTempData(controllerContext);
+                var loadedTempData = provider.LoadTempData(controllerContext);
 
-                Assert.Equal(2, tempData.Count);
-                Assert.Equal("Say hello to my little friend", tempData["message"]);
-                Assert.Equal("How am I funny?", tempData["question"]);
-                Assert.Equal("How am I funny?", tempData["QUESTION"]);
+                Assert.Equal(2, loadedTempData.Count);
+                Assert.Equal("Say hello to my little friend", loadedTempData["message"]);
+                Assert.Equal("How am I funny?", loadedTempData["question"]);
+                Assert.Equal("How am I funny?", loadedTempData["QUESTION"]);
             }
 
 
             [Fact]
             public void DoesNotThrowWhenKeyValuesFromCookieContainsNullKey()
             {
                 var cookies = new HttpCookieCollection();
-                var cookie = new HttpCookie("__Controller::TempData");
-                cookie.HttpOnly = true;
+                var tempData = new Dictionary<string, object>(StringComparer.OrdinalIgnoreCase)
+                {
+                    { "message", "Say hello to my little friend" },
+                    { "question", "How am I funny?" }
+                };
+
+                // Serialize and protect the tempData dictionary
+                var json = JsonConvert.SerializeObject(tempData);
+                var protectedBytes = MachineKey.Protect(Encoding.UTF8.GetBytes(json), "__Controller::TempData");
+                var cookie = new HttpCookie("__Controller::TempData")
+                {
+                    HttpOnly = true,
+                    Secure = true,
+                    Value = Convert.ToBase64String(protectedBytes)
+                };
                 cookies.Add(cookie);
-                cookie["message"] = "Say hello to my little friend";
-                cookie["question"] = "How am I funny?";
-                cookie[null] = "This should be ignored.";
+
                 var httpContext = new Mock<HttpContextBase>();
                 httpContext.Setup(c => c.Request.Cookies).Returns(cookies);
                 ITempDataProvider provider = new CookieTempDataProvider(httpContext.Object);
                 var controllerContext = new ControllerContext();
 
-                var tempData = provider.LoadTempData(controllerContext);
+                var loadedTempData = provider.LoadTempData(controllerContext);
 
-                Assert.Equal(2, tempData.Count);
-                Assert.Equal("Say hello to my little friend", tempData["message"]);
-                Assert.Equal("How am I funny?", tempData["question"]);
-                Assert.Equal("How am I funny?", tempData["QUESTION"]);
+                Assert.Equal(2, loadedTempData.Count);
+                Assert.Equal("Say hello to my little friend", loadedTempData["message"]);
+                Assert.Equal("How am I funny?", loadedTempData["question"]);
+                Assert.Equal("How am I funny?", loadedTempData["QUESTION"]);
             }
 
             [Fact]
@@ -102,22 +128,28 @@ public void StoresValuesInCookieInEncodedFormat()
                 ITempDataProvider provider = new CookieTempDataProvider(httpContext.Object);
                 var controllerContext = new ControllerContext();
 
-                provider.SaveTempData(
-                    controllerContext,
-                    new Dictionary<string, object>(StringComparer.OrdinalIgnoreCase)
-                        {
-                            { "message", "Say hello to my little friend" },
-                            { "key2", 123 },
-                            { "key3", "dumb&dumber?:;,isit" }
-                        });
+                var tempData = new Dictionary<string, object>(StringComparer.OrdinalIgnoreCase)
+                {
+                    { "message", "Say hello to my little friend" },
+                    { "key2", 123 },
+                    { "key3", "dumb&dumber?:;,isit" }
+                };
+                provider.SaveTempData(controllerContext, tempData);
 
                 Assert.Single(cookies);
-                Assert.True(cookies[0].HttpOnly);
-                Assert.True(cookies[0].Secure);
-                Assert.Equal(3, cookies[0].Values.Count);
-                Assert.Equal(HttpUtility.UrlEncode("Say hello to my little friend"), cookies[0]["message"]);
-                Assert.Equal(HttpUtility.UrlEncode("123"), cookies[0]["key2"]);
-                Assert.Equal(HttpUtility.UrlEncode("dumb&dumber?:;,isit"), cookies[0]["key3"]);
+                var cookie = cookies["__Controller::TempData"];
+                Assert.True(cookie.HttpOnly);
+                Assert.True(cookie.Secure);
+
+                // Decrypt and deserialize the cookie value
+                var unprotectedBytes = MachineKey.Unprotect(Convert.FromBase64String(cookie.Value), "__Controller::TempData");
+                var json = Encoding.UTF8.GetString(unprotectedBytes);
+                var deserialized = JsonConvert.DeserializeObject<Dictionary<string, object>>(json);
+
+                Assert.Equal(3, deserialized.Count);
+                Assert.Equal("Say hello to my little friend", deserialized["message"]);
+                Assert.Equal(123, Convert.ToInt32(deserialized["key2"]));
+                Assert.Equal("dumb&dumber?:;,isit", deserialized["key3"]);
             }
 
             [Fact]
@@ -160,4 +192,4 @@ public void WithInitialStateAndNoValuesClearsCookie()
             }
         }
     }
-}
+}
