Only allowing lowercase 'tags' element in package metadata. (#9022)

agr · web-flow · commit deb2fe7c07ed · 2022-02-25T15:19:49.000-08:00
diff --git a/src/NuGetGallery.Core/Packaging/PackageMetadata.cs b/src/NuGetGallery.Core/Packaging/PackageMetadata.cs
@@ -40,6 +40,8 @@ public class PackageMetadata
             "serviceable",
         };
 
+        private const string TagsElement = "tags";
+
         private readonly Dictionary<string, string> _metadata;
         private readonly IReadOnlyCollection<PackageDependencyGroup> _dependencyGroups;
         private readonly IReadOnlyCollection<FrameworkSpecificGroup> _frameworkReferenceGroups;
@@ -237,9 +239,18 @@ public static PackageMetadata FromNuspecReader(NuspecReader nuspecReader, bool s
                 }
             }
 
-            // Reject invalid metadata element names. Today this only rejects element names that collide with
-            // properties generated downstream.
-            var metadataKeys = new HashSet<string>(metadataLookup.Select(g => g.Key));
+            // Reject invalid metadata element names.
+            var metadataElements = metadataLookup.Select(g => g.Key).ToList();
+            var unexpectedTagsCasings = metadataElements.Where(element => element.Equals(TagsElement, StringComparison.OrdinalIgnoreCase) && element != TagsElement).ToList();
+            if (unexpectedTagsCasings.Any())
+            {
+                throw new PackagingException(string.Format(
+                    CoreStrings.Manifest_InvalidMetadataElements,
+                    string.Join("', '", unexpectedTagsCasings.OrderBy(x => x))));
+            }
+
+            // This only rejects element names that collide with properties generated downstream.
+            var metadataKeys = new HashSet<string>(metadataElements);
             metadataKeys.IntersectWith(RestrictedMetadataElements);
             if (metadataKeys.Any())
             {
diff --git a/tests/NuGetGallery.Core.Facts/Packaging/PackageMetadataFacts.cs b/tests/NuGetGallery.Core.Facts/Packaging/PackageMetadataFacts.cs
@@ -338,6 +338,48 @@ public void DoesNotThrowWhenInvalidDependencyVersionRangeDetectedAndParsingIsNot
             Assert.Equal(VersionRange.All, dependency.VersionRange);
         }
 
+        [Theory]
+        [InlineData("tagS")]
+        [InlineData("taGs")]
+        [InlineData("taGS")]
+        [InlineData("tAgs")]
+        [InlineData("tAgS")]
+        [InlineData("tAGs")]
+        [InlineData("tAGS")]
+        [InlineData("Tags")]
+        [InlineData("TagS")]
+        [InlineData("TaGs")]
+        [InlineData("TaGS")]
+        [InlineData("TAgs")]
+        [InlineData("TAgS")]
+        [InlineData("TAGs")]
+        [InlineData("TAGS")]
+        public void ThrowsForUppercaseTags(string tags)
+        {
+            var packageStream = CreateTestPackageStreamWithMetadataElementName(tags, "foo bar baz");
+            var nupkg = new PackageArchiveReader(packageStream, leaveStreamOpen: false);
+            var nuspec = nupkg.GetNuspecReader();
+
+            var ex = Assert.Throws<PackagingException>(() => PackageMetadata.FromNuspecReader(
+                nuspec,
+                strict: false));
+            Assert.Equal($"The package manifest contains invalid metadata elements: '{tags}'", ex.Message);
+        }
+
+        [Fact]
+        public void DoesntThrowForLowercaseTags()
+        {
+            var packageStream = CreateTestPackageStreamWithMetadataElementName("tags", "foo bar baz");
+            var nupkg = new PackageArchiveReader(packageStream, leaveStreamOpen: false);
+            var nuspec = nupkg.GetNuspecReader();
+
+            var ex = Record.Exception(() => PackageMetadata.FromNuspecReader(
+                nuspec,
+                strict: false));
+
+            Assert.Null(ex);
+        }
+
         private static Stream CreateTestPackageStream()
         {
             return CreateTestPackageStream(@"<?xml version=""1.0""?>
