Merge pull request #8852 from NuGet/dev
[ReleasePrep][2021.10.15]RI of dev into main
loic-sharma committed Oct 15, 2021
2 parents 790313d + bbe3f51 commit cc653c1
Showing 10 changed files with 172 additions and 87 deletions.
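--- a/src/NuGetGallery.Services/Authentication/ApiKeyV4.cs
+++ b/src/NuGetGallery.Services/Authentication/ApiKeyV4.cs
@@ -121,7 +121,16 @@ private bool TryParseInternal(string plaintextApiKey)
 try
 {
 var id = plaintextApiKey.Substring(0, IdPartBase32Length);
-var idBytes = id.AppendBase32Padding().ToUpper().FromBase32String();
+var validId = id
+.AppendBase32Padding()
+.ToUpper()
+.TryDecodeBase32String(out var idBytes);
+
+if (!validId)
+{
+return false;
+}
+
 bool success = idBytes[0] == IdPrefix[0] && idBytes[1] == IdPrefix[1];
 
 if (success)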
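Review bot: `bool success = idBytes[0] == IdPrefix[0] && idBytes[1] == IdPrefix[1];` still indexes the decoded bytes without a length check, so an id that is well-formed Base32 but decodes to fewer than two bytes would throw IndexOutOfRangeException rather than return false; whether the enclosing try/catch converts that into a false result is not visible, because TryParseInternal's catch block lies outside the hunk. A parser for untrusted API-key input should fail closed explicitly: `bool success = idBytes.Length >= 2 && idBytes[0] == IdPrefix[0] && idBytes[1] == IdPrefix[1];`. The same applies to `plaintextApiKey.Substring(0, IdPartBase32Length)` just above, which throws on inputs shorter than IdPartBase32Length; a `plaintextApiKey.Length < IdPartBase32Length` guard before the try would make the accepted shape explicit instead of relying on exception handling for control flow.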
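--- a/src/NuGetGallery.Services/Extensions/Base32Encoder.cs
+++ b/src/NuGetGallery.Services/Extensions/Base32Encoder.cs
@@ -18,6 +18,20 @@ public static string ToBase32String(this byte[] data)
 return Encode(data);
 }
 
+public static bool TryDecodeBase32String(this string base32String, out byte[] result)
+{
+try
+{
+result = Decode(base32String);
+return true;
+}
+catch (ArgumentException)
+{
+result = Array.Empty<byte>();
+return false;
+}
+}
+
 public static byte[] FromBase32String(this string base32String)
 {
 return Decode(base32String);
@@ -42,7 +56,7 @@ public static string Encode(byte[] data)
 {
 if (data == null)
 {
-throw new NullReferenceException(nameof(data));
+throw new ArgumentNullException(nameof(data));
 }
 
 int ncTokens = GetTokenCount(data);
@@ -63,7 +77,7 @@ public static byte[] Decode(string base32String)
 {
 if (base32String == null)
 {
-throw new NullReferenceException(nameof(base32String));
+throw new ArgumentNullException(nameof(base32String));
 }
 
 // Validate base32 format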
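Review bot: `catch (ArgumentException)` in TryDecodeBase32String also swallows the ArgumentNullException that Decode now throws for a null input, so a null base32String yields false and an empty array rather than an exception; that is a sensible Try-pattern contract, but it is a deliberate choice that should be written down, e.g. `/// <summary>Decodes a Base32 string; returns false (with an empty <paramref name="result"/>) for null or malformed input instead of throwing.</summary>` on the new method. Only the `// Validate base32 format` line of Decode's validation is in view, so I cannot tell whether malformed input can surface anything other than an ArgumentException; if it can (FormatException, an index error on an odd-length string), the Try method would still throw on bad input, which defeats its use in ApiKeyV4.TryParseInternal. Worth confirming against Decode's body and, if needed, catching exactly the types it throws for invalid input.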
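--- a/src/NuGetGallery.Services/Models/ReportPackageReason.cs
+++ b/src/NuGetGallery.Services/Models/ReportPackageReason.cs
@@ -10,19 +10,22 @@ public enum ReportPackageReason
 [Description("Other")]
 Other,
 
-[Description("The package has a bug/failed to install")]
+[Description("A bug/failed to install")]
 HasABugOrFailedToInstall,
 
-[Description("The package contains malicious code")]
+[Description("Malicious code")]
 ContainsMaliciousCode,
 
-[Description("The package is infringing my copyright or trademark")]
+[Description("A security vulnerability")]
+ContainsSecurityVulnerability,
+
+[Description("Content infringing my copyright or trademark")]
 ViolatesALicenseIOwn,
 
-[Description("The package contains private/confidential data")]
+[Description("Private/confidential data")]
 ContainsPrivateAndConfidentialData,
 
-[Description("The package was not intended to be published publicly on nuget.org")]
+[Description("Content not intended to be published publicly on nuget.org")]
 ReleasedInPublicByAccident,
 
 [Description("Child sexual exploitation or abuse")]
@@ -31,13 +34,13 @@ public enum ReportPackageReason
 [Description("Terrorism or violent extremism")]
 TerrorismOrViolentExtremism,
 
-[Description("The package contains hate speech")]
+[Description("Hate speech")]
 HateSpeech,
 
-[Description("The package contains content related to imminent harm")]
+[Description("Content related to imminent harm")]
 ImminentHarm,
 
-[Description("The package contains non-consensual intimate imagery (i.e. \"revenge porn\")")]
+[Description("Non-consensual intimate imagery (i.e. \"revenge porn\")")]
 RevengePorn,
 
 [Description("Other nudity or pornography (not \"revenge porn\")")]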
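Review bot: `ContainsSecurityVulnerability` is inserted between `ContainsMaliciousCode` and `ViolatesALicenseIOwn` in an enum that declares no explicit values, so every member from `ViolatesALicenseIOwn` onward silently changes its underlying integer. If any of these values are stored or emitted outside the process (database columns, telemetry, query strings), previously recorded values would be re-interpreted under the new numbering; whether that happens is not visible from this page. Either append the new member at the end of the enum, or pin the values explicitly (`ContainsSecurityVulnerability = <value>` together with the others) so that renumbering is an intentional, reviewable change rather than a side effect of ordering.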
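--- a/src/NuGetGallery/Controllers/PackagesController.cs
+++ b/src/NuGetGallery/Controllers/PackagesController.cs
@@ -63,6 +63,7 @@ public partial class PackagesController
 {
 ReportPackageReason.ViolatesALicenseIOwn,
 ReportPackageReason.ContainsMaliciousCode,
+ReportPackageReason.ContainsSecurityVulnerability,
 ReportPackageReason.HasABugOrFailedToInstall,
 ReportPackageReason.Other
 };
@@ -71,6 +72,7 @@ public partial class PackagesController
 {
 ReportPackageReason.ViolatesALicenseIOwn,
 ReportPackageReason.ContainsMaliciousCode,
+ReportPackageReason.ContainsSecurityVulnerability,
 ReportPackageReason.HasABugOrFailedToInstall,
 ReportPackageReason.ChildSexualExploitationOrAbuse,
 ReportPackageReason.TerrorismOrViolentExtremism,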
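Review bot: Adding `ReportPackageReason.ContainsSecurityVulnerability` to both reason lists puts into the dropdown a value that the ReportAbuse.cshtml script merely hides the form for, while the only server-side rejection of a non-report reason visible on this page — the `[NotEqual(ReportPackageReason.HasABugOrFailedToInstall, ...)]` attribute on ReportViewModel.Reason — is removed in the same commit. A POST carrying `HasABugOrFailedToInstall` or `ContainsSecurityVulnerability` from any client that does not run the page script would therefore reach the report handler unless that handler checks for them, and the handler is not in the hunks shown. Client-side hiding is a UX aid, not validation; the POST action should reject those two reasons explicitly, or the model should regain an attribute equivalent to the removed one that covers both. As a smaller point, the same four leading entries are now maintained in two parallel lists that this change had to edit in lock-step; a shared base list spread into the longer one would keep them from drifting.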
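--- a/src/NuGetGallery/Controllers/UsersController.cs
+++ b/src/NuGetGallery/Controllers/UsersController.cs
@@ -624,6 +624,7 @@ public virtual ActionResult ForgotPassword()
 
 [HttpPost]
 [ValidateAntiForgeryToken]
+[ValidateRecaptchaResponse]
 public virtual async Task<ActionResult> ForgotPassword(ForgotPasswordViewModel model)
 {
 // We don't want Login to have us as a return URL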
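Review bot: `[ValidateRecaptchaResponse]` on the ForgotPassword POST is the right place to gate a password-reset trigger, but the filter's behaviour when `Config.Current.ReCaptchaPublicKey` is unset or the verification call fails is not visible here; confirm it fails closed (rejects the request) rather than passing silently, since a silent pass would leave the reset endpoint as unprotected as before while the attribute suggests otherwise. A one-line comment above the attribute stating that expectation, e.g. `// Recaptcha must fail closed here: this action triggers password-reset e-mails.`, would keep the intent visible to the next reader. The GET action at the top of the hunk stays unprotected, which is presumably intentional because it only renders the form; its body is outside the hunk.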
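--- a/src/NuGetGallery/ViewModels/ReportViewModel.cs
+++ b/src/NuGetGallery/ViewModels/ReportViewModel.cs
@@ -13,9 +13,8 @@ public abstract class ReportViewModel : IPackageVersionModel
 
 public string PackageVersion { get; set; }
 
-[NotEqual(ReportPackageReason.HasABugOrFailedToInstall, ErrorMessage = "Unfortunately we cannot provide support for bugs in NuGet Packages. Please contact owner(s) for assistance.")]
-[Required(ErrorMessage = "You must select a reason for reporting the package.")]
 [Display(Name = "Reason")]
+[Required(ErrorMessage = "You must select a reason for reporting the package.")]
 public ReportPackageReason? Reason { get; set; }
 
 [Display(Name = "Send me a copy")]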
96 changes: 56 additions & 40 deletions src/NuGetGallery/Views/Packages/ReportAbuse.cshtml
@@ -1,6 +1,6 @@
@model ReportAbuseViewModel
@{
ViewBag.Title = "Report Abuse by " + Model.PackageId + " " + Model.PackageVersion;
ViewBag.Title = "Report Package " + Model.PackageId + " " + Model.PackageVersion;
ViewBag.MdPageColumns = GalleryConstants.ColumnsFormMd;
string returnUrl = ViewData.ContainsKey(GalleryConstants.ReturnUrlViewDataKey) ? (string)ViewData[GalleryConstants.ReturnUrlViewDataKey] : Request.RawUrl;
}
Expand All @@ -9,44 +9,68 @@
<div class="row report-form">
<div class="@ViewHelpers.GetColumnClasses(ViewBag)">
@Html.Partial(
"_PackageHeading",
"_PackageHeading",
new PackageHeadingModel(
Model.PackageId,
Model.PackageVersion,
"Report abuse"))
Model.PackageId,
Model.PackageVersion,
"Report package"))

<h2><strong>If this package has a bug/failed to install</strong></h2>
@ViewHelpers.AlertWarning(isAlertRole: true, htmlContent:
@<text>
<strong>Important - Please do not use this form to report a bug in a package you are using!</strong><br />
This form is for reporting abusive packages such as
packages containing malicious code or spam. If "@Model.PackageId" simply doesn't
work, or if you need help getting the package installed, please
Please do not report using the form below - that is reserved for abusive packages, such as those containing malicious code or spam.
<br />
<br />
If "@Model.PackageId" simply doesn't work, or if you need help getting the package installed, please
<a href="@Url.ContactOwners(Model)" title="contact the owners">contact the owners instead.</a>
</text>
)

<p tabindex="0">
Please provide a detailed abuse report with evidence to support your claim! We cannot delete packages without evidence that they exhibit malicious behavior.
</p>
<h2><strong>To report a security vulnerability</strong></h2>
@ViewHelpers.AlertWarning(isAlertRole: true, htmlContent:
@<text>
Please report security vulnerabilities through the <a href="https://msrc.microsoft.com/create-report" title="report a security vulnerability">official portal</a>.
If this is not a Microsoft - owned package, consider also <a href="@Url.ContactOwners(Model)" title="contact the owners">contacting the owners</a>.
</text>
)

<h2><strong>To report abuse, use this form</strong></h2>
@if (!Model.ConfirmedUser)
{
<p tabindex="0">
Note: If this is your package and you would like to contact support, please
<a href="@Url.LogOn(returnUrl)">sign in.</a>
</p>
@ViewHelpers.AlertWarning(isAlertRole: true, htmlContent:
@<text>
If this is your package, please <a href="@Url.LogOn(returnUrl)">sign in</a> to contact support.
</text>
)
}
<p tabindex="0">
<text>
Please provide a detailed abuse report with evidence to support your claim! We cannot delete packages without evidence that they exhibit malicious behavior.
</text>
</p>

@using (Html.BeginForm())
{
@Html.AntiForgeryToken()

<div id="form-field-reason" class="form-group @Html.HasErrorFor(m => m.Reason)">
@Html.ShowLabelFor(m => m.Reason)
<p tabindex="0">Please select the reason for contacting support about this package.</p>
<p tabindex="0">Please select the reason for contacting support about this package. This package contains:</p>
@Html.ShowEnumDropDownListFor(m => m.Reason, Model.ReasonChoices, "<Choose a Reason>")
@Html.ShowValidationMessagesFor(m => m.Reason)
</div>

<div class="reason-error-has-a-bug" tabindex="0">
<p>
Unfortunately we cannot provide support for bugs in NuGet packages. Please <a href="@Url.ContactOwners(Model)" title="contact the owners">contact the owners</a> for assistance.
</p>
</div>
<div class="reason-error-security-vulnerability" tabindex="0">
<p>
Please report security vulnerabilities through the <a href="https://msrc.microsoft.com/create-report" title="report a security vulnerability">official portal</a>.
If this is not a Microsoft - owned package, consider also <a href="@Url.ContactOwners(Model)" title="contact the owners">contacting the owners</a>.
</p>
</div>
<div id="report-abuse-form">
<div class="form-group @Html.HasErrorFor(m => m.Email)">
@Html.ShowLabelFor(m => m.Email)
Expand All @@ -73,11 +97,6 @@
Note: Please complete this form and submit it so we can proceed with an appropriate response regarding the NuGet package (e.g. removing it). In addition, please proceed to <a href="https://report.cybertip.org">https://report.cybertip.org</a> to report the matter in more detail.
</p>
</div>
<div class="terrorism-or-violent-extremism" tabindex="0">
<p>
Note: Please complete this form and submit it so we can proceed with an appropriate response regarding the NuGet package (e.g. removing it). In addition, please proceed to <a href="https://www.microsoft.com/en-au/concern/terroristcontent">https://www.microsoft.com/en-au/concern/terroristcontent</a> to report the matter in more detail.
</p>
</div>
<div class="imminent-harm" tabindex="0">
<p>
Note: please ensure when reporting this type of abuse that you've considered whether the following are present:
Expand All @@ -89,11 +108,6 @@
</ul>
</p>
</div>
<div class="revenge-porn" tabindex="0">
<p>
Note: Please complete this form and submit it so we can proceed with an appropriate response regarding the NuGet package (e.g. removing it). In addition, please proceed to <a href="https://www.microsoft.com/en-us/concern/revengeporn">https://www.microsoft.com/en-us/concern/revengeporn</a> to report the matter in more detail.
</p>
</div>
@Html.ShowTextAreaFor(m => m.Message, 10, 50)
@Html.ShowValidationMessagesFor(m => m.Message)
</div>
Expand Down Expand Up @@ -139,12 +153,26 @@
$form.validate().element($('#Reason'));
}
if (val === 'HasABugOrFailedToInstall') {
// For error conditions, hide the other form fields and show error messages
if (val === 'HasABugOrFailedToInstall'
|| val === 'ContainsSecurityVulnerability') {
$('#report-abuse-form').hide();
} else {
$('#report-abuse-form').show();
}
if (val === 'HasABugOrFailedToInstall') {
$form.find('.reason-error-has-a-bug').show();
} else {
$form.find('.reason-error-has-a-bug').hide();
}
if (val === 'ContainsSecurityVulnerability') {
$form.find('.reason-error-security-vulnerability').show();
} else {
$form.find('.reason-error-security-vulnerability').hide();
}
// We don't suggest the customer contact the owner in the case of safety violations
if (val === 'ChildSexualExploitationOrAbuse'
|| val === 'TerrorismOrViolentExtremism'
Expand All @@ -163,24 +191,12 @@
$form.find('.child-sexual-exploitation').hide();
}
if (val === 'TerrorismOrViolentExtremism') {
$form.find('.terrorism-or-violent-extremism').show();
} else {
$form.find('.terrorism-or-violent-extremism').hide();
}
if (val === 'ImminentHarm') {
$form.find('.imminent-harm').show();
} else {
$form.find('.imminent-harm').hide();
}
if (val === 'RevengePorn') {
$form.find('.revenge-porn').show();
} else {
$form.find('.revenge-porn').hide();
}
if (val == 'ViolatesALicenseIOwn') {
$form.find('.infringement-claim-requirements').show();
$('#Signature').rules("add", {
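Review bot: `if (val == 'ViolatesALicenseIOwn')` in the last hunk is the one loose comparison left in a chain that otherwise uses strict equality, including the new `val === 'ContainsSecurityVulnerability'` branches; change it to `if (val === 'ViolatesALicenseIOwn')`. The MSRC guidance text is duplicated verbatim between the new alert block under "To report a security vulnerability" and the new `.reason-error-security-vulnerability` div, so any change to the link or wording has to be made twice; a single partial or shared string would keep them aligned. Both copies also read `Microsoft - owned` in user-facing text, which should be `Microsoft-owned`.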
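--- a/src/NuGetGallery/Views/Users/ForgotPassword.cshtml
+++ b/src/NuGetGallery/Views/Users/ForgotPassword.cshtml
@@ -33,10 +33,14 @@
 @Html.ShowValidationMessagesForEmpty()
 </div>
 <div class="form-group">
-<input type="submit" class="btn btn-primary form-control" value="Send" />
+<input id="Submit" type="submit" class="btn btn-primary form-control" value="Send" />
 </div>
 }
 </div>
 </div>
 </div>
-</section>
+</section>
+
+@section BottomScripts {
+@ViewHelpers.RecaptchaScripts(Config.Current.ReCaptchaPublicKey, "Submit")
+}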
Expand Up @@ -35,9 +35,10 @@ public void CreatesAValidApiKey()
[InlineData(" ")]
[InlineData("abc")]
[InlineData("SEMTXET5UU6UZDD4AMK57TR46I==")]
[InlineData("0000thisis46charactersbutnotvalidbase32encoded")]
public void TryParseFailsForIllegalApiKeys(string inputApiKey)
{
// Act
// Act
bool result = ApiKeyV4.TryParse(inputApiKey, out var apiKey);

// Assert
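Review bot: The new `[InlineData("0000thisis46charactersbutnotvalidbase32encoded")]` case exercises only the TryDecodeBase32String failure path added to ApiKeyV4.TryParseInternal; nothing in this hunk covers an input that is valid Base32 but decodes to the wrong prefix bytes, or to fewer than two bytes, so the `idBytes[0]`/`idBytes[1]` comparison after the new guard is reached only by the valid-key test. Adding one InlineData value of each kind would pin that branch and make a regression in the length handling visible. The test method's assertions continue outside the hunk.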