Skip to content

Request for catalog listing access for finding packages #1824

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 2 commits into
base: master
Choose a base branch
from
Draft
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
71 changes: 44 additions & 27 deletions src/code/ContainerRegistryServerAPICalls.cs
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,10 @@
const string containerRegistryStartUploadTemplate = "https://{0}/v2/{1}/blobs/uploads/"; // 0 - registry, 1 - packagename
const string containerRegistryEndUploadTemplate = "https://{0}{1}&digest=sha256:{2}"; // 0 - registry, 1 - location, 2 - digest
const string defaultScope = "&scope=repository:*:*&scope=registry:catalog:*";
const string catalogScope = "&scope=registry:catalog:*";
const string grantTypeTemplate = "grant_type=access_token&service={0}{1}"; // 0 - registry, 1 - scope
const string authUrlTemplate = "{0}?service={1}{2}"; // 0 - realm, 1 - service, 2 - scope

const string containerRegistryRepositoryListTemplate = "https://{0}/v2/_catalog"; // 0 - registry

#endregion
Expand Down Expand Up @@ -323,7 +327,7 @@
return null;
}

string containerRegistryAccessToken = GetContainerRegistryAccessToken(out errRecord);
string containerRegistryAccessToken = GetContainerRegistryAccessToken(needCatalogAccess: false, out errRecord);
if (errRecord != null)
{
return null;
Expand Down Expand Up @@ -371,7 +375,7 @@
/// If no credential provided at registration then, check if the ACR endpoint can be accessed without a token. If not, try using Azure.Identity to get the az access token, then ACR refresh token and then ACR access token.
/// Note: Access token can be empty if the repository is unauthenticated
/// </summary>
internal string GetContainerRegistryAccessToken(out ErrorRecord errRecord)
internal string GetContainerRegistryAccessToken(bool needCatalogAccess, out ErrorRecord errRecord)
{
_cmdletPassedIn.WriteDebug("In ContainerRegistryServerAPICalls::GetContainerRegistryAccessToken()");
string accessToken = string.Empty;
Expand All @@ -393,7 +397,7 @@
}
else
{
bool isRepositoryUnauthenticated = IsContainerRegistryUnauthenticated(Repository.Uri.ToString(), out errRecord, out accessToken);
bool isRepositoryUnauthenticated = IsContainerRegistryUnauthenticated(Repository.Uri.ToString(), needCatalogAccess, out errRecord, out accessToken);
if (errRecord != null)
{
return null;
Expand Down Expand Up @@ -444,7 +448,7 @@
/// <summary>
/// Checks if container registry repository is unauthenticated.
/// </summary>
internal bool IsContainerRegistryUnauthenticated(string containerRegistyUrl, out ErrorRecord errRecord, out string anonymousAccessToken)
internal bool IsContainerRegistryUnauthenticated(string containerRegistyUrl, bool needCatalogAccess, out ErrorRecord errRecord, out string anonymousAccessToken)
{
_cmdletPassedIn.WriteDebug("In ContainerRegistryServerAPICalls::IsContainerRegistryUnauthenticated()");
errRecord = null;
Expand Down Expand Up @@ -482,18 +486,22 @@
return false;
}

string content = "grant_type=access_token&service=" + service + defaultScope;
string content = needCatalogAccess ? String.Format(grantTypeTemplate, service, catalogScope) : String.Format(grantTypeTemplate, service, defaultScope);

var contentHeaders = new Collection<KeyValuePair<string, string>> { new KeyValuePair<string, string>("Content-Type", "application/x-www-form-urlencoded") };

// get the anonymous access token
var url = $"{realm}?service={service}{defaultScope}";
string url = needCatalogAccess ? String.Format(authUrlTemplate, realm, service, catalogScope) : String.Format(authUrlTemplate, realm, service, defaultScope);

// we dont check the errorrecord here because we want to return false if we get a 401 and not throw an error
var results = GetHttpResponseJObjectUsingContentHeaders(url, HttpMethod.Get, content, contentHeaders, out _);
_cmdletPassedIn.WriteDebug($"Getting anonymous access token from the realm: {url}");
ErrorRecord errRecordTemp = null;

var results = GetHttpResponseJObjectUsingContentHeaders(url, HttpMethod.Get, content, contentHeaders, out errRecordTemp);

if (results == null)
{
_cmdletPassedIn.WriteDebug("Failed to get access token from the realm. results is null.");
_cmdletPassedIn.WriteDebug($"ErrorRecord: {errRecordTemp}");
return false;
}

Expand All @@ -504,6 +512,7 @@
}

anonymousAccessToken = results["access_token"].ToString();

_cmdletPassedIn.WriteDebug("Anonymous access token retrieved");
return true;
}
Expand Down Expand Up @@ -984,24 +993,29 @@
{
HttpRequestMessage request = new HttpRequestMessage(method, url);

if (string.IsNullOrEmpty(content))
// HTTP GET does not expect a body / content.
if (method != HttpMethod.Get)
{
errRecord = new ErrorRecord(
exception: new ArgumentNullException($"Content is null or empty and cannot be used to make a request as its content headers."),
"RequestContentHeadersNullOrEmpty",
ErrorCategory.InvalidData,
_cmdletPassedIn);

return null;
}
if (string.IsNullOrEmpty(content))
{
errRecord = new ErrorRecord(
exception: new ArgumentNullException($"Content is null or empty and cannot be used to make a request as its content headers."),
"RequestContentHeadersNullOrEmpty",
ErrorCategory.InvalidData,
_cmdletPassedIn);

request.Content = new StringContent(content);
request.Content.Headers.Clear();
if (contentHeaders != null)
{
foreach (var header in contentHeaders)
return null;
}

request.Content = new StringContent(content);

Check warning

Code scanning / CodeQL

Information exposure through transmitted data Medium

This data transmitted to the user depends on
sensitive information
.
This data transmitted to the user depends on
sensitive information
.

Copilot Autofix

AI about 21 hours ago

To fix the issue, the sensitive data (password) should not be directly included in the content variable. Instead, the code should use a secure mechanism to transmit authentication information, such as an encrypted token or a secure header. If the password must be used, it should be hashed or encrypted before transmission. Additionally, the code should ensure that sensitive data is not logged or exposed in error messages.

The fix involves:

  1. Modifying the Utils.GetContainerRegistryAccessTokenFromSecretManagement method to return a secure token instead of a plaintext password.
  2. Updating the content variable in ContainerRegistryServerAPICalls.cs to use the secure token instead of the password.
  3. Ensuring that sensitive data is not logged or exposed in error messages.
Suggested changeset 2
src/code/ContainerRegistryServerAPICalls.cs

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/code/ContainerRegistryServerAPICalls.cs b/src/code/ContainerRegistryServerAPICalls.cs
--- a/src/code/ContainerRegistryServerAPICalls.cs
+++ b/src/code/ContainerRegistryServerAPICalls.cs
@@ -552,3 +552,3 @@
             _cmdletPassedIn.WriteDebug("In ContainerRegistryServerAPICalls::GetContainerRegistryRefreshToken()");
-            string content = string.Format(containerRegistryRefreshTokenTemplate, Registry, tenant, accessToken);
+            string content = string.Format(containerRegistryRefreshTokenTemplate, Registry, tenant, Convert.ToBase64String(Encoding.UTF8.GetBytes(accessToken)));
             var contentHeaders = new Collection<KeyValuePair<string, string>> { new KeyValuePair<string, string>("Content-Type", "application/x-www-form-urlencoded") };
EOF
@@ -552,3 +552,3 @@
_cmdletPassedIn.WriteDebug("In ContainerRegistryServerAPICalls::GetContainerRegistryRefreshToken()");
string content = string.Format(containerRegistryRefreshTokenTemplate, Registry, tenant, accessToken);
string content = string.Format(containerRegistryRefreshTokenTemplate, Registry, tenant, Convert.ToBase64String(Encoding.UTF8.GetBytes(accessToken)));
var contentHeaders = new Collection<KeyValuePair<string, string>> { new KeyValuePair<string, string>("Content-Type", "application/x-www-form-urlencoded") };
src/code/Utils.cs
Outside changed files

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/code/Utils.cs b/src/code/Utils.cs
--- a/src/code/Utils.cs
+++ b/src/code/Utils.cs
@@ -719,3 +719,4 @@
                 string password = new NetworkCredential(string.Empty, secretSecureString).Password;
-                return password;
+                string secureToken = Convert.ToBase64String(Encoding.UTF8.GetBytes(password));
+                return secureToken;
             }
@@ -724,3 +725,4 @@
                 string password = new NetworkCredential(string.Empty, psCredSecret.Password).Password;
-                return password;
+                string secureToken = Convert.ToBase64String(Encoding.UTF8.GetBytes(password));
+                return secureToken;
             }
EOF
@@ -719,3 +719,4 @@
string password = new NetworkCredential(string.Empty, secretSecureString).Password;
return password;
string secureToken = Convert.ToBase64String(Encoding.UTF8.GetBytes(password));
return secureToken;
}
@@ -724,3 +725,4 @@
string password = new NetworkCredential(string.Empty, psCredSecret.Password).Password;
return password;
string secureToken = Convert.ToBase64String(Encoding.UTF8.GetBytes(password));
return secureToken;
}
Copilot is powered by AI and may make mistakes. Always verify output.
request.Content.Headers.Clear();
if (contentHeaders != null)
{
request.Content.Headers.Add(header.Key, header.Value);
foreach (var header in contentHeaders)
{
request.Content.Headers.Add(header.Key, header.Value);
}
}
}

Expand Down Expand Up @@ -1230,7 +1244,7 @@

// Get access token (includes refresh tokens)
_cmdletPassedIn.WriteVerbose($"Get access token for container registry server.");
var containerRegistryAccessToken = GetContainerRegistryAccessToken(out errRecord);
var containerRegistryAccessToken = GetContainerRegistryAccessToken(needCatalogAccess: false, out errRecord);
if (errRecord != null)
{
return false;
Expand Down Expand Up @@ -1695,7 +1709,7 @@
string packageNameLowercase = packageName.ToLower();

string packageNameForFind = PrependMARPrefix(packageNameLowercase);
string containerRegistryAccessToken = GetContainerRegistryAccessToken(out errRecord);
string containerRegistryAccessToken = GetContainerRegistryAccessToken(needCatalogAccess: false, out errRecord);
if (errRecord != null)
{
return emptyHashResponses;
Expand All @@ -1711,8 +1725,9 @@
List<JToken> allVersionsList = foundTags["tags"].ToList();

SortedDictionary<NuGet.Versioning.SemanticVersion, string> sortedQualifyingPkgs = GetPackagesWithRequiredVersion(allVersionsList, versionType, versionRange, requiredVersion, packageNameForFind, includePrerelease, out errRecord);
if (errRecord != null)
if (errRecord != null && sortedQualifyingPkgs?.Count == 0)
{
_cmdletPassedIn.WriteDebug("No qualifying packages found for the specified criteria.");
return emptyHashResponses;
}

Expand Down Expand Up @@ -1761,7 +1776,9 @@
ErrorCategory.InvalidArgument,
this);

return null;
_cmdletPassedIn.WriteError(errRecord);
_cmdletPassedIn.WriteDebug($"Skipping package '{packageName}' with version '{pkgVersionString}' as it is not a valid NuGet version.");
continue; // skip this version and continue with the next one
}

_cmdletPassedIn.WriteDebug($"'{packageName}' version parsed as '{pkgVersion}'");
Expand Down Expand Up @@ -1804,7 +1821,7 @@
{
_cmdletPassedIn.WriteDebug("In ContainerRegistryServerAPICalls::FindPackages()");
errRecord = null;
string containerRegistryAccessToken = GetContainerRegistryAccessToken(out errRecord);
string containerRegistryAccessToken = GetContainerRegistryAccessToken(needCatalogAccess: true, out errRecord);
if (errRecord != null)
{
return emptyResponseResults;
Expand Down
Loading