(GH-466) Credential cache validates against base url

First atttempt to validate against the exact path for the source Uri, but when that fails due to subpaths in the source uri string, also attempt to validate credentials against the host Uri as well. In most cases this should be fine, however there could be a very slight security issue if the host domain is tracking calls on the credentials when the sub path is owned by someone different, such as in shared hosting where the domain is shared and the subpaths are different for everyone. The chances of this are extremely slight given that most hosting for NuGet Servers own the virtual site or are used internally. In most cases those host domains probably already validate your user name/password in other places. It is worth noting though. Only use hosting solutions you trust.
chocolatey · Feb 4, 2016 · 98c9f7a · 98c9f7a
1 parent 2d8c717
commit 98c9f7a
Showing 1 changed file with 22 additions and 4 deletions.
diff --git a/src/chocolatey/infrastructure.app/nuget/ChocolateyNugetCredentialProvider.cs b/src/chocolatey/infrastructure.app/nuget/ChocolateyNugetCredentialProvider.cs
@@ -18,6 +18,7 @@ namespace chocolatey.infrastructure.app.nuget
     using System;
     using System.Linq;
     using System.Net;
+    using commandline;
     using NuGet;
     using configuration;
     using logging;
@@ -56,10 +57,27 @@ public ICredentials GetCredentials(Uri uri, IWebProxy proxy, CredentialType cred
 
             var source = _config.MachineSources.FirstOrDefault(s =>
                 {
-                    var sourceUri = s.Key.TrimEnd('/');
-                    return sourceUri.is_equal_to(uri.OriginalString.TrimEnd('/')) 
-                        && !string.IsNullOrWhiteSpace(s.Username)
-                        && !string.IsNullOrWhiteSpace(s.EncryptedPassword);
+                    var sourceUrl = s.Key.TrimEnd('/');
+
+                    var equalAtFullUri = sourceUrl.is_equal_to(uri.OriginalString.TrimEnd('/'))
+                       && !string.IsNullOrWhiteSpace(s.Username)
+                       && !string.IsNullOrWhiteSpace(s.EncryptedPassword);
+
+                    if (equalAtFullUri) return true;
+
+                    try
+                    {
+                        var sourceUri = new Uri(sourceUrl);
+                        return sourceUri.Host.is_equal_to(uri.Host.TrimEnd('/'))
+                            && !string.IsNullOrWhiteSpace(s.Username)
+                            && !string.IsNullOrWhiteSpace(s.EncryptedPassword);
+                    }
+                    catch (Exception)
+                    {
+                        this.Log().Error("Source '{0}' is not a valid Uri".format_with(sourceUrl));
+                    }
+
+                    return false;
                 });
 
             if (source == null)