
Unable to extract files from nupkg when different file name encoding is used #33

Closed
gep13 opened this issue Aug 30, 2022 · 0 comments

Comments

gep13 commented Aug 30, 2022

Impact

When extracting the contents of a Chocolatey package (a .nupkg file), depending on the encoding of the file name, Chocolatey is not aware of the existence of the file. This causes a problem in terms of how Chocolatey interrogates the contents of a file in order to send a file for scanning (via VirusTotal), as well as performing other functions on the file.

This means that there is the potential for a malicious file to be included within the nupkg file, and for Chocolatey not to be aware of the problem.

This issue stems from a change in the way that the underlying NuGet libraries handle the encoding of file names when they are added to the nupkg file. We need to make NuGet.Core aware of all the known ways to encode the file name, so that it can correctly handle the extraction of all files contained within the nupkg file.

Patches

A fix for this problem has been released in version 1.2.0 of Chocolatey CLI and we would recommend that everyone upgrade to this.

Workarounds

There are no known workarounds to this problem.

References

N/A
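As an added illustration, not code from the Chocolatey or NuGet.Core projects, the Python script below lists every entry in a nupkg's zip directory and flags the ones that an OPC-style reader expecting percent-encoded part names (as System.IO.Packaging does) would not surface because they store characters such as spaces or '@' raw, so those entries can still be handed to a scanner. The sample package, the accepted character set and the decoding rule are assumptions made for this example.

```python
import io
import re
import zipfile
from urllib.parse import unquote

# Characters assumed to be accepted unencoded in a part-name segment by an
# OPC-style reader; anything else (space, '@', ...) is expected to arrive
# percent-encoded. Entries storing such characters raw are not surfaced by
# that reader. This set is an assumption for the example, not the project's.
OPC_SAFE = re.compile(r"^[A-Za-z0-9\-._~!$&'()*+,;=:%]*$")


def build_sample_nupkg() -> bytes:
    """Constructed sample package: five entries, two with raw special characters."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample.nuspec", "<package/>")
        zf.writestr("tools/chocolateyInstall.ps1", "Write-Host 'install'")
        zf.writestr("tools/my%20tool.exe", "MZ-legacy-encoded-name")  # old-style encoded
        zf.writestr("tools/my tool.exe", "MZ-raw-space")               # raw space
        zf.writestr("tools/helper@2.dll", "MZ-raw-at-sign")            # raw '@'
    return buf.getvalue()


def audit_nupkg(data: bytes) -> dict:
    """Return all zip entries, the names an OPC-style reader would expose
    (after %XX decoding), and the entries it would silently skip."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
    visible, hidden = [], []
    for name in names:
        if all(OPC_SAFE.match(seg) for seg in name.split("/")):
            visible.append(unquote(name))  # reader decodes %XX before exposing the name
        else:
            hidden.append(name)            # never extracted, hence never scanned
    return {"all": names, "visible": visible, "hidden": hidden}


if __name__ == "__main__":
    report = audit_nupkg(build_sample_nupkg())
    print("entries in zip directory:", len(report["all"]))
    for name in report["hidden"]:
        print("NOT surfaced by OPC-style reader, scan separately:", name)
```

Every name in "hidden" is present in the archive but absent from what the OPC-style code path extracts, which is exactly the gap described in the Impact section.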

@gep13 gep13 added this to the 2.11.0.20220901 milestone Oct 21, 2022
@gep13 gep13 changed the title TBD Unable to extract files from nupkg when different file name encoding is used Oct 21, 2022
@gep13 gep13 closed this as completed Oct 21, 2022
gep13 pushed a commit that referenced this issue Oct 21, 2022
This commit adds DotNetZip to use for extracting nupkgs.
The System.IO.Packaging code is not able to extract files within
nupkgs that contain special characters like spaces or at symbols.
This causes those files to not be extracted from nupkgs when this
library is used by consumers like Chocolatey CLI. This will cause
problems when packages packed with future versions of Chocolatey CLI
that use NuGet SDK assemblies as files with special characters are not
encoded due to changes in how NuGet operates, and therefore those
packages would be incompatible with older versions of Chocolatey CLI.
It also would affect the Community Repository services in a similar
way, as they also use this library.

This commit then switches the ZipPackage and OptimizedZipPackage
classes to use DotNetZip as the primary way to extract nupkgs. This
allows for the extraction of files with filenames that have special
characters. If DotNetZip is unable to read a passed-in package, it
will fall back to the system Packaging code.

The build.cmd is updated to restore the DotNetZip package because
msbuild was not happy about restoring it. The strongname script was
also updated to include the DotNetZip assembly in the ilmerged final
assembly so a specific reference to DotNetZip is not required in
projects that consume this library.
gep13 added a commit that referenced this issue Oct 21, 2022
* dotnetzip-package-add:
  (#33) Add DotNetZip to use for package extraction
  (maint) Update NuGet.exe to v6.2.1