NuGet package generation does not properly escape repository URL #41057

Closed
jmezach opened this issue May 21, 2024 · 2 comments

jmezach commented May 21, 2024

Describe the bug

As part of our Azure Pipeline we are creating some NuGet packages using the dotnet pack command. When doing this we are explicitly passing the RepositoryUrl property with the $(Build.Repository.Uri) Azure Pipeline pre-defined variable. Since the name of the repository a particular package is being built from has a space in it, this becomes a URL that also has a space in it.

Unfortunately I think this is causing problems further down the line. For example, in our case we are consuming this package in another project. For that project, we are generating a Software Bill of Materials (SBOM) using Cyclone DX. That same URL then ends up in the generated SBOM, including the spaces. That in turn is not accepted by DependencyTrack as the URL does not adhere to RFC 3987. I've filed an issue over there (see DependencyTrack/dependencytrack#3741) but they suggest we fix this at the source, which makes sense.

To Reproduce

  1. Create a new library project using dotnet new classlib
  2. Package the project using dotnet pack -p RepositoryUrl="https://somewhere.com/with spaces"
  3. Examine the package using NuGet Package Explorer
  4. See that the URL is put into the .nuspec verbatim with no escaping of spaces.

Note: The provided URL in the example (https://somewhere.com/with spaces) also doesn't pass a test with Uri.IsWellFormedUriString()

Exceptions (if any)

Not seeing any exceptions

Further technical details

  • Include the output of dotnet --info

.NET SDK:
Version: 8.0.201
Commit: 4c2d78f037
Workload version: 8.0.200-manifests.5638171e

Runtime Environment:
OS Name: Mac OS X
OS Version: 14.5
OS Platform: Darwin
RID: osx-arm64
Base Path: /usr/local/share/dotnet/sdk/8.0.201/

.NET workloads installed:
[maui-ios]
Installation Source: SDK 8.0.200
Manifest Version: 8.0.6/8.0.100
Manifest Path: /usr/local/share/dotnet/sdk-manifests/8.0.100/microsoft.net.sdk.maui/8.0.6/WorkloadManifest.json
Install Type: FileBased

[maui-android]
Installation Source: SDK 8.0.200
Manifest Version: 8.0.6/8.0.100
Manifest Path: /usr/local/share/dotnet/sdk-manifests/8.0.100/microsoft.net.sdk.maui/8.0.6/WorkloadManifest.json
Install Type: FileBased

Host:
Version: 8.0.2
Architecture: arm64
Commit: 1381d5ebd2

.NET SDKs installed:
6.0.413 [/usr/local/share/dotnet/sdk]
6.0.417 [/usr/local/share/dotnet/sdk]
6.0.419 [/usr/local/share/dotnet/sdk]
7.0.402 [/usr/local/share/dotnet/sdk]
8.0.100 [/usr/local/share/dotnet/sdk]
8.0.101 [/usr/local/share/dotnet/sdk]
8.0.201 [/usr/local/share/dotnet/sdk]

.NET runtimes installed:
Microsoft.AspNetCore.App 6.0.21 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 6.0.25 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 6.0.27 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 7.0.12 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.0 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.1 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.2 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 6.0.21 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.25 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.27 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 7.0.12 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.0 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.1 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.2 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]

Other architectures found:
None

Environment variables:
Not set

global.json file:
Not found

Learn more:
https://aka.ms/dotnet/info

Download .NET:
https://aka.ms/dotnet/download

  • The IDE (VS / VS Code/ VS4Mac) you're running on, and its version

VS Code 1.89.1
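An added example, not part of the original issue or of the .NET SDK: a pre-publish check that reads the repository URL out of a package's .nuspec, reports characters that may not appear unescaped, and produces a percent-encoded form. The sample package, its ID and its version are constructed here; the check uses the RFC 3986 character set, which is stricter than the RFC 3987 cited above in that it also flags non-ASCII characters.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import quote
from xml.sax.saxutils import quoteattr

# Anything outside RFC 3986 unreserved/gen-delims/sub-delims, or a '%'
# that does not start a valid two-hex-digit escape.
_ILLEGAL = re.compile(
    r"[^A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]|%(?![0-9A-Fa-f]{2})"
)


def repository_url(nupkg_bytes):
    """Return the url attribute of <repository> in the package's .nuspec, or None."""
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as pkg:
        name = next(n for n in pkg.namelist() if n.lower().endswith(".nuspec"))
        root = ET.fromstring(pkg.read(name))
    for elem in root.iter():
        # Compare local names so any nuspec schema namespace is accepted.
        if elem.tag.rsplit("}", 1)[-1] == "repository":
            return elem.get("url")
    return None


def illegal_chars(url):
    """Characters (or a stray '%') that may not appear unescaped in a URI."""
    return sorted(set(_ILLEGAL.findall(url)))


def escape_url(url):
    """Percent-encode only the illegal characters; keep delimiters and valid escapes."""
    return _ILLEGAL.sub(lambda m: quote(m.group(0), safe=""), url)


def build_sample_nupkg(url):
    """Constructed stand-in for `dotnet pack` output; package ID and version are made up."""
    nuspec = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">'
        "<metadata><id>Sample.Lib</id><version>1.0.0</version>"
        f'<repository type="git" url={quoteattr(url)} /></metadata></package>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("Sample.Lib.nuspec", nuspec)
    return buf.getvalue()


if __name__ == "__main__":
    url = repository_url(build_sample_nupkg("https://somewhere.com/with spaces"))
    print(repr(url), illegal_chars(url), escape_url(url))
```

Run as a pipeline step against the packed .nupkg and fail the build when `illegal_chars` returns a non-empty list, so the malformed URL never reaches the feed or a downstream SBOM.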

dotnet-issue-labeler bot added the Area-NetSDK and untriaged labels May 21, 2024
MiYanni added the Area-NuGet label and removed the untriaged, type-investigation and Area-NetSDK labels Mar 6, 2025
MiYanni removed their assignment Mar 7, 2025

MiYanni commented Mar 7, 2025

@dotnet/nuget-team Seems like something is incorrect when going from the MSBuild property information (for URL properties) into generating the .nuspec.

@aortiz-msft

Thanks for creating this issue! We believe this issue is related to NuGet tooling, which is maintained by the NuGet team. Thus, we closed this one and encourage you to raise this issue in the NuGet repository instead. Don’t forget to check out NuGet’s contributing guide before submitting an issue!

If you believe this issue was closed out of error, please comment to let us know.

Happy Coding!

cc @MiYanni
