
Commit 216148b

Address code review security feedback
Co-authored-by: MariusStorhaug <17722253+MariusStorhaug@users.noreply.github.com>
1 parent 13b2427 commit 216148b

4 files changed

+25
-5
lines changed


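--- a/src/functions/private/Auth/Context/Set-PowerShellGalleryContext.ps1
+++ b/src/functions/private/Auth/Context/Set-PowerShellGalleryContext.ps1
@@ -46,7 +46,8 @@ function Set-PowerShellGalleryContext {
 
 process {
 Write-Debug "Setting context: [$ID]"
-$contextObj = @{} + $Context
+# Create a copy of the context hashtable to avoid modifying the original
+$contextObj = $Context.Clone()
 $contextObj['ID'] = $ID
 
 if ($PSCmdlet.ShouldProcess("Context [$ID]", 'Set')) {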
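Review bot: `$contextObj = $Context.Clone()` is a shallow copy, so the added comment overstates the protection: only the top-level key set is decoupled from the caller, and any nested hashtable or object values are still shared and would be mutated through `$contextObj`. `Clone()` is also a `[hashtable]` method rather than something every dictionary type offers, so if the `$Context` parameter (declared outside this hunk) is not constrained to `[hashtable]`, an `[ordered]` dictionary would now fail with a method-not-found error where the previous `@{} + $Context` form may have behaved differently; worth confirming against the parameter block. Suggest extending the comment to `# Shallow copy: top-level keys are decoupled from the caller, nested values remain shared` so the next maintainer does not rely on deep isolation.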
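--- a/src/functions/public/Auth/Connect-PowerShellGallery.ps1
+++ b/src/functions/public/Auth/Connect-PowerShellGallery.ps1
@@ -97,13 +97,14 @@ function Connect-PowerShellGallery {
 return
 }
 
-# Create context object
+# Create context object using centralized configuration
+$config = Get-PowerShellGalleryConfig
 $context = @{
 ID = $Name
 Name = $Name
 ApiKey = $ApiKey
-GalleryUrl = 'https://www.powershellgallery.com'
-ApiUrl = 'https://www.powershellgallery.com/api/v2'
+GalleryUrl = $config.GalleryUrl
+ApiUrl = $config.ApiUrl
 ConnectedAt = Get-Date
 }
 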
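Review bot: `$config = Get-PowerShellGalleryConfig` is consumed without checking that it returned anything, so if the config function yields `$null` or lacks a property, `$config.GalleryUrl` and `$config.ApiUrl` evaluate to `$null` (unless strict mode is enabled elsewhere, which this hunk does not show) and a context with empty endpoint URLs is stored under `$Name`; the problem then only surfaces later in Test-PowerShellGalleryAccess. Failing fast at creation time keeps a broken or tampered configuration from ever being persisted as a usable context: `if (-not $config -or -not $config.ApiUrl -or -not $config.GalleryUrl) { throw 'Get-PowerShellGalleryConfig did not return GalleryUrl and ApiUrl' }` placed directly after the assignment. The surrounding function continues on both sides of the hunk.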
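--- a/src/functions/public/Auth/Get-PowerShellGalleryAccessToken.ps1
+++ b/src/functions/public/Auth/Get-PowerShellGalleryAccessToken.ps1
@@ -7,6 +7,10 @@ function Get-PowerShellGalleryAccessToken {
 Retrieves the PowerShell Gallery API key from the specified context.
 Returns as SecureString by default, or as plain text with -AsPlainText.
 
+SECURITY NOTE: Using -AsPlainText exposes the API key in plain text in memory.
+This should only be used when necessary for API calls, and the plain text
+value should be cleared from memory as soon as possible after use.
+
 .EXAMPLE
 Get-PowerShellGalleryAccessToken
 
@@ -16,6 +20,7 @@ function Get-PowerShellGalleryAccessToken {
 Get-PowerShellGalleryAccessToken -Context 'MyAccount' -AsPlainText
 
 Gets the API key from 'MyAccount' context as plain text.
+WARNING: This exposes the API key in plain text - use with caution.
 #>
 [Diagnostics.CodeAnalysis.SuppressMessageAttribute(
 'PSAvoidUsingConvertToSecureStringWithPlainText', '',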
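Review bot: The added SECURITY NOTE tells callers the plain-text value "should be cleared from memory as soon as possible", but a plain-text key returned from `-AsPlainText` is a .NET string, which is immutable and cannot be zeroed by the caller; the advice as written is not something a reader can act on. More accurate guidance is to minimise the value's lifetime and exposure, for example `This should only be used when necessary for API calls; keep the plain-text value in as narrow a scope as possible, never write it to logs, transcripts or verbose output, and prefer passing the SecureString where the consuming API accepts one.` The same wording point applies to the WARNING line in the second hunk.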
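--- a/src/functions/public/Auth/Test-PowerShellGalleryAccess.ps1
+++ b/src/functions/public/Auth/Test-PowerShellGalleryAccess.ps1
@@ -62,8 +62,21 @@ function Test-PowerShellGalleryAccess {
 try {
 Write-Verbose 'Testing API connectivity...'
 
-# Try to access the API root to validate connectivity
+# Validate API URL is a PowerShell Gallery endpoint for security
 $apiUrl = $contextObj.ApiUrl
+if ($apiUrl -notmatch '^https://.*powershellgallery\.com/') {
+Write-Warning "API URL does not appear to be a PowerShell Gallery endpoint: $apiUrl"
+$result = [PSCustomObject]@{
+Success = $false
+Context = $contextObj.Name
+ApiUrl = $apiUrl
+TestedAt = Get-Date
+Message = 'API URL validation failed - not a PowerShell Gallery endpoint'
+ConnectedAt = $contextObj.ConnectedAt
+}
+return $result
+}
+
 $headers = @{
 'X-NuGet-ApiKey' = $apiKey
 }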
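Review bot: The allowlist regex `'^https://.*powershellgallery\.com/'` does not pin the host, because the unanchored `.*` can span the whole authority and path: a constructed value such as `https://other.example/powershellgallery.com/` matches even though the request, and the `X-NuGet-ApiKey` header sent with it a few lines later, would go to `other.example`. Since the purpose of the check is to keep the API key from being sent anywhere but the Gallery, the host should be taken from a parsed URI and compared as a host, not substring-matched inside the string; the rewrite below keeps the existing warning and failed-result object unchanged. `[Uri]::TryCreate` also rejects malformed values that the regex would let through to `Invoke-RestMethod`. The enclosing `try` and function continue past the end of the hunk.
```powershell
# Validate API URL is a PowerShell Gallery endpoint for security:
# compare the parsed scheme and host, not a substring of the raw string
$apiUrl = $contextObj.ApiUrl
$parsedUri = $null
$isGalleryEndpoint = [Uri]::TryCreate($apiUrl, [UriKind]::Absolute, [ref]$parsedUri) -and
    $parsedUri.Scheme -eq 'https' -and
    ($parsedUri.Host -eq 'powershellgallery.com' -or $parsedUri.Host -like '*.powershellgallery.com')
if (-not $isGalleryEndpoint) {
    # … unchanged: Write-Warning and the Success = $false result object …
}
```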