Address code review security feedback

Copilot · MariusStorhaug · Copilot · commit 216148be0ef7 · 2026-01-27T10:46:13.000Z
Co-authored-by: MariusStorhaug &lt;17722253+MariusStorhaug@users.noreply.github.com&gt;
diff --git a/src/functions/private/Auth/Context/Set-PowerShellGalleryContext.ps1 b/src/functions/private/Auth/Context/Set-PowerShellGalleryContext.ps1
@@ -46,7 +46,8 @@ function Set-PowerShellGalleryContext {
 
     process {
         Write-Debug "Setting context: [$ID]"
-        $contextObj = @{} + $Context
+        # Create a copy of the context hashtable to avoid modifying the original
+        $contextObj = $Context.Clone()
         $contextObj['ID'] = $ID
 
         if ($PSCmdlet.ShouldProcess("Context [$ID]", 'Set')) {
diff --git a/src/functions/public/Auth/Connect-PowerShellGallery.ps1 b/src/functions/public/Auth/Connect-PowerShellGallery.ps1
@@ -97,13 +97,14 @@ function Connect-PowerShellGallery {
             return
         }
 
-        # Create context object
+        # Create context object using centralized configuration
+        $config = Get-PowerShellGalleryConfig
         $context = @{
             ID          = $Name
             Name        = $Name
             ApiKey      = $ApiKey
-            GalleryUrl  = 'https://www.powershellgallery.com'
-            ApiUrl      = 'https://www.powershellgallery.com/api/v2'
+            GalleryUrl  = $config.GalleryUrl
+            ApiUrl      = $config.ApiUrl
             ConnectedAt = Get-Date
         }
 
diff --git a/src/functions/public/Auth/Get-PowerShellGalleryAccessToken.ps1 b/src/functions/public/Auth/Get-PowerShellGalleryAccessToken.ps1
@@ -7,6 +7,10 @@ function Get-PowerShellGalleryAccessToken {
         Retrieves the PowerShell Gallery API key from the specified context.
         Returns as SecureString by default, or as plain text with -AsPlainText.
 
+        SECURITY NOTE: Using -AsPlainText exposes the API key in plain text in memory.
+        This should only be used when necessary for API calls, and the plain text
+        value should be cleared from memory as soon as possible after use.
+
         .EXAMPLE
         Get-PowerShellGalleryAccessToken
 
@@ -16,6 +20,7 @@ function Get-PowerShellGalleryAccessToken {
         Get-PowerShellGalleryAccessToken -Context 'MyAccount' -AsPlainText
 
         Gets the API key from 'MyAccount' context as plain text.
+        WARNING: This exposes the API key in plain text - use with caution.
     #>
     [Diagnostics.CodeAnalysis.SuppressMessageAttribute(
         'PSAvoidUsingConvertToSecureStringWithPlainText', '',
diff --git a/src/functions/public/Auth/Test-PowerShellGalleryAccess.ps1 b/src/functions/public/Auth/Test-PowerShellGalleryAccess.ps1
@@ -62,8 +62,21 @@ function Test-PowerShellGalleryAccess {
         try {
             Write-Verbose 'Testing API connectivity...'
 
-            # Try to access the API root to validate connectivity
+            # Validate API URL is a PowerShell Gallery endpoint for security
             $apiUrl = $contextObj.ApiUrl
+            if ($apiUrl -notmatch '^https://.*powershellgallery\.com/') {
+                Write-Warning "API URL does not appear to be a PowerShell Gallery endpoint: $apiUrl"
+                $result = [PSCustomObject]@{
+                    Success     = $false
+                    Context     = $contextObj.Name
+                    ApiUrl      = $apiUrl
+                    TestedAt    = Get-Date
+                    Message     = 'API URL validation failed - not a PowerShell Gallery endpoint'
+                    ConnectedAt = $contextObj.ConnectedAt
+                }
+                return $result
+            }
+
             $headers = @{
                 'X-NuGet-ApiKey' = $apiKey
             }
