NuGetGallery
[NuGet.org Bug]: 400 Bad Request on Deprecate Request (extended-ASCII)
Impact
It's more difficult to complete my work
Describe the bug
It appears that URI Data Escape (or URL Escape) is happening for extended-ASCII characters (e.g.: ö -- in this case) in NuGet package names, when they are selected for being marked as deprecated on the website. This can be seen in the id field of the payload that's being sent to nuget.org (see screenshot).
However, the alternatePackageId package name field is not escaped; which shows inconsistent behaviour - especially, if these fields are passed as URI parameters.
As a result, this causes a 400 Bad Request error, which manifests as "An unknown error occurred when submitting the form." on the website.
Repro Steps
Steps to reproduce:
- Create a NuGet package with extended-ASCII characters (e.g.: Möò).
- Create a second NuGet package as a replacement for the first (e.g.: Møö)
- Publish the NuGet package to NuGet.
- Use the website to try to disable all versions of the package from step 1, noting the package in Step 2 as the replacement -- noting the name of the package in the id and alternatePackageId fields, after receiving the 400 Bad Request.
Expected Behavior
The request to deprecate all versions of the package should succeed.
Screenshots
Additional Context and logs
Below is the raw curl command generated by Edge to reproduce the issue:
curl 'https://www.nuget.org/json/deprecation/Deprecate' \
-H 'Accept: application/json, text/javascript, */*; q=0.01' \
-H 'Accept-Language: en-US,en;q=0.9,en-IE;q=0.8,sv;q=0.7' \
-H 'Connection: keep-alive' \
-H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
-H 'Cookie: MSCC=cid=[REDACTED]; ARRAffinity=[REDACTED];ARRAffinitySameSite=[REDACTED]; ARRAffinity=[REDACTED]; ARRAffinitySameSite=[REDACTED]; __RequestVerificationToken=[REDACTED]; .AspNet.LocalUser=[REDACTED]; __Controller::TempData=' \
-H 'Origin: https://www.nuget.org' \
-H 'Referer: https://www.nuget.org/packages/Fels%C3%B6kning.Utilities.SvenskaUtilities/2.0.29/Manage' \
-H 'Sec-Fetch-Dest: empty' \
-H 'Sec-Fetch-Mode: cors' \
-H 'Sec-Fetch-Site: same-origin' \
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Edg/123.0.0.0' \
-H 'X-Requested-With: XMLHttpRequest' \
-H 'sec-ch-ua: "Microsoft Edge";v="123", "Not:A-Brand";v="8", "Chromium";v="123"' \
-H 'sec-ch-ua-mobile: ?0' \
-H 'sec-ch-ua-platform: "Windows"' \
--data-raw $'id=Fels%26%23246%3Bkning.Utilities.SvenskaUtilities&versions%5B%5D=2.0.29&versions%5B%5D=2.0.28&versions%5B%5D=2.0.27&versions%5B%5D=2.0.26&versions%5B%5D=2.0.25&versions%5B%5D=2.0.23&versions%5B%5D=2.0.0&versions%5B%5D=1.2.2&versions%5B%5D=1.2.1&versions%5B%5D=1.2.0&versions%5B%5D=1.1.9&versions%5B%5D=1.1.8&versions%5B%5D=1.1.7&versions%5B%5D=1.1.6&versions%5B%5D=1.1.5&versions%5B%5D=1.1.4&versions%5B%5D=1.1.3&versions%5B%5D=1.0.0&isLegacy=true&hasCriticalBugs=false&isOther=false&alternatePackageId=Fels%C3%B6kning.Sverige&alternatePackageVersion=&customMessage=This+package+is+deprecated+and+hasn\'t+received+any+updates+in+almost+3+years.+Please+migrate+to+Fels%C3%B6kning+or+Fels%C3%B6kning.Sverige+for+the+same+features+with+supportability+on+current+versions+of+.NET.&__RequestVerificationToken=[REDACTED]'
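Decoding the two ID fields from the captured request body above, as an added example that is not part of the original report: percent-decoding `id` once leaves an HTML character reference (`&#246;`), while `alternatePackageId` decodes straight to UTF-8 text. The function names are hypothetical, and the sample body is an excerpt of the `--data-raw` value from the curl command.

```python
import html
import re
from urllib.parse import parse_qsl

# Excerpt of the --data-raw body from the curl command above (fields trimmed).
CAPTURED_BODY = (
    "id=Fels%26%23246%3Bkning.Utilities.SvenskaUtilities"
    "&versions%5B%5D=2.0.29"
    "&alternatePackageId=Fels%C3%B6kning.Sverige"
)

# Numeric (&#246; / &#xF6;) or named (&ouml;) HTML character references.
CHAR_REF = re.compile(r"&(#\d+|#[xX][0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);")


def inspect_form_body(body: str) -> dict:
    """Percent-decode each form field once and flag leftover HTML encoding."""
    report = {}
    for name, value in parse_qsl(body, keep_blank_values=True, encoding="utf-8"):
        refs = [m.group(0) for m in CHAR_REF.finditer(value)]
        report.setdefault(name, []).append({
            "decoded": value,       # what a form parser sees
            "html_refs": refs,      # entities that survived URL decoding
            "canonical": html.unescape(value) if refs else value,
        })
    return report


def html_encoded_fields(body: str) -> list:
    """Names of fields whose decoded value still carries HTML character references."""
    return sorted(
        name
        for name, entries in inspect_form_body(body).items()
        if any(e["html_refs"] for e in entries)
    )


if __name__ == "__main__":
    for name, entries in inspect_form_body(CAPTURED_BODY).items():
        for e in entries:
            print(f"{name}: {e['decoded']!r} -> {e['canonical']!r} refs={e['html_refs']}")
    print("HTML-encoded before submission:", html_encoded_fields(CAPTURED_BODY))
```

A server that compares the decoded `id` against stored package IDs without undoing the HTML layer sees a different string from the one in `alternatePackageId`, which is the inconsistency the report describes.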
@ryuyu Could you please just repro this issue? If yes, then please let us know.
I was able to repro this issue in dev. I haven't dug too deep into root causing yet, but I can confirm that it is reliably reproducible using the steps provided.
Thank you. I'll follow up about prioritization.
Hey @felsokning, I have a workaround you can try, if you are interested. I am working on bringing https://github.com/NuGet/NuGetGallery/issues/8873 (an API to deprecate package) to a public preview. It's not there yet. But I can enable your user account for a private preview. I tried these extended-ASCII characters on the API and it appears to work just fine. I tried ö in the package ID, the alternate ID, and the message.
I've found your NuGet.org username as the owner of the package IDs mentioned in your error report and enabled this user account for the deprecation API.
The pre-release API docs are here: https://github.com/NuGet/docs.microsoft.com-nuget/blob/jver-deprapi/docs/api/package-publish-resource.md#deprecate-or-undeprecate-a-package
You can use PowerShell, cURL, or whatever HTTP client you want to submit the request.
I have a .NET tool I wrote (not released by the team, my own proof-of-concept) that you can try if you don't want to script it yourself. https://www.nuget.org/packages/Knapcode.PackageLifeCycle#readme-body-tab
You need an API key with the "unlist" scope.
I'd love to hear if you are successful with the API or if you have any feedback/ideas/suggestions. Feel free to post your feedback publicly on the deprecation API issue (https://github.com/NuGet/NuGetGallery/issues/8873) or email me directly jver [at] microsoft [dot] com (whichever you prefer).