github
diff --git a/Diff for: ‎lib/start-proxy.js
+17-2 b/Diff for: ‎lib/start-proxy.js
+17-2
diff --git a/Diff for: ‎lib/start-proxy.js.map
+1-1 b/Diff for: ‎lib/start-proxy.js.map
+1-1
diff --git a/Diff for: ‎lib/start-proxy.test.js
+14 b/Diff for: ‎lib/start-proxy.test.js
+14
diff --git a/Diff for: ‎lib/start-proxy.test.js.map
+1-1 b/Diff for: ‎lib/start-proxy.test.js.map
+1-1
diff --git a/Diff for: ‎src/start-proxy.test.ts
+28 b/Diff for: ‎src/start-proxy.test.ts
+28
diff --git a/Diff for: ‎src/start-proxy.ts
+20-2 b/Diff for: ‎src/start-proxy.ts
+20-2
@@ -80,3 +80,31 @@ test("getCredentials returns all credentials when no language specified", async
   );
   t.is(credentials.length, 3);
 });
+
+test("getCredentials throws an error when non-printable characters are used", async (t) => {
+    const invalidCredentials = [
+      { type: "nuget_feed", host: "1nuget.pkg.github.com", token: "abc\u0000" }, // Non-printable character in token
+      { type: "nuget_feed", host: "2nuget.pkg.github.com\u0001" }, // Non-printable character in host
+      { type: "nuget_feed", host: "3nuget.pkg.github.com", password: "ghi\u0002" }, // Non-printable character in password
+      { type: "nuget_feed", host: "4nuget.pkg.github.com", password: "ghi\x00" }, // Non-printable character in password
+    ];
+
+    for (const invalidCredential of invalidCredentials) {
+      const credentialsInput = Buffer.from(
+        JSON.stringify([invalidCredential]),
+      ).toString("base64");
+
+      t.throws(
+        () =>
+          startProxyExports.getCredentials(
+            getRunnerLogger(true),
+            undefined,
+            credentialsInput,
+            undefined,
+          ),
+        {
+          message: "Invalid credentials - fields must contain only printable characters",
+        },
+      );
+    }
+  });
@@ -51,10 +51,19 @@ export function getCredentials(
   }
 
   // Parse and validate the credentials
-  const parsed = JSON.parse(credentialsStr) as Credential[];
-  const out: Credential[] = [];
+  let parsed: Credential[];
+  try {
+    parsed = JSON.parse(credentialsStr) as Credential[];
+  } catch (error) {
+    // Don't log the error since it might contain sensitive information.
+    logger.error("Failed to parse the credentials data.");
+    throw new Error("Invalid credentials format.");
+  }
+
+  let out: Credential[] = [];
   for (const e of parsed) {
     if (e.url === undefined && e.host === undefined) {
+      // The proxy needs one of these to work. If both are defined, the url has the precedence.
       throw new Error("Invalid credentials - must specify host or url");
     }
 
@@ -64,6 +73,15 @@ export function getCredentials(
       continue;
     }
 
+
+    const isPrintable = (str: string | undefined): boolean => {
+      return str ? /^[\x20-\x7E]*$/.test(str) : true;
+    };
+
+    if (!isPrintable(e.type) || !isPrintable(e.host) || !isPrintable(e.url) || !isPrintable(e.username) || !isPrintable(e.password) || !isPrintable(e.token)) {
+      throw new Error("Invalid credentials - fields must contain only printable characters");
+    }
+
     out.push({
       type: e.type,
       host: e.host,