Credentials from configured source used for a non-configured source when the URL is similar

[gep13]

Checklist

• I confirm there are no unresolved issues reported on the Chocolatey Status page.
• I have verified this is the correct repository for opening this issue.
• I have verified no other issues exist related to my problem.
• I have verified this is not an issue for a specific package.
• I have verified this issue is not security related.
• I confirm I am using official, and not unofficial, or modified, Chocolatey products.

What You Are Seeing?

When performing package operations against a source, Chocolatey CLI may choose to use credentials stored against a different source.

What is Expected?

If credentials are not provided, Chocolatey CLI should not use credentials stored against a different source.

How Did You Get This To Happen?

1. Install Chocolatey on a machine
   Set-ExecutionPolicy Unrestricted Process -Force; irm https://ch0.co/go | iex
2. Install Sonatype Nexus Repository ('Nexus') on a machine (note: also installing NexuShell)
   choco install nexus-repository nexushell --confirm
   a. Log in to Nexus
   Connect-NexusServer -Hostname LocalHost -Credential ([PSCredential]::new('admin', (Get-Content C:\ProgramData\sonatype-work\nexus3\admin.password | ConvertTo-SecureString -Force -AsPlainText)))
   b. Create ChocolateyInternal NuGet repository
   New-NexusRepository -Name ChocolateyInternal -Format nuget -Type hosted -DeploymentPolicy Allow
   c. Create AdminOnly NuGet repository
   New-NexusRepository -Name AdminOnly -Format nuget -Type hosted -DeploymentPolicy Allow
   d. Push a package to the AdminOnly repository
   $ApiKey = (Get-NexusNuGetApiKey -Credential ([PSCredential]::new('admin', (Get-Content C:\ProgramData\sonatype-work\nexus3\admin.password | ConvertTo-SecureString -Force -AsPlainText)))).apiKey; choco push $env:ChocolateyInstall\lib\nexus-repository\nexus-repository.nupkg --source http://localhost:8081/repository/adminOnly/ --api-key="$ApiKey"
   e. Turn off anonymous access (last, because otherwise you can't push the package)
   Set-NexusAnonymousAuth -Disabled
3. Add the ChocolateyInternal repository to the Chocolatey install, including the valid username and password you are using for Nexus.
   choco source add -n=ChocoInternal --source=http://localhost:8081/repository/ChocolateyInternal/ -U=admin -P="$(Get-Content C:\ProgramData\sonatype-work\nexus3\admin.password)"
4. choco search --source $AdminOnlyFeedUrl, where the AdminOnlyFeedUrl is the URL of the AdminOnly repository on Nexus, without specifying credentials.
   choco search --source http://localhost:8081/repository/adminOnly/

At the end of the configuration, the server should be configured as follows:

• Nexus installed
• Anonymous authentication turned off, an account ready to be used
• Two sources created
• A package pushed to AdminOnly
• The ChocolateyInternal authenticated source added to Chocolatey CLI
• The AdminOnly source not added to Chocolatey CLI

System Details

• Operating System: Windows Server 2022
• Windows PowerShell Version: 5.1.20348.2849
• Chocolatey CLI Version: 2.4.0
• Chocolatey Licensed Extension version: 6.2.1 (but seemingly N/A)
• Chocolatey License type (Professional / Business / ?): Business
• Terminal/Emulator: bare PowerShell.exe

Installed Packages

N/A

Output Log

See [GitLab issue](https://gitlab.com/chocolatey/solutions/support-issues/-/issues/107).

Additional Context

• Zendesk Ticket

[gep13]

NOTE: This is a backported security issue, which is related to this issue, which is set to ship as part of Chocolatey CLI 2.4.1