From 4a96d3c55777515a7dc81e9f57d9bdd2af563a4c Mon Sep 17 00:00:00 2001
From: Joel Verhagen <jver@microsoft.com>
Date: Thu, 3 Nov 2022 11:55:38 -0700
Subject: [PATCH] Return 404 when the null version is provided to the license
 endpoint (#9297)

Address https://github.com/NuGet/NuGetGallery/issues/9295
---
 .../Controllers/PackagesController.cs             |  5 +++++
 .../Controllers/PackagesControllerFacts.cs        | 15 +++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/src/NuGetGallery/Controllers/PackagesController.cs b/src/NuGetGallery/Controllers/PackagesController.cs
index 983845f133..08a0ac1015 100644
--- a/src/NuGetGallery/Controllers/PackagesController.cs
+++ b/src/NuGetGallery/Controllers/PackagesController.cs
@@ -1174,6 +1174,11 @@ public virtual ActionResult AtomFeed(string id, bool prerel = true)
         [HttpGet]
         public virtual async Task<ActionResult> License(string id, string version)
         {
+            if (version == null)
+            {
+                return HttpNotFound();
+            }
+
             var package = _packageService.FindPackageByIdAndVersionStrict(id, version);
             if (package == null || package.PackageStatusKey == PackageStatus.Deleted)
             {
diff --git a/tests/NuGetGallery.Facts/Controllers/PackagesControllerFacts.cs b/tests/NuGetGallery.Facts/Controllers/PackagesControllerFacts.cs
index 44ea19c9c2..b293c22d4c 100644
--- a/tests/NuGetGallery.Facts/Controllers/PackagesControllerFacts.cs
+++ b/tests/NuGetGallery.Facts/Controllers/PackagesControllerFacts.cs
@@ -10071,6 +10071,21 @@ public async Task GivenInvalidPackageReturns404()
                 Assert.IsType<HttpNotFoundResult>(result);
             }
 
+            [Fact]
+            public async Task GivenNullVersionReturns404()
+            {
+                // arrange
+                var controller = CreateController(
+                    GetConfigurationService(),
+                    packageService: _packageService);
+
+                // act
+                var result = await controller.License(_packageId, version: null);
+
+                // assert
+                Assert.IsType<HttpNotFoundResult>(result);
+            }
+
             [Fact]
             public async Task GivenDeletedPackageReturns404()
             {