Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[1.1] Ensure all hash types are checked #4529

Merged
merged 1 commit into from
Sep 21, 2021
Merged

[1.1] Ensure all hash types are checked #4529

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
14 changes: 7 additions & 7 deletions poetry.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

32 changes: 23 additions & 9 deletions poetry/installation/executor.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -608,16 +608,30 @@ def _download_link(self, operation, link):
archive = self._chef.prepare(archive)

if package.files:
archive_hash = (
"sha256:"
+ FileDependency(
package.name,
Path(archive.path) if isinstance(archive, Link) else archive,
).hash()
)
if archive_hash not in {f["hash"] for f in package.files}:
hashes = {f["hash"] for f in package.files}
hash_types = {h.split(":")[0] for h in hashes}
archive_hashes = set()
for hash_type in hash_types:
archive_hashes.add(
"{}:{}".format(
hash_type,
FileDependency(
package.name,
Path(archive.path)
if isinstance(archive, Link)
else archive,
).hash(hash_type),
)
)

if archive_hashes.isdisjoint(hashes):
raise RuntimeError(
"Invalid hash for {} using archive {}".format(package, archive.name)
"Invalid hashes ({}) for {} using archive {}. Expected one of {}.".format(
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like this better than my single hash message.

", ".join(sorted(archive_hashes)),
package,
archive.name,
", ".join(sorted(hashes)),
)
)

return archive
Expand Down
2 changes: 1 addition & 1 deletion pyproject.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ classifiers = [
[tool.poetry.dependencies]
python = "~2.7 || ^3.5"

poetry-core = "~1.0.5"
poetry-core = "~1.0.6"
cleo = "^0.8.1"
clikit = "^0.6.2"
crashtest = { version = "^0.3.0", python = "^3.6" }
Expand Down
76 changes: 76 additions & 0 deletions tests/installation/test_executor.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,8 @@

from poetry.config.config import Config
from poetry.core.packages.package import Package
from poetry.core.packages.utils.link import Link
from poetry.installation.chef import Chef
from poetry.installation.executor import Executor
from poetry.installation.operations import Install
from poetry.installation.operations import Uninstall
Expand Down Expand Up @@ -251,3 +253,77 @@ def test_executor_should_delete_incomplete_downloads(
executor._download(Install(Package("tomlkit", "0.5.3")))

assert not destination_fixture.exists()


def test_executor_should_check_every_possible_hash_types(
config, io, pool, mocker, fixture_dir, tmp_dir
):
mocker.patch.object(
Chef, "get_cached_archive_for_link", side_effect=lambda link: link,
)
mocker.patch.object(
Executor,
"_download_archive",
return_value=fixture_dir("distributions").joinpath(
"demo-0.1.0-py2.py3-none-any.whl"
),
)

env = MockEnv(path=Path(tmp_dir))
executor = Executor(env, pool, config, io)

package = Package("demo", "0.1.0")
package.files = [
{
"file": "demo-0.1.0-py2.py3-none-any.whl",
"hash": "md5:15507846fd4299596661d0197bfb4f90",
}
]

archive = executor._download_link(
Install(package), Link("https://example.com/demo-0.1.0-py2.py3-none-any.whl")
)

assert archive == fixture_dir("distributions").joinpath(
"demo-0.1.0-py2.py3-none-any.whl"
)


def test_executor_should_check_every_possible_hash_types_before_failing(
config, io, pool, mocker, fixture_dir, tmp_dir
):
mocker.patch.object(
Chef, "get_cached_archive_for_link", side_effect=lambda link: link,
)
mocker.patch.object(
Executor,
"_download_archive",
return_value=fixture_dir("distributions").joinpath(
"demo-0.1.0-py2.py3-none-any.whl"
),
)

env = MockEnv(path=Path(tmp_dir))
executor = Executor(env, pool, config, io)

package = Package("demo", "0.1.0")
package.files = [
{"file": "demo-0.1.0-py2.py3-none-any.whl", "hash": "md5:123456"},
{"file": "demo-0.1.0-py2.py3-none-any.whl", "hash": "sha256:123456"},
]

expected_message = (
"Invalid hashes "
"("
"md5:15507846fd4299596661d0197bfb4f90, "
"sha256:70e704135718fffbcbf61ed1fc45933cfd86951a744b681000eaaa75da31f17a"
") "
"for demo (0.1.0) using archive demo-0.1.0-py2.py3-none-any.whl. "
"Expected one of md5:123456, sha256:123456."
)

with pytest.raises(RuntimeError, match=re.escape(expected_message)):
executor._download_link(
Install(package),
Link("https://example.com/demo-0.1.0-py2.py3-none-any.whl"),
)