From 5845366d9ae8c5d92e9e11c02a5edc5ff7652502 Mon Sep 17 00:00:00 2001
From: dm
Date: Fri, 22 Nov 2024 18:04:20 +0100
Subject: [PATCH] Fix URL verification for GitHub/GitLab (#17154)

---
 tests/unit/oidc/models/test_github.py | 22 +++++++++++++++++++---
 tests/unit/oidc/models/test_gitlab.py | 12 ++++++++++++
 warehouse/oidc/models/github.py | 5 ++++-
 warehouse/oidc/models/gitlab.py | 4 +++-
 4 files changed, 38 insertions(+), 5 deletions(-)

diff --git a/tests/unit/oidc/models/test_github.py b/tests/unit/oidc/models/test_github.py
index fa08b4da70d8..a0992d057f21 100644
--- a/tests/unit/oidc/models/test_github.py
+++ b/tests/unit/oidc/models/test_github.py
@@ -624,6 +624,20 @@ def test_github_publisher_duplicates_cant_be_created(self, db_request):
 with pytest.raises(sqlalchemy.exc.IntegrityError):
 db_request.db.commit()
+ @pytest.mark.parametrize(
+ "repository_name",
+ [
+ "repository_name",
+ "Repository_Name",
+ ],
+ )
+ @pytest.mark.parametrize(
+ "repository_owner",
+ [
+ "repository_owner",
+ "Repository_Owner",
+ ],
+ )
 @pytest.mark.parametrize(
 ("url", "expected"),
 [
@@ -640,10 +654,12 @@ def test_github_publisher_duplicates_cant_be_created(self, db_request):
 ("https://repository_owner.github.io/RePoSiToRy_NaMe/subpage", True),
 ],
 )
- def test_github_publisher_verify_url(self, url, expected):
+ def test_github_publisher_verify_url(
+ self, url, expected, repository_name, repository_owner
+ ):
 publisher = github.GitHubPublisher(
- repository_name="repository_name",
- repository_owner="repository_owner",
+ repository_name=repository_name,
+ repository_owner=repository_owner,
 repository_owner_id="666",
 workflow_filename="workflow_filename.yml",
 environment="",
diff --git a/tests/unit/oidc/models/test_gitlab.py b/tests/unit/oidc/models/test_gitlab.py
index ca427789c4e9..15f9800494bc 100644
--- a/tests/unit/oidc/models/test_gitlab.py
+++ b/tests/unit/oidc/models/test_gitlab.py
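Review bot: The added `repository_name` / `repository_owner` parametrizations assert the same `expected` verdict for lower-case and mixed-case publisher fields, but nothing in the test says why case must not matter, so a future reader cannot tell whether a case-sensitive result would be a regression or the intended behaviour. A one-line comment above the first added decorator would pin the intent, e.g. `# GitHub owner and repository names are case-insensitive: the publisher's casing must not change the verdict.`. The URL table itself (which starts outside this hunk) appears to vary case only in the github.io entry visible here; if it has no mixed-case `https://github.com/...` entry, the reverse direction — lower-case publisher, mixed-case project URL — is presumably untested. `test_github_publisher_verify_url` continues past the end of the hunk.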
@@ -614,6 +614,18 @@ def test_gitlab_publisher_duplicates_cant_be_created(self, db_request):
 f"https://gitlab.com/{NAMESPACE}/{PROJECT_NAME}.git",
 True,
 ),
+ (
+ "Project_Name",
+ NAMESPACE,
+ f"https://gitlab.com/{NAMESPACE}/{PROJECT_NAME}.git",
+ True,
+ ),
+ (
+ PROJECT_NAME,
+ "Project_Owner",
+ f"https://gitlab.com/{NAMESPACE}/{PROJECT_NAME}.git",
+ True,
+ ),
 (
 PROJECT_NAME,
 NAMESPACE,
diff --git a/warehouse/oidc/models/github.py b/warehouse/oidc/models/github.py
index 51436d9c517a..5822ef07adc7 100644
--- a/warehouse/oidc/models/github.py
+++ b/warehouse/oidc/models/github.py
@@ -337,7 +337,10 @@ def verify_url(self, url: str):
 break
 url_for_generic_check = url.removesuffix("/").removesuffix(".git")
- if super().verify_url(url_for_generic_check):
+ if verify_url_from_reference(
+ reference_url=self.publisher_base_url.lower(),
+ url=url_for_generic_check,
+ ):
 return True
 return verify_url_from_reference(reference_url=docs_url, url=url)
diff --git a/warehouse/oidc/models/gitlab.py b/warehouse/oidc/models/gitlab.py
index 22b4e58fe676..6b63c3619201 100644
--- a/warehouse/oidc/models/gitlab.py
+++ b/warehouse/oidc/models/gitlab.py
@@ -331,7 +331,9 @@ def verify_url(self, url: str):
 url = lowercase_base_url + url[len(lowercase_base_url) :]
 url_for_generic_check = url.removesuffix("/").removesuffix(".git")
- if super().verify_url(url_for_generic_check):
+ if verify_url_from_reference(
+ reference_url=lowercase_base_url, url=url_for_generic_check
+ ):
 return True
 try:
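Review bot: The two added tuples only exercise case-insensitivity if `NAMESPACE` and `PROJECT_NAME` are the lower-case forms of the literals `"Project_Name"` and `"Project_Owner"`; that relationship is implicit, so if either constant is ever changed the cases keep passing while no longer testing a case mismatch. A comment above the first added tuple, e.g. `# Mixed-case publisher fields must still verify against the lower-case project URL.`, or deriving the mixed-case values from the constants instead of spelling them out, would make the dependency explicit. The parametrize list and the test function it decorates both start outside this hunk.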
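Review bot: Only the reference side is case-normalised here — `reference_url=self.publisher_base_url.lower()` — while `url_for_generic_check` is passed through in the caller's casing, so the check is case-insensitive only if `verify_url_from_reference` folds case itself or `url` was already lower-cased above this hunk (the start of `verify_url` is not visible). If neither holds, a publisher registered in lower case still rejects a project URL such as `https://github.com/Repository_Owner/repository_name`, which is the mirror image of the mismatch this patch fixes; a parametrized case in that direction would settle it. Replacing `super().verify_url(...)` with a direct `verify_url_from_reference` call also means any further checks the base class's `verify_url` may perform no longer run for GitHub publishers — if that is intended, say so next to the call, e.g. `# Compared case-insensitively: GitHub owner and repository names are not case-sensitive, so the lower-cased reference still denotes the same repository.`. The same direct call replaces `super().verify_url` in the gitlab.py hunk below.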
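Review bot: The new comparison against `lowercase_base_url` is sound only because of the prefix rewrite on the hunk's first context line, `url = lowercase_base_url + url[len(lowercase_base_url) :]`, and that line is correct only if it sits under a case-insensitive prefix check defined above this hunk (`lowercase_base_url` and the guard are both outside the visible range). That dependency is worth stating at the call site, e.g. `# url's scheme/host/namespace prefix was folded to lowercase_base_url above, so compare against that same form.`, so that anyone reworking the guard sees that this check trusts it. `verify_url` continues past the `try:` on the hunk's last line.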