twine check fails when badges have a scale factor ...

[kif]

As reported in:
pypa/twine#1102
twine check fails when parsing the readme file contains badges. If one of the badge has a scale factor, the readme_renderer fails claiming it is not allowed to access to the internet.

[miketheman]

Please provide a concrete reference to a readme that contains the problematic behavior - it's unclear from the linked issue which conditions lead to the problem.

[bocklund]

From https://github.com/PhasesResearchLab/ESPEI

python -m readme_renderer -f rst README.rst (.txt extension added for the upload to GitHub to work)

Gives output:

<string>:37: (WARNING/2) Cannot scale image!
  Could not get size from "docs/_static/cu-mg-mcmc-phase-diagram.png":
  Reading external files disabled.

README.rst

[miketheman]

Thanks for the error message, that points out a warning from docutils.

We have disabled the ability to read external files, which prevents docutils from trying to load images to scale these. See:

readme_renderer/readme_renderer/rst.py

Lines 68 to 71 in 1d0497c

	# Prevent local files from being included into the rendered output.
	# This is a security concern because people can insert files
	# that are part of the system, such as /etc/passwd.
	"file_insertion_enabled": False,

I haven't looked too hard yet for what alternatives might be avilable, or if there's a way to only allow images, but now there's a reason.

[marscher]

This is actually a blocker to upload a new release for my project. Could this be non fatal maybe (as it used to be)? E.g. just do not render the image in that case. We just display a scaled logo in our readme. I think it is a fairly common use case.

Is the inclusion of external files considered a security risk?

I'd love to hear your opinion on that @miketheman, thank you.