-
Notifications
You must be signed in to change notification settings - Fork 956
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
GitHub, GitLab: improve claim matching during lookup (#16462)
* GitHub, GitLab: escape matchable characters during publisher lookup This fixes a constraint violation that users were previously able to induce by registering two similar-looking-but-not-exact Trusted Publishers. For example: ``` repo: foo/bar workflow: publish-pypi.yml ``` and: ``` repo: foo/bar workflow: publish_pypi.yml ``` Before this change, PyPI's publisher lookup would treat the `_` in `publish_pypi.yml` as a match expression, resulting in both publishers being matched when only exactly one publisher was expected to match. As a result, a user could configure two publishers in such a way that minting would *always* fail. To fix this, we replace our use of a raw `like` with a more constrained `startswith` *and* escape `_` and `%` when they appear in the workflow identifier being matched on. We would ideally do this using SQLAlchemy's `autoescape`, but `autoescape` only supports string clauses and not column clauses. Instead, we build up a somewhat verbose chain of escape replacements manually. Signed-off-by: William Woodruff <william@trailofbits.com> * github: replace obnoxious escaping with a regexp This avoids the need for a very slow text scan over an escaped column by using a regexp to extract the expected exact column match. This regexp is itself not the faster, but it's definitely faster than scanning an unindexed column in the middle of a query. Signed-off-by: William Woodruff <william@trailofbits.com> * replace escaping for GitLab too Signed-off-by: William Woodruff <william@trailofbits.com> * simplify assignments Signed-off-by: William Woodruff <william@trailofbits.com> * tests, warehouse: coverage, document regexps Signed-off-by: William Woodruff <william@trailofbits.com> --------- Signed-off-by: William Woodruff <william@trailofbits.com> Co-authored-by: Dustin Ingram <di@users.noreply.github.com>
- Loading branch information
Showing
4 changed files
with
329 additions
and
74 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.