Skip to content

Commit

Permalink
Merge pull request python-poetry#4420 from pietrodn/fix/hash-check-ba…
Browse files Browse the repository at this point in the history
…ckport-1.1

Backport security fix python-poetry#3885 for package hashes to 1.1
  • Loading branch information
sdispater authored Aug 27, 2021
2 parents 8268795 + d033cba commit 634bb23
Show file tree
Hide file tree
Showing 2 changed files with 36 additions and 0 deletions.
7 changes: 7 additions & 0 deletions poetry/installation/chooser.py
Original file line number Diff line number Diff line change
Expand Up @@ -109,6 +109,13 @@ def _get_links(self, package): # type: (Package) -> List[Link]

selected_links.append(link)

if links and not selected_links:
raise RuntimeError(
"Retrieved digest for link {}({}) not in poetry.lock metadata {}".format(
link.filename, h, hashes
)
)

return selected_links

def _sort_key(self, package, link): # type: (Package, Link) -> Tuple
Expand Down
29 changes: 29 additions & 0 deletions tests/installation/test_chooser.py
Original file line number Diff line number Diff line change
Expand Up @@ -195,3 +195,32 @@ def test_chooser_chooses_distributions_that_match_the_package_hashes(
link = chooser.choose_for(package)

assert "isort-4.3.4.tar.gz" == link.filename


@pytest.mark.parametrize("source_type", ["", "legacy"])
def test_chooser_throws_an_error_if_package_hashes_do_not_match(
env, mock_pypi, mock_legacy, source_type, pool,
):
chooser = Chooser(pool, env)

package = Package("isort", "4.3.4")
files = [
{
"hash": "sha256:0000000000000000000000000000000000000000000000000000000000000000",
"filename": "isort-4.3.4.tar.gz",
}
]
if source_type == "legacy":
package = Package(
package.name,
package.version.text,
source_type="legacy",
source_reference="foo",
source_url="https://foo.bar/simple/",
)

package.files = files

with pytest.raises(RuntimeError) as e:
chooser.choose_for(package)
assert files[0]["hash"] in str(e)

0 comments on commit 634bb23

Please sign in to comment.