
Backport fix for mismatching hash check #193

Merged
merged 2 commits into from
Aug 26, 2021

Conversation

pietrodn

Backport #159 to poetry-core 1.0 as this is part of an important security fix.

See python-poetry/poetry#3885 and python-poetry/poetry#2422

I think that this fix exposes a preexisting bug in Poetry where poetry install fails with the following:

$ ~/git/poetry/.venv/bin/poetry install
Creating virtualenv tmp in /Users/pietro/tmp/.venv
Installing dependencies from lock file

Package operations: 1 install, 0 updates, 0 removals

  • Installing attrs (21.2.0): Failed

  AttributeError

  'Link' object has no attribute 'is_absolute'

  at ~/git/poetry/.venv/lib/python3.9/site-packages/poetry/core/packages/file_dependency.py:34 in __init__
       30│         self._base = base or Path.cwd()
       31│         self._full_path = path
       32│
       33│         #raise ValueError(type(path))
    →  34│         if not self._path.is_absolute():
       35│             try:
       36│                 self._full_path = self._base.joinpath(self._path).resolve()
       37│             except FileNotFoundError:
       38│                 raise ValueError("Directory {} does not exist".format(self._path))

I think that there is an underlying bug where an object that should be a Path is actually a Link, and that is exposed by the fact that the Package.files attribute gets cloned, and not lost as of now in Poetry 1.1.8.

0xDEC0DE and others added 2 commits August 21, 2021 21:48
Downstream clients (e.g., poetry) appear to assume that the result
of a Package.clone() will be a full-fidelity copy of the original.

Use `copy.deepcopy` to clone the object, and ensure that this is
the case.

Resolves Issue #2422

Co-authored-by: Nicolas Simonds <nisimond@cisco.com>
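As an added illustration (not poetry's code) of why a lossy clone weakens the lock-file hash check: a simplified package model, constructed here, with the name/version-only clone beside the `copy.deepcopy` version the commit describes. `Package`, `clone_shallow` and `verify_download` are hypothetical stand-ins, and the wheel contents are constructed sample bytes.

```python
import copy
import hashlib
from dataclasses import dataclass, field


@dataclass
class Package:
    """Hypothetical stand-in for a package record, not poetry's class.
    `files` holds the lock-file hashes the installer compares downloads against."""
    name: str
    version: str
    files: list = field(default_factory=list)

    def clone_shallow(self):
        # Rebuilds from name/version only: `files` (and its hashes) are dropped.
        return Package(self.name, self.version)

    def clone(self):
        # Full-fidelity copy, the approach taken by the backported fix.
        return copy.deepcopy(self)


def verify_download(package, filename, data):
    """Return "ok", "mismatch" or "unverified" for a downloaded artifact."""
    expected = {f["file"]: f["hash"] for f in package.files}
    if filename not in expected:
        # No recorded hash for this file: there is nothing to compare against.
        return "unverified"
    actual = "sha256:" + hashlib.sha256(data).hexdigest()
    return "ok" if actual == expected[filename] else "mismatch"


def demo():
    good = b"attrs wheel contents (constructed sample)"
    tampered = b"attrs wheel contents (constructed, modified)"
    wheel = "attrs-21.2.0-py2.py3-none-any.whl"
    locked = Package("attrs", "21.2.0", files=[
        {"file": wheel, "hash": "sha256:" + hashlib.sha256(good).hexdigest()},
    ])
    return {
        # Lossy clone: the tampered file passes through unchecked.
        "shallow_tampered": verify_download(locked.clone_shallow(), wheel, tampered),
        # Deep copy keeps the hashes, so the tampered file is caught.
        "deep_tampered": verify_download(locked.clone(), wheel, tampered),
        "deep_good": verify_download(locked.clone(), wheel, good),
        # The copy owns its own `files` list rather than aliasing the original.
        "deep_independent": locked.clone().files is not locked.files,
    }


if __name__ == "__main__":
    print(demo())
```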
@sdispater sdispater merged commit 52e543b into python-poetry:1.0 Aug 26, 2021
@pietrodn pietrodn deleted the fix/package-clone-backport branch August 26, 2021 17:48