Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[1.1] Ensure all hash types are checked #4529

Merged
merged 1 commit into from
Sep 21, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 7 additions & 7 deletions poetry.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

32 changes: 23 additions & 9 deletions poetry/installation/executor.py
Original file line number Diff line number Diff line change
Expand Up @@ -608,16 +608,30 @@ def _download_link(self, operation, link):
archive = self._chef.prepare(archive)

if package.files:
archive_hash = (
"sha256:"
+ FileDependency(
package.name,
Path(archive.path) if isinstance(archive, Link) else archive,
).hash()
)
if archive_hash not in {f["hash"] for f in package.files}:
hashes = {f["hash"] for f in package.files}
hash_types = {h.split(":")[0] for h in hashes}
archive_hashes = set()
for hash_type in hash_types:
archive_hashes.add(
"{}:{}".format(
hash_type,
FileDependency(
package.name,
Path(archive.path)
if isinstance(archive, Link)
else archive,
).hash(hash_type),
)
)

if archive_hashes.isdisjoint(hashes):
raise RuntimeError(
"Invalid hash for {} using archive {}".format(package, archive.name)
"Invalid hashes ({}) for {} using archive {}. Expected one of {}.".format(

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like this better than my single hash message.

", ".join(sorted(archive_hashes)),
package,
archive.name,
", ".join(sorted(hashes)),
)
)

return archive
Expand Down
2 changes: 1 addition & 1 deletion pyproject.toml
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ classifiers = [
[tool.poetry.dependencies]
python = "~2.7 || ^3.5"

poetry-core = "~1.0.5"
poetry-core = "~1.0.6"
cleo = "^0.8.1"
clikit = "^0.6.2"
crashtest = { version = "^0.3.0", python = "^3.6" }
Expand Down
76 changes: 76 additions & 0 deletions tests/installation/test_executor.py
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,8 @@

from poetry.config.config import Config
from poetry.core.packages.package import Package
from poetry.core.packages.utils.link import Link
from poetry.installation.chef import Chef
from poetry.installation.executor import Executor
from poetry.installation.operations import Install
from poetry.installation.operations import Uninstall
Expand Down Expand Up @@ -251,3 +253,77 @@ def test_executor_should_delete_incomplete_downloads(
executor._download(Install(Package("tomlkit", "0.5.3")))

assert not destination_fixture.exists()


def test_executor_should_check_every_possible_hash_types(
config, io, pool, mocker, fixture_dir, tmp_dir
):
mocker.patch.object(
Chef, "get_cached_archive_for_link", side_effect=lambda link: link,
)
mocker.patch.object(
Executor,
"_download_archive",
return_value=fixture_dir("distributions").joinpath(
"demo-0.1.0-py2.py3-none-any.whl"
),
)

env = MockEnv(path=Path(tmp_dir))
executor = Executor(env, pool, config, io)

package = Package("demo", "0.1.0")
package.files = [
{
"file": "demo-0.1.0-py2.py3-none-any.whl",
"hash": "md5:15507846fd4299596661d0197bfb4f90",
}
]

archive = executor._download_link(
Install(package), Link("https://example.com/demo-0.1.0-py2.py3-none-any.whl")
)

assert archive == fixture_dir("distributions").joinpath(
"demo-0.1.0-py2.py3-none-any.whl"
)


def test_executor_should_check_every_possible_hash_types_before_failing(
config, io, pool, mocker, fixture_dir, tmp_dir
):
mocker.patch.object(
Chef, "get_cached_archive_for_link", side_effect=lambda link: link,
)
mocker.patch.object(
Executor,
"_download_archive",
return_value=fixture_dir("distributions").joinpath(
"demo-0.1.0-py2.py3-none-any.whl"
),
)

env = MockEnv(path=Path(tmp_dir))
executor = Executor(env, pool, config, io)

package = Package("demo", "0.1.0")
package.files = [
{"file": "demo-0.1.0-py2.py3-none-any.whl", "hash": "md5:123456"},
{"file": "demo-0.1.0-py2.py3-none-any.whl", "hash": "sha256:123456"},
]

expected_message = (
"Invalid hashes "
"("
"md5:15507846fd4299596661d0197bfb4f90, "
"sha256:70e704135718fffbcbf61ed1fc45933cfd86951a744b681000eaaa75da31f17a"
") "
"for demo (0.1.0) using archive demo-0.1.0-py2.py3-none-any.whl. "
"Expected one of md5:123456, sha256:123456."
)

with pytest.raises(RuntimeError, match=re.escape(expected_message)):
executor._download_link(
Install(package),
Link("https://example.com/demo-0.1.0-py2.py3-none-any.whl"),
)