Skip to content

Validate WHEEL file tags #19411

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
konstin wants to merge 7 commits into
base: main
Choose a base branch
from
+226 −51
Open

Validate WHEEL file tags #19411

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
a0ed3f2
Validate WHEEL file tags
konstin Jan 28, 2026
708826a
Improve coverage
konstin Jan 28, 2026
32f8aa7
Review
konstin Feb 7, 2026
6847c13
Reject non-UTF-8 WHEEL files
konstin Feb 7, 2026
39c0c52
Merge branch 'main' into konsti/validate-wheel-file-tags
konstin Feb 10, 2026
7b63bc8
Merge branch 'main' into konsti/validate-wheel-file-tags
konstin Feb 11, 2026
0ee6a6b
Use HeaderParser instead of Parser
konstin Feb 11, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
181 changes: 144 additions & 37 deletions tests/unit/forklift/test_legacy.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@
from textwrap import dedent
from unittest import mock

import packaging
import pretend
import psycopg
import pytest
Expand Down Expand Up @@ -76,25 +77,40 @@ def _get_tar_testdata(compression_type=""):
return temp_f.getvalue()


def _get_whl_testdata(name="fake_package", version="1.0"):
def _format_tags(tags: str) -> bytes:
"""
Build a mock WHEEL file from the given tags.
"""
tags = packaging.tags.parse_tag(tags)
formatted = "Wheel-Version: 1.0\n" + "\n".join(f"Tag: {tag}" for tag in tags)
return formatted.encode("utf-8")


def _get_whl_testdata(
name="fake_package",
version="1.0",
tags: bytes | None = _format_tags("py3-none-any"),
):
temp_f = io.BytesIO()
with zipfile.ZipFile(file=temp_f, mode="w") as zfp:
zfp.writestr(f"{name}-{version}.dist-info/METADATA", "Fake metadata")
if tags:
zfp.writestr(f"{name}-{version}.dist-info/WHEEL", tags)
zfp.writestr(f"{name}-{version}.dist-info/licenses/LICENSE.MIT", "Fake License")
zfp.writestr(
f"{name}-{version}.dist-info/licenses/LICENSE.APACHE", "Fake License"
)
zfp.writestr(
f"{name}-{version}.dist-info/RECORD",
dedent(
f"""\
{name}-{version}.dist-info/METADATA,
{name}-{version}.dist-info/licenses/LICENSE.MIT,
{name}-{version}.dist-info/licenses/LICENSE.APACHE,
{name}-{version}.dist-info/RECORD,
""",
),
)
record = dedent(
f"""\
{name}-{version}.dist-info/METADATA,
{name}-{version}.dist-info/licenses/LICENSE.MIT,
{name}-{version}.dist-info/licenses/LICENSE.APACHE,
{name}-{version}.dist-info/RECORD,
""",
)
if tags:
record += f"{name}-{version}.dist-info/WHEEL,\n"
zfp.writestr(f"{name}-{version}.dist-info/RECORD", record)
return temp_f.getvalue()


Expand Down Expand Up @@ -349,37 +365,101 @@ def test_zipfile_exceeds_compression_threshold(self, tmpdir):
"File exceeds compression ratio of 50",
)

def test_wheel_no_wheel_file(self, tmpdir):
f = str(tmpdir.join("test-1.0-py3-none-any.whl"))

with zipfile.ZipFile(f, "w") as zfp:
zfp.writestr("something.txt", b"Just a placeholder file")
@pytest.mark.parametrize(
("tags_filename", "tags_file", "error"),
[
(
"py3-none-macosx_11_0_arm64",
b"Tag: py3-none-macosx_13_0_arm64",
"Wheel filename and WHEEL file tags mismatch: "
+ "'py3-none-macosx_11_0_arm64' vs. 'py3-none-macosx_13_0_arm64'",
),
(
"py2-none-any",
b"Tag: py2-none-any\nTag: py3-none-any",
"WHEEL file has tags not in wheel filename: 'py3-none-any'",
),
(
"py2.py3-none-any",
b"Tag: py3-none-any",
"Wheel filename has tags not in WHEEL file: 'py2-none-any'",
),
(
"py2.py3-none-any",
b"Tag: py2.py3-none-any",
"Tags in WHEEL file must be expanded, not compressed: "
+ "'py2.py3-none-any'",
),
(
"py3-none-macosx_11_0_arm64",
b"\xff\x00\xff",
"WHEEL file is not UTF-8 encoded",
),
(
"py3-none-macosx_11_0_arm64",
None,
"WHEEL not found at <NAME>-1.0.dist-info/WHEEL",
),
],
)
def test_upload_wheel_tag_mismatches(
self,
pyramid_config,
db_request,
tags_filename,
tags_file,
error,
):
user = UserFactory.create()
EmailFactory.create(user=user)
project = ProjectFactory.create()
release = ReleaseFactory.create(project=project, version="1.0")
RoleFactory.create(user=user, project=project)

assert legacy._is_valid_dist_file(f, "bdist_wheel") == (
False,
"WHEEL not found at test-1.0.dist-info/WHEEL",
name = project.normalized_name.replace("-", "_")
filename = f"{name}-{release.version}-{tags_filename}.whl"
data = _get_whl_testdata(
name=name,
version="1.0",
tags=tags_file,
)
digest = hashlib.md5(data).hexdigest()

def test_wheel_has_wheel_file(self, tmpdir):
f = str(tmpdir.join("test-1.0-py3-none-any.whl"))

with zipfile.ZipFile(f, "w") as zfp:
zfp.writestr("something.txt", b"Just a placeholder file")
zfp.writestr("test-1.0.dist-info/WHEEL", b"this is the package info")
pyramid_config.testing_securitypolicy(identity=user)
db_request.user = user
db_request.user_agent = "warehouse-tests/6.6.6"
db_request.POST = MultiDict(
{
"metadata_version": "2.4",
"name": project.name,
"version": "1.0",
"summary": "This is my summary!",
"filetype": "bdist_wheel",
"md5_digest": digest,
"content": pretend.stub(
filename=filename,
file=io.BytesIO(data),
type="application/zip",
),
}
)
db_request.POST.extend([("pyversion", "py3")])

assert legacy._is_valid_dist_file(f, "bdist_wheel") == (True, None)
storage_service = pretend.stub(store=lambda path, filepath, meta: None)
db_request.find_service = lambda svc, name=None, context=None: {
IFileStorage: storage_service,
}.get(svc)

def test_invalid_wheel_filename(self, tmpdir):
f = str(tmpdir.join("cheese.whl"))
with pytest.raises(HTTPBadRequest) as excinfo:
legacy.file_upload(db_request)

with zipfile.ZipFile(f, "w") as zfp:
zfp.writestr("something.txt", b"Just a placeholder file")
zfp.writestr("test-1.0.dist-info/WHEEL", b"this is the package info")
resp = excinfo.value

assert legacy._is_valid_dist_file(f, "bdist_wheel") == (
False,
"Unable to parse name and version from wheel filename",
assert resp.status_code == 400
rendered_error = f"400 Invalid distribution file. {error}".replace(
"<NAME>", name
)
assert resp.status == rendered_error

def test_incorrect_number_of_top_level_directories_sdist_tar(self, tmpdir):
tar_fn = str(tmpdir.join("test.tar.gz"))
Expand Down Expand Up @@ -2875,7 +2955,9 @@ def test_upload_succeeds_with_wheel(
project.normalized_name.replace("-", "_"), release.version, plat
)
filebody = _get_whl_testdata(
name=project.normalized_name.replace("-", "_"), version=release.version
name=project.normalized_name.replace("-", "_"),
version=release.version,
tags=_format_tags(f"cp34-none-{plat}"),
)
filestoragehash = _storage_hash(filebody)

Expand Down Expand Up @@ -3225,7 +3307,9 @@ def test_upload_succeeds_with_wheel_after_sdist(
release.version,
)
filebody = _get_whl_testdata(
name=project.normalized_name.replace("-", "_"), version=release.version
name=project.normalized_name.replace("-", "_"),
version=release.version,
tags=_format_tags("cp34-none-any"),
)
filestoragehash = _storage_hash(filebody)

Expand Down Expand Up @@ -3524,6 +3608,10 @@ def test_upload_warns_with_mismatched_wheel_and_zip_contents(
with zipfile.ZipFile(file=temp_f, mode="w") as zfp:
zfp.writestr("some_file", "some_data")
zfp.writestr(f"{project_name}-{release.version}.dist-info/METADATA", "")
zfp.writestr(
f"{project_name}-{release.version}.dist-info/WHEEL",
"Tag: cp34-none-any",
)
zfp.writestr(
f"{project_name}-{release.version}.dist-info/RECORD",
f"{project_name}-{release.version}.dist-info/RECORD,",
Expand Down Expand Up @@ -3599,11 +3687,16 @@ def test_upload_record_does_not_warn_with_zip_dir(
zfp.mkdir(f"{project_name}-{release.version}.dist-info/")

zfp.writestr(f"{project_name}-{release.version}.dist-info/METADATA", "")
zfp.writestr(
f"{project_name}-{release.version}.dist-info/WHEEL",
"Tag: cp34-none-any",
)
zfp.writestr(
f"{project_name}-{release.version}.dist-info/RECORD",
dedent(
f"""\
{project_name}-{release.version}.dist-info/METADATA,
{project_name}-{release.version}.dist-info/WHEEL,
{project_name}-{release.version}.dist-info/RECORD,
""",
),
Expand Down Expand Up @@ -3669,11 +3762,16 @@ def test_upload_record_does_not_warn_windows_path_separators(
project_name = project.normalized_name.replace("-", "_")
with zipfile.ZipFile(file=temp_f, mode="w") as zfp:
zfp.writestr(f"{project_name}-{release.version}.dist-info/METADATA", "")
zfp.writestr(
f"{project_name}-{release.version}.dist-info/WHEEL",
"Tag: cp34-none-any",
)
zfp.writestr(
f"{project_name}-{release.version}.dist-info/RECORD",
dedent(
f"""\
{project_name}-{release.version}.dist-info\\METADATA,
{project_name}-{release.version}.dist-info\\WHEEL,
{project_name}-{release.version}.dist-info\\RECORD,
""",
),
Expand Down Expand Up @@ -3744,6 +3842,10 @@ def test_upload_record_check_does_not_include_jws_p7s(
zfp.mkdir(f"{project_name}-{release.version}.dist-info/")

zfp.writestr(f"{project_name}-{release.version}.dist-info/METADATA", "")
zfp.writestr(
f"{project_name}-{release.version}.dist-info/WHEEL",
"Tag: cp34-none-any",
)
zfp.writestr(
f"{project_name}-{release.version}.dist-info/{exempt_filename}", ""
)
Expand All @@ -3752,6 +3854,7 @@ def test_upload_record_check_does_not_include_jws_p7s(
dedent(
f"""\
{project_name}-{release.version}.dist-info/METADATA,
{project_name}-{release.version}.dist-info/WHEEL,
{project_name}-{release.version}.dist-info/RECORD,
""",
),
Expand Down Expand Up @@ -3818,6 +3921,10 @@ def test_upload_record_check_exclusions_only_in_dist_info(
with zipfile.ZipFile(file=temp_f, mode="w") as zfp:
zfp.writestr("some_file", "some_data")
zfp.writestr(f"{project_name}-{release.version}.dist-info/METADATA", "")
zfp.writestr(
f"{project_name}-{release.version}.dist-info/WHEEL",
"Tag: cp34-none-any",
)
zfp.writestr(f"not-dist-info/{exempt_filename}", "")
zfp.writestr(
f"{project_name}-{release.version}.dist-info/RECORD",
Expand Down
Loading
Loading