infrastructure/extensions-website
4
8
Fork 10
Code Issues 19 Pull Requests 2 Projects Releases Wiki Activity

File scanning: validate wheel digests against pypi.org #199

Merged
Oleg-Komarov merged 5 commits from validate-wheels into main 2024-07-11 10:45:24 +02:00
Conversation 0 Commits 5 Files Changed 6 +146 -31
Oleg-Komarov commented 2024-07-01 14:39:43 +02:00
Owner
Copy Link

This PR adds a new check to background file scans:
wheel digests are verified using PyPI json API
https://warehouse.pypa.io/api-reference/json.html

This check should flag uploads that try to ship wheels
that are not published on PyPI, a file is flagged when either

  • it contains a wheel that is not on PyPI:
    a combination of project name, version and platform tags is checked
  • at least one of the wheels that were found on PyPI has a mismatching sha256 digest

Although the fact that something is published on PyPI is not a guarantee
that the code is safe to load, this additional step should introduce at least
some barriers to uploading malicious code.

We can potentially improve on this further by e.g. integrating with
https://docs.virustotal.com/docs/api-overview

This PR adds a new check to background file scans: wheel digests are verified using PyPI json API https://warehouse.pypa.io/api-reference/json.html This check should flag uploads that try to ship wheels that are not published on PyPI, a file is flagged when either - it contains a wheel that is not on PyPI: a combination of project name, version and platform tags is checked - at least one of the wheels that were found on PyPI has a mismatching sha256 digest Although the fact that something is published on PyPI is not a guarantee that the code is safe to load, this additional step should introduce at least some barriers to uploading malicious code. We can potentially improve on this further by e.g. integrating with https://docs.virustotal.com/docs/api-overview
❤️ 1
Oleg-Komarov added 1 commit 2024-07-01 14:39:44 +02:00
Oleg-Komarov added 1 commit 2024-07-09 16:47:14 +02:00
Oleg-Komarov added 1 commit 2024-07-09 17:08:00 +02:00
Oleg-Komarov added 2 commits 2024-07-09 19:46:04 +02:00
Oleg-Komarov changed title from WIP: validate wheels to File scanning: validate wheel digests against pypi.org 2024-07-09 19:47:04 +02:00
Anna Sirota approved these changes 2024-07-11 10:30:54 +02:00
Anna Sirota left a comment
Owner
Copy Link

LGTM

LGTM
Oleg-Komarov merged commit c975e8cb95 into main 2024-07-11 10:45:24 +02:00
Oleg-Komarov deleted branch validate-wheels 2024-07-11 10:45:25 +02:00
Sign in to join this conversation.
Reviewers
No reviewers
Anna Sirota
Labels
Clear labels   
Priority
Critical
The priority is critical

  
Priority
High
The priority is high

  
Priority
Low
The priority is low

  
Priority
Normal
The priority is medium

  
Reviewed
Confirmed
Issue has been confirmed

  
Reviewed
Duplicate
This issue or pull request already exists

  
Reviewed
Invalid
Invalid issue

  
Reviewed
Won't Fix
This issue won't be fixed

  
Status
Abandoned
Somebody has started to work on this but abandoned work

  
Status
Blocked
Something is blocking this issue or pull request

  
Status
Need More Info
Feedback is required to reproduce issue or to continue work

  
Type
Breaking
Breaking change that won't be backward compatible

  
Type
Documentation
Documentation changes

  
Type
Enhancement
Improve existing functionality

  
Type
Feature
New functionality

  
Type
Report
Something is not working

  
Type
Security
This is security issue

  
Type
Suggestion
New ideas and proposals

  
Type
Testing
Issue or pull request related to testing

No Label
Priority
Critical
Priority
High
Priority
Low
Priority
Normal
Reviewed
Confirmed
Reviewed
Duplicate
Reviewed
Invalid
Reviewed
Won't Fix
Status
Abandoned
Status
Blocked
Status
Need More Info
Type
Breaking
Type
Documentation
Type
Enhancement
Type
Feature
Type
Report
Type
Security
Type
Suggestion
Type
Testing
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
2 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: infrastructure/extensions-website#199
No description provided.
Delete Branch "validate-wheels"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?