poetry.lock hashes not checked when running poetry install #2422
Comments
It's a bit concerning that this issue has been open for nearly a year now. Is this something the core team is looking to address?
It doesn't seem so. I opened a new MR here: python-poetry/poetry-core#113, since the code moved into a different repo.
Thanks for the pointer @FlorianLudwig!
List of PRs related to this issue:
Can we merge one of the valid ones? Not checking the hashes in
In particular python-poetry/poetry-core#159 + #3885 are meant to be fixed together from what I understand. The other PRs can be closed.
I recommend we don't close anything until we manage to catch the eye of a maintainer. It looks like if anything we should make more noise about this.
I very much agree we need to get something merged and released to address this. With recent supply chain attacks in the media, a number of enterprises are launching efforts to harden their build and release processes, and hash checking is one of the key features they are looking for, and assume Poetry provides.
Anything upcoming soon? As per our security requirements, it's hard to justify losing hashes or shimming our poetry.lock to requirements.txt to keep them.
I am wanting to move to Poetry in production, but I would prefer to have hash checking before I do so. With global data protection laws being stricter, I need to know that I am not vulnerable through my dependency management.
Same here, this issue is the one big blocker that is preventing us from adopting Poetry as our standard to manage Python projects.
This issue was the primary reason why my company standardized on
A CVE should be filed for this issue as it presents a supply chain attack vector that puts any Poetry user relying on hash validations at risk of compromise.
Hello everyone, unfortunately my knowledge about this part of Poetry's code is too limited to review the existing PRs. I can see that this issue is serious for many people, so I pinged @sdispater and @abn directly to have a look at it.
fin swimmer
Throw a specific exception in the case of finding a matching name+version, but none of the digests for a link matching the `poetry.lock` metadata. Fixes Issue #2422 Co-authored-by: Nicolas Simonds <nisimond@cisco.com>
I confirm that with the latest
I suspect this was not released in a formal release yet. It would be really good if we could have this included the next time a release is cut.
This fix is not yet included in the latest bugfix release (1.1.7). It would be great if it was included in the next one, as it's an important security issue.
I made a PR to backport this fix to Poetry 1.1: #4420
I've just tested this using the gist in the description and the newly released Poetry 1.1.9, and can confirm
Thanks @pietrodn @sdispater and everyone else involved!
I haven't tested this yet but huge thanks to everyone involved in this! 🎉
This hash system is broken for me: we have an internal PyPI repo and the one package we have installed from there, we the
Then when I try to run poetry install, I get:
@jowparks Do you have to use md5 instead of sha256? Is that even supported by pip? In any case, this seems unrelated to this (closed) issue.
I don't do anything special for that package; I am fine with using sha256, and in fact the Nexus PyPI repo lists all the different hashes in the UI. The relevant sections of the
then we just run
which fails.
Also I will note that all the other dependencies (which are from public PyPI) have
This seems to be #4523
Downstream clients (e.g., poetry) appear to assume that the result of a Package.clone() will be a full-fidelity copy of the original. Use `copy.deepcopy` to clone the object, and ensure that this is the case. Resolves Issue python-poetry#2422 Co-authored-by: Nicolas Simonds <nisimond@cisco.com>
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
- [x] I am on the latest Poetry version.
- [x] I have searched the issues of this repo and believe that this is not a duplicate.
- [x] If an exception occurs when executing a command, I executed it again in debug mode (`-vvv` option).
- OS version and name: Ubuntu Bionic (within Docker)
- Poetry version: 1.0.5
- Link of a Gist with the contents of your pyproject.toml file: https://gist.github.com/slai/9d0d442fe7e4f4ea04e8f658b675192a#file-poetry_no_hash_check-dockerfile-L22-L33
Issue
It appears that Poetry does not check the hashes of the packages in poetry.lock when installing packages using `poetry install`.

The Dockerfile in this gist (https://gist.github.com/slai/9d0d442fe7e4f4ea04e8f658b675192a) demonstrates the issue. It runs `poetry lock`, mangles the hashes in poetry.lock, then runs `poetry install`. This succeeds, with no errors.

I would expect `poetry install` to fail in this case, or at least print a warning for packages where the hash does not match.
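The check the report asks for, written out as an added example. This is not Poetry's own code and not the fix that was eventually merged; it is a stand-alone illustration of what "verify the artifact against poetry.lock before installing" means. It assumes the Poetry 1.x lock layout, where pinned artifacts live in a `[metadata.files]` table as `{file = "...", hash = "algo:hexdigest"}` entries; the lock text and the "downloaded wheel" bytes are constructed inline so it runs offline. `demo()` replays the gist's scenario: an intact lock accepts the artifact, a lock whose hash has been mangled rejects it.

```python
import hashlib
import hmac
import re

# One pinned artifact inside a [metadata.files] list, e.g.
#   {file = "six-1.16.0-py2.py3-none-any.whl", hash = "sha256:8abb..."}
ENTRY_RE = re.compile(r'\{file = "([^"]+)", hash = "([^"]+)"\}')
# Start of a package's artifact list, e.g.  six = [   or   "backports.x" = [
PACKAGE_RE = re.compile(r'^"?([A-Za-z0-9_.\-]+)"? = \[')


class HashMismatch(Exception):
    """Raised when an artifact's digest matches none of the hashes pinned for it."""


def parse_metadata_files(lock_text):
    """Parse the [metadata.files] table of a Poetry 1.x poetry.lock.

    Returns {package_name: {filename: {"algo:hexdigest", ...}}}.
    """
    _head, sep, section = lock_text.partition("[metadata.files]")
    if not sep:
        raise ValueError("poetry.lock has no [metadata.files] table")
    files = {}
    current = None
    for line in section.splitlines():
        m = PACKAGE_RE.match(line)
        if m:
            current = m.group(1)
            files.setdefault(current, {})
        for entry in ENTRY_RE.finditer(line):
            if current is None:
                raise ValueError("artifact entry before any package name: %r" % line)
            files[current].setdefault(entry.group(1), set()).add(entry.group(2))
    return files


def verify_artifact(lock_files, package, filename, data):
    """Check downloaded bytes against the hashes pinned for (package, filename).

    Returns the matching "algo:hexdigest" string, or raises HashMismatch.
    A filename the lock says nothing about is rejected too: silence in the
    lock file must not be treated as consent to install.
    """
    pinned = lock_files.get(package)
    if pinned is None:
        raise HashMismatch("%s is not listed in poetry.lock" % package)
    expected = pinned.get(filename)
    if not expected:
        raise HashMismatch("%s is not a pinned artifact for %s" % (filename, package))
    for entry in expected:
        algo, _, hexdigest = entry.partition(":")
        try:
            actual = hashlib.new(algo, data).hexdigest()
        except ValueError:
            # An algorithm name this interpreter does not know fails closed.
            raise HashMismatch("unsupported hash algorithm %r in poetry.lock" % algo)
        if hmac.compare_digest(actual.encode(), hexdigest.lower().encode()):
            return entry
    raise HashMismatch("%s: digest matches none of the %d pinned hashes"
                       % (filename, len(expected)))


def is_trusted(lock_files, package, filename, data):
    """Boolean wrapper for callers that only gate on the outcome."""
    try:
        verify_artifact(lock_files, package, filename, data)
        return True
    except HashMismatch:
        return False


def build_lock(package, filename, hexdigest, algo="sha256"):
    """Constructed minimal poetry.lock text; a stand-in for a real lock file."""
    return (
        '[metadata]\nlock-version = "1.1"\npython-versions = "^3.8"\n'
        'content-hash = "0000"\n\n[metadata.files]\n'
        '%s = [\n    {file = "%s", hash = "%s:%s"},\n]\n'
        % (package, filename, algo, hexdigest)
    )


def demo():
    """Replay the gist offline: (intact lock accepts, mangled lock accepts)."""
    data = b"constructed stand-in for the bytes of a downloaded wheel"
    package, filename = "example-pkg", "example_pkg-1.0.0-py3-none-any.whl"
    good_hex = hashlib.sha256(data).hexdigest()
    good_lock = parse_metadata_files(build_lock(package, filename, good_hex))
    # Mangle the pinned hash as the gist does: same length, one digit changed.
    bad_hex = ("0" if good_hex[0] != "0" else "1") + good_hex[1:]
    bad_lock = parse_metadata_files(build_lock(package, filename, bad_hex))
    return (is_trusted(good_lock, package, filename, data),
            is_trusted(bad_lock, package, filename, data))


if __name__ == "__main__":
    print(demo())
```

Two design points worth carrying into any real implementation: the comparison is constant-time and fails closed on unknown algorithm names, and a filename that is absent from the lock is treated as a mismatch rather than skipped, which is the case the merged fix's commit message describes (name and version found, but no digest for the link).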