ci: protect against surreptitious lockfile changes #236
A `poetry lock --no-update` command is added to all the workflows where `poetry` is used to install an environment from the lockfile. Doing so "refreshes" the lockfile and will remove any entries in the lockfile that are not actually dependencies of packages defined in the `pyproject.toml` file. It does not produce an error or non-zero return code when changes are made, but at least the lockfile will be in a better state before it gets used.
Arbitrary code execution can occur when building/installing packages from source distributions. This test guards against changes to the established/vetted build system. There may be legitimate times to change the build system requirements and/or backend, but those changes will be more apparent in code reviews since this test will also have to change. Changes to the values in the `pyproject.toml` file may be subtle and go unnoticed. In the worst case, it is possible for the values to be changed to malicious entries that seek to cause harm in CI systems.
Phylum OSS Supply Chain Risk Analysis - INCOMPLETE

The analysis contains 1 package(s) Phylum has not yet processed,

Phylum OSS Supply Chain Risk Analysis - SUCCESS

The Phylum risk analysis is complete and has passed the active policy.
This PR is meant to be merged...but only after some changes are made to the lockfile. It is being used to demonstrate an attack where the lockfile is updated surreptitiously and the changes are attempted to be approved through a PR, due to the way GitHub's `linguist` library hides/collapses known lockfiles.

The real changes made here include:

- `poetry lock --no-update` command is added to all the workflows where `poetry` is used to install an environment from the lockfile
- `pyproject.toml` file