Allows to use files outside of the main directory in setup.cfg file #2701
Conversation
I'm pretty sure that it's not a bug but a designed behavior. Even the test name says "sandbox". Referencing files outside the project is prone to errors and security bugs. I think, as a workaround, you could symlink it. Also, how do you include it in an sdist if it's outside?
All the information and my arguments are in issue #2699, but I'll try to summarize in this comment.

From my point of view, saying that taking a file from outside the project is a security issue is relative. Because if I have the permissions to access a root file via

This is the interesting part, if you review my code changes and the description in the issue. It isn't copying the file into the project directory; it copies the content and puts it in some place, in this case in the `PKG-INFO` file.

As I mentioned in the created issue, I am able to fix it using the

Do you get my point?
> Also, how do you include it in an sdist if it's outside?

> This is the interesting part, if you review my code changes and the description in the issue. It isn't copying the file into the project directory; it copies the content and puts it in some place, in this case in the `PKG-INFO` file.

I think you may have missed the point. If your project loads its `long_description` from `../README`, then you build an sdist and ship that off to PyPI, and then I download the sdist and try to build it, it will fail to build because `../README` doesn't exist.

What's worse, though, is if you use `long_description = file:/etc/passwd`, and then you build an sdist and ship that off to your colleague who builds a wheel on their build server and installs that to their applications, now `importlib.metadata.metadata('your-package')['Description']` will have the contents of `/etc/passwd` for the build server.

I'm sorry, but it's not about security; it's about having hermetic packages whose sources are transportable.

I think you may wish to update the error message for clarity, but I recommend doing that in a separate PR.
Diff context the review comment below refers to:

    Directive is sandboxed and won't reach anything outside
    directory with setup.py.
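Review bot: the two context lines shown here ("Directive is sandboxed and won't reach anything outside directory with setup.py.") describe exactly the constraint this PR lifts, so if the check that enforces it is removed these lines need to be updated or removed in the same change; otherwise the code documents a sandbox that no longer exists, which is the opposite of the error-message clarification suggested earlier in the thread.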
This change removes the intentional constraint to disallow loading from outside the project directory. This change will affect any config option that uses `_parse_file`. If we wish to change the behavior here to be more lenient, we should at least enumerate the directives that might use this behavior. Is it only `long_description` or are there others?
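To make the constraint under discussion concrete (the `../README` and `file:/etc/passwd` cases in the reply above, and the `_parse_file` sandbox this review comment refers to), here is an added, stand-alone model of a sandboxed `file:` directive. It is example code, not setuptools' own `_parse_file`, which this page does not show; the names `SandboxError`, `is_within_root`, `naive_is_within_root`, `resolve_file_directive` and `demo` are this example's own, and the project layout it tests against is constructed in a temporary directory.

```python
"""Stand-alone model of a sandboxed ``file:`` directive for setup.cfg values.

Added example code, not setuptools' own ``_parse_file`` (which this page does
not show). It reproduces the constraint discussed in the thread: a value such
as ``file: README.md`` is replaced by that file's contents, while any path that
resolves outside the project root (``../README``, ``/etc/passwd``, or a
symlink inside the project that points outside) is rejected. The names
``SandboxError``, ``is_within_root``, ``naive_is_within_root``,
``resolve_file_directive`` and ``demo`` are this example's own.
"""
import os
import tempfile
from pathlib import Path


class SandboxError(ValueError):
    """Raised when a ``file:`` path points outside the project root."""


def is_within_root(path: str, root: str) -> bool:
    """True if ``path`` (relative to ``root``, or absolute) resolves inside ``root``.

    realpath() follows symlinks and collapses ``..``; commonpath() compares whole
    components, so ``/proj2`` is not mistaken for a child of ``/proj``.
    """
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(os.path.join(real_root, path))
    try:
        return os.path.commonpath([real_root, real_path]) == real_root
    except ValueError:  # different drives on Windows: certainly not inside
        return False


def naive_is_within_root(path: str, root: str) -> bool:
    """String-prefix check, shown for contrast: it accepts ``../proj2/x`` from ``proj``."""
    return os.path.abspath(os.path.join(root, path)).startswith(os.path.abspath(root))


def resolve_file_directive(value: str, root: str) -> str:
    """Expand ``file: a, b`` into the joined contents of a and b, sandboxed to ``root``.

    Values that do not start with ``file:`` are returned unchanged, mirroring how
    an ordinary ``long_description = some text`` is left alone.
    """
    directive = "file:"
    if not value.startswith(directive):
        return value
    real_root = os.path.realpath(root)
    contents = []
    for spec in value[len(directive):].split(","):
        rel = spec.strip()
        if not rel:
            continue
        if not is_within_root(rel, root):
            raise SandboxError(f"`file:` directive can not access {rel!r} outside {root}")
        contents.append(Path(real_root, rel).read_text(encoding="utf-8"))
    return "\n".join(contents)


def _outcome(value: str, root: str) -> str:
    """Helper: the expanded value, or the string 'rejected' if the sandbox blocked it."""
    try:
        return resolve_file_directive(value, root)
    except SandboxError:
        return "rejected"


def demo() -> dict:
    """Constructed scenario (built in a temp dir, nothing from the page): a project
    with README.md, a file one level up, a sibling directory sharing the name
    prefix, and a symlink inside the project that escapes it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "proj")
        os.mkdir(root)
        Path(root, "README.md").write_text("# inside\n", encoding="utf-8")
        Path(tmp, "OUTSIDE.md").write_text("not shipped in the sdist\n", encoding="utf-8")
        os.mkdir(os.path.join(tmp, "proj2"))
        Path(tmp, "proj2", "x.md").write_text("sibling\n", encoding="utf-8")

        results = {
            "local": resolve_file_directive("file: README.md", root),
            "parent": _outcome("file: ../OUTSIDE.md", root),  # the ../README case
            "absolute": _outcome("file:/etc/passwd", root),   # the /etc/passwd case
            "not_directive": resolve_file_directive("plain text", root),
            "prefix_naive": naive_is_within_root("../proj2/x.md", root),
            "prefix_strict": is_within_root("../proj2/x.md", root),
        }
        link = os.path.join(root, "escape.md")
        try:
            os.symlink(os.path.join(tmp, "OUTSIDE.md"), link)
            results["symlink"] = _outcome("file: escape.md", root)
        except OSError:  # platforms that refuse to create symlinks
            results["symlink"] = "unsupported"
        return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14} {value!r}")
```

Two design points worth noting. A plain string-prefix test (`naive_is_within_root`) lets `../proj2/x.md` through from `proj`, because `/tmp/x/proj2` starts with `/tmp/x/proj`; comparing whole components with `os.path.commonpath` closes that. And because the check resolves symlinks before comparing, the symlink workaround suggested earlier in the thread only helps if the sandbox compares the unresolved path; a `realpath`-based check rejects a link that points outside the project just like a `..` path.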
Summary of changes

This change allows using a file outside the main directory. For example, in the `setup.cfg` file, section `long_description`, the user can use an outside file: `file: ../README.md`.

Closes #2699

Pull Request Checklist

`changelog.d/` (See documentation for details)