From f371ab83ab59260eb5af8699d5c986e0b732278b Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 6 Nov 2024 17:38:02 -0500 Subject: [PATCH 1/3] fix handling of zip sdists These should be treated like tarball sdists, but were rejected incorrectly. Signed-off-by: William Woodruff --- CHANGELOG.md | 10 +++++++++- src/pypi_attestations/_impl.py | 9 ++++++--- test/test_impl.py | 12 ++++++++++++ 3 files changed, 27 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f248217..bcedd8a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [0.0.14] + +### Fixed + +- The `Distribution` API now handles ZIP source distributions + (those ending with `.zip`) instead of rejecting them as invalid. + ## [0.0.13] ### Changed @@ -155,7 +162,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Initial implementation -[Unreleased]: https://github.com/trailofbits/pypi-attestation-models/compare/v0.0.13...HEAD +[Unreleased]: https://github.com/trailofbits/pypi-attestation-models/compare/v0.0.14...HEAD +[0.0.14]: https://github.com/trailofbits/pypi-attestation-models/compare/v0.0.13...v0.0.14 [0.0.13]: https://github.com/trailofbits/pypi-attestation-models/compare/v0.0.12...v0.0.13 [0.0.12]: https://github.com/trailofbits/pypi-attestation-models/compare/v0.0.11...v0.0.12 [0.0.11]: https://github.com/trailofbits/pypi-attestation-models/compare/v0.0.10...v0.0.11 diff --git a/src/pypi_attestations/_impl.py b/src/pypi_attestations/_impl.py index ad93a46..0f6355c 100644 --- a/src/pypi_attestations/_impl.py +++ b/src/pypi_attestations/_impl.py 
@@ -374,12 +374,15 @@ def _ultranormalize_dist_filename(dist: str) -> str: parts = "-".join([name, str(ver), impl_tag, abi_tag, platform_tag]) return f"{parts}.whl" - - elif dist.endswith(".tar.gz"): + elif dist.endswith((".tar.gz", ".zip")): # `parse_sdist_filename` raises a supertype of ValueError on failure. name, ver = parse_sdist_filename(dist) name = name.replace("-", "_") - return f"{name}-{ver}.tar.gz" + + if dist.endswith(".tar.gz"): + return f"{name}-{ver}.tar.gz" + else: + return f"{name}-{ver}.zip" else: raise ValueError(f"unknown distribution format: {dist}") diff --git a/test/test_impl.py b/test/test_impl.py index 109d5bc..1907a9f 100644 --- a/test/test_impl.py +++ b/test/test_impl.py @@ -457,10 +457,14 @@ def test_exception_types(self) -> None: ("foo-1.0-py3-none.none.none-any.whl", "foo-1.0-py3-none-any.whl"), # sdist: fully normalized, no changes ("foo-1.0.tar.gz", "foo-1.0.tar.gz"), + ("foo-1.0.zip", "foo-1.0.zip"), # sdist: dist name is not case normalized ("Foo-1.0.tar.gz", "foo-1.0.tar.gz"), ("FOO-1.0.tar.gz", "foo-1.0.tar.gz"), ("FoO-1.0.tar.gz", "foo-1.0.tar.gz"), + ("Foo-1.0.zip", "foo-1.0.zip"), + ("FOO-1.0.zip", "foo-1.0.zip"), + ("FoO-1.0.zip", "foo-1.0.zip"), # sdist: dist name contains alternate separators, including # `-` despite being forbidden by PEP 625 ("foo-bar-1.0.tar.gz", "foo_bar-1.0.tar.gz"), 
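Review bot: The sdist branch now checks the suffix twice — once in the `elif dist.endswith((".tar.gz", ".zip"))` guard and again in the inner `if dist.endswith(".tar.gz")` — and the inner `else` only returns `.zip` because the outer tuple happens to contain exactly two entries, so a future third sdist suffix added to the tuple would be silently renamed to `.zip`. Deriving the suffix once keeps the two in lockstep: `suffix = ".tar.gz" if dist.endswith(".tar.gz") else ".zip"` followed by `return f"{name}-{ver}{suffix}"`, or better, iterate the same tuple and return the first matching suffix. If the function's docstring, which lies above this hunk, enumerates the accepted sdist extensions, it should now mention `.zip` as well. `_ultranormalize_dist_filename` begins before this hunk, and the trailing context after the `raise` is not fully recoverable from the collapsed text.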
@@ -469,9 +473,17 @@ def test_exception_types(self) -> None: ("foo.bar-1.0.tar.gz", "foo_bar-1.0.tar.gz"), ("foo..bar-1.0.tar.gz", "foo_bar-1.0.tar.gz"), ("foo.bar.baz-1.0.tar.gz", "foo_bar_baz-1.0.tar.gz"), + ("foo-bar-1.0.zip", "foo_bar-1.0.zip"), + ("foo-bar-baz-1.0.zip", "foo_bar_baz-1.0.zip"), + ("foo--bar-1.0.zip", "foo_bar-1.0.zip"), + ("foo.bar-1.0.zip", "foo_bar-1.0.zip"), + ("foo..bar-1.0.zip", "foo_bar-1.0.zip"), + ("foo.bar.baz-1.0.zip", "foo_bar_baz-1.0.zip"), # sdist: dist version is not normalized ("foo-1.0beta1.tar.gz", "foo-1.0b1.tar.gz"), ("foo-01.0beta1.tar.gz", "foo-1.0b1.tar.gz"), + ("foo-1.0beta1.zip", "foo-1.0b1.zip"), + ("foo-01.0beta1.zip", "foo-1.0b1.zip"), ], ) def test_ultranormalize_dist_filename(input: str, normalized: str) -> None: From aead0faf99ae25230839e59ff6c2cf2b5ac50ae2 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 6 Nov 2024 17:38:48 -0500 Subject: [PATCH 2/3] CHANGELOG: add #68 Signed-off-by: William Woodruff --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bcedd8a..c7aef2c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,7 +12,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Fixed - The `Distribution` API now handles ZIP source distributions - (those ending with `.zip`) instead of rejecting them as invalid. + (those ending with `.zip`) instead of rejecting them as invalid + ([#68](https://github.com/trailofbits/pypi-attestations/pull/68)) ## [0.0.13] From 5161b7f2bb9ae1cdee629f317cfa4400c44399e0 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 6 Nov 2024 17:42:27 -0500 Subject: [PATCH 3/3] test_impl: invalid cases as well Signed-off-by: William Woodruff --- test/test_impl.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/test/test_impl.py b/test/test_impl.py index 1907a9f..745f244 100644 --- a/test/test_impl.py +++ b/test/test_impl.py 
@@ -501,6 +501,7 @@ def test_ultranormalize_dist_filename(input: str, normalized: str) -> None: "foo", # suffixes must be lowercase "foo-1.0.TAR.GZ", + "foo-1.0.ZIP", "foo-1.0-py3-none-any.WHL", # wheel: invalid separator in dist name "foo-bar-1.0-py3-none-any.whl", @@ -511,6 +512,13 @@ def test_ultranormalize_dist_filename(input: str, normalized: str) -> None: # sdist: invalid version "foo-charmander.tar.gz", "foo-1charmander.tar.gz", + "foo-charmander.zip", + "foo-1charmander.zip", + # sdist: nonsense suffixes + "foo-1.2.3.junk.zip", + "foo-1.2.3.junk.tar.gz", + "foo-1.2.3.zip.tar.gz", + "foo-1.2.3.tar.gz.zip", ], ) def test_ultranormalize_dist_filename_invalid(input: str) -> None:
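Review bot: The comment `# sdist: nonsense suffixes` above the new `foo-1.2.3.junk.zip` / `foo-1.2.3.zip.tar.gz` cases does not say why they are invalid, and the reason is not the stacked suffix itself: presumably `parse_sdist_filename` strips one recognised extension and then fails to parse the remainder (`1.2.3.junk`, `1.2.3.zip`, `1.2.3.tar.gz`) as a version. Stating that mechanism keeps the cases meaningful if the normalizer is ever changed to validate suffixes directly, e.g. `# sdist: nonsense suffixes (rejected because the leftover "version" is unparseable, not because of the suffix itself)`. The parametrized list these lines belong to starts before the hunk.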