
Add support for `--trusted-host`

Open charliermarsh opened this issue 1 year ago • 3 comments

Summary

This PR revives https://github.com/astral-sh/uv/pull/4944, which I think was a good start towards adding --trusted-host. Last night, I tried to add --trusted-host with a custom verifier, but we had to vendor a lot of reqwest code and I eventually hit some private APIs. I'm not confident that I can implement it correctly with that mechanism, and since this is security, correctness is the priority.

So, instead, we now use two clients and multiplex between them.

Closes https://github.com/astral-sh/uv/issues/1339.

Test Plan

Created self-signed certificate, and ran `python3 -m http.server --bind 127.0.0.1 4443 --directory . --certfile cert.pem --keyfile key.pem` from the packse index directory.

Verified that `cargo run pip install transitive-yanked-and-unyanked-dependency-a-0abad3b6 --index-url https://127.0.0.1:8443/simple-html` failed with:

```
error: Request failed after 3 retries
  Caused by: error sending request for url (https://127.0.0.1:8443/simple-html/transitive-yanked-and-unyanked-dependency-a-0abad3b6/)
  Caused by: client error (Connect)
  Caused by: invalid peer certificate: Other(OtherError(CaUsedAsEndEntity))
```

Verified that `cargo run pip install transitive-yanked-and-unyanked-dependency-a-0abad3b6 --index-url 'https://127.0.0.1:8443/simple-html' --trusted-host '127.0.0.1:8443'` failed with the expected error (invalid resolution) and made valid requests.

Verified that `cargo run pip install transitive-yanked-and-unyanked-dependency-a-0abad3b6 --index-url 'https://127.0.0.1:8443/simple-html' --trusted-host '127.0.0.2' -n` also failed.

charliermarsh avatar Aug 24 '24 21:08 charliermarsh
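
The two-client multiplexing described in the summary above, sketched as an added example that is not uv's code and not part of the original thread: a request is routed to the non-verifying client only when its URL's parsed host (and port, if the flag gave one) exactly matches a `--trusted-host` entry. The type and function names, the field layout, and the rule that a port-less entry matches any port are assumptions made for illustration.

```rust
// Added illustration; not uv's code. All names are hypothetical.
#[derive(Debug, PartialEq)]
pub enum Client { Verified, Insecure }
pub struct TrustedHost { host: String, port: Option<u16> }

// Split "host[:port]"; rejects empty hosts and IPv6 literals (fail closed).
fn split_host_port(s: &str) -> Option<(String, Option<u16>)> {
    let (host, port) = match s.rsplit_once(':') {
        Some((h, p)) => (h, Some(p.parse::<u16>().ok()?)),
        None => (s, None),
    };
    if host.is_empty() || host.contains(':') { return None; }
    Some((host.to_ascii_lowercase(), port))
}

pub fn parse_trusted(s: &str) -> Option<TrustedHost> {
    split_host_port(s).map(|(host, port)| TrustedHost { host, port })
}

// Host and effective port of an http(s) URL, ignoring any userinfo.
fn url_host_port(url: &str) -> Option<(String, u16)> {
    let (scheme, rest) = url.split_once("://")?;
    let default = match scheme.to_ascii_lowercase().as_str() {
        "https" => 443,
        "http" => 80,
        _ => return None,
    };
    let authority = rest.split(|c: char| matches!(c, '/' | '?' | '#')).next()?;
    let hostport = authority.rsplit_once('@').map_or(authority, |(_, h)| h);
    let (host, port) = split_host_port(hostport)?;
    Some((host, port.unwrap_or(default)))
}

// Only an exact host match (and port match, when one was given) skips
// certificate verification; anything unparseable keeps verification on.
pub fn select_client(url: &str, trusted: &[TrustedHost]) -> Client {
    match url_host_port(url) {
        Some((h, p)) if trusted.iter().any(|t| t.host == h && t.port.map_or(true, |tp| tp == p)) => Client::Insecure,
        _ => Client::Verified,
    }
}

fn main() {
    let url = "https://127.0.0.1:8443/simple-html"; // URL from the test plan
    for flag in ["127.0.0.1:8443", "127.0.0.2"] {
        let trusted: Vec<_> = parse_trusted(flag).into_iter().collect();
        println!("--trusted-host {}: {:?}", flag, select_client(url, &trusted));
    }
}
```

Matching on the parsed authority rather than on a substring of the URL keeps a trusted name that appears in the userinfo or path from disabling verification for a different host.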

Also might be helpful for #5726

zanieb avatar Aug 25 '24 00:08 zanieb

What happens if `--trusted-host` is supplied multiple times, is that taken into account? Or do the later ones override the first one?

Edit: I see the code allows a list, which if it's like pip it would be space-separated.

gaby avatar Aug 25 '24 00:08 gaby

> You’re receiving notifications because you were mentioned.

Not sure why GitHub thinks I have a mention here... this seems fine to me, in case someone mentioned me for asking my opinion on the idea. :)

pradyunsg avatar Aug 26 '24 11:08 pradyunsg

> > You’re receiving notifications because you were mentioned.
>
> Not sure why GitHub thinks I have a mention here... this seems fine to me, in case someone mentioned me for asking my opinion on the idea. :)

You were tagged here https://github.com/astral-sh/uv/pull/6591#discussion_r1730406532

graingert avatar Aug 27 '24 12:08 graingert

I seem to be getting some errors, e.g.

```toml
[tool.uv]
allow-insecure-host = [
  "amazonaws.com",
]
```

```
warning: Failed to parse `pyproject.toml` during settings discovery:
  TOML parse error at line 93, column 1
     |
  93 | [tool.uv]
     | ^^^^^^^^^
  invalid type: string "amazonaws.com", expected struct TrustedHost
```

jonathanasdf avatar Aug 27 '24 19:08 jonathanasdf

Apologies, that's my bad. Can you open a separate issue? It should work on the command-line though.

charliermarsh avatar Aug 27 '24 19:08 charliermarsh

See: https://github.com/astral-sh/uv/pull/6716

charliermarsh avatar Aug 27 '24 19:08 charliermarsh