
Record validation fails on invalid hash algorithm names

Open dimbleby opened this issue 2 years ago • 0 comments

As encountered in the wild with swat 1.12.1 and reported at https://github.com/python-poetry/poetry/issues/7778 - RECORDS contains lines like

    swat-1.12.1.dist-info/METADATA,sha=c2717134222c10492eaaea1040f6d2b1cd077054f1e7e4ea4f8b1cc48498282f,7737

which (among other things wrong with it) says `sha` where it means `sha256`.

Current behaviour is an uncaught `ValueError` from `hashlib.new()`.

Here's a testcase:

    def test_rejects_record_containing_unknown_hash(self, fancy_wheel):
        with WheelFile.open(fancy_wheel) as source:
            record_file_contents = source.read_dist_info("RECORD")

        new_record_file_contents = record_file_contents.replace("sha256=", "sha=")
        replace_file_in_zip(
            fancy_wheel,
            filename="fancy-1.0.0.dist-info/RECORD",
            content=new_record_file_contents,
        )

        with WheelFile.open(fancy_wheel) as source:
            with pytest.raises(
                WheelFile.validation_error,
                match="RECORD file contains invalid hash algorithm `sha`",
            ):
                source.validate_record(validate_contents=True)

But it's not clear to me where the cleanest place to detect or catch this error would be, so I have no fix to offer.

Edit: changed my mind, #179

dimbleby, Apr 08 '23 19:04
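
An added example, not code from the issue or from the installer project: one way to check RECORD hash entries so that an unknown algorithm name such as `sha` is reported as a validation problem instead of escaping as a `ValueError` from `hashlib.new()`. `RecordValidationError`, `check_record`, `validate_record`, `encode_digest`, the allowlist (the wheel spec does not permit md5 or sha1) and the sample data are assumptions made for this example.

```python
import base64
import csv
import hashlib
import io

ALLOWED_ALGORITHMS = frozenset({"sha256", "sha384", "sha512"})  # example allowlist (assumption)


class RecordValidationError(Exception):
    """Hypothetical error type; not installer's own exception class."""


def encode_digest(algorithm, data):
    """Digest as urlsafe base64 without padding, as RECORD stores it."""
    raw = hashlib.new(algorithm, data).digest()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def check_record(record_text, files):
    """Return a list of problems; files maps archive path -> bytes."""
    issues = []
    for row in csv.reader(io.StringIO(record_text)):
        if len(row) != 3:
            issues.append(f"malformed row: {row!r}")
            continue
        path, hash_field, _size = row
        algorithm, sep, encoded = hash_field.partition("=")
        if not hash_field:
            continue  # RECORD lists itself without a hash
        # Reject unknown names before hashlib.new() can raise ValueError.
        if not sep or algorithm not in ALLOWED_ALGORITHMS:
            issues.append(f"{path}: invalid hash algorithm `{algorithm}`")
        elif path not in files:
            issues.append(f"{path}: listed in RECORD but not in archive")
        elif encoded != encode_digest(algorithm, files[path]):
            issues.append(f"{path}: hash mismatch")
    return issues


def validate_record(record_text, files):
    issues = check_record(record_text, files)
    if issues:
        raise RecordValidationError("; ".join(issues))


# Constructed sample data, not taken from a real wheel.
FILES = {"fancy/__init__.py": b"VALUE = 1\n"}
DIGEST = encode_digest("sha256", FILES["fancy/__init__.py"])
GOOD_RECORD = f"fancy/__init__.py,sha256={DIGEST},10\nfancy-1.0.0.dist-info/RECORD,,\n"
BAD_RECORD = GOOD_RECORD.replace("sha256=", "sha=")
```

Collecting every problem before raising means a single pass over RECORD reports all bad rows, which is easier to triage than stopping at the first one.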