audit: disallow github.com/org/repo/pull/n/commits/hash.patch?full_index=1
This commit is contained in:
parent
d079aaa083
commit
a9eda38bc7
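--- a/<file 1 path not shown on page>
+++ b/<file 1 path not shown on page>
@@ -421,6 +421,10 @@ def _check_patch_urls(pkgs, error_cls):
 r"^https?://(?:patch-diff\.)?github(?:usercontent)?\.com/"
 r".+/.+/(?:commit|pull)/[a-fA-F0-9]+\.(?:patch|diff)"
 )
+github_unstable_pull_commits_re = (
+r"^https?://(?:patch-diff\.)?github(?:usercontent)?\.com/"
+r".+/.+/pull/\d+/commits/[a-fA-F0-9]+\.(?:patch|diff)"
+)
 # Only .diff URLs have stable/full hashes:
 # https://forum.gitlab.com/t/patches-with-full-index/29313
 gitlab_patch_url_re = (
@@ -436,14 +440,19 @@ def _check_patch_urls(pkgs, error_cls):
 if not isinstance(patch, spack.patch.UrlPatch):
 continue
 
-if re.match(github_patch_url_re, patch.url):
+if re.match(github_unstable_pull_commits_re, patch.url):
+errors.append(
+error_cls(
+f"patch URL in package {pkg_cls.name} must not be a pull request commit",
+[patch.url],
+)
+)
+elif re.match(github_patch_url_re, patch.url):
 full_index_arg = "?full_index=1"
 if not patch.url.endswith(full_index_arg):
 errors.append(
 error_cls(
-"patch URL in package {0} must end with {1}".format(
-pkg_cls.name, full_index_arg
-),
+f"patch URL in package {pkg_cls.name} must end with {full_index_arg}",
 [patch.url],
 )
 )
@@ -451,9 +460,7 @@ def _check_patch_urls(pkgs, error_cls):
 if not patch.url.endswith(".diff"):
 errors.append(
 error_cls(
-"patch URL in package {0} must end with .diff".format(
-pkg_cls.name
-),
+f"patch URL in package {pkg_cls.name} must end with .diff",
 [patch.url],
 )
 )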
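Review bot: The new `github_unstable_pull_commits_re` pattern has no comment saying why pull-request commit URLs are rejected, while the GitLab pattern directly below it carries a why-comment with a reference; a maintainer seeing a pinned sha256 on such a URL will otherwise not understand what the audit protects against. Add a comment above the assignment along the lines of `# pull/N/commits/<hash>.patch URLs are rejected outright (even with ?full_index=1): they are served relative to the pull request, not a permanent ref, so the content behind them is not guaranteed to stay fetchable or identical — TODO confirm the exact failure mode and cite it here`. It is also worth stating in that comment that this branch deliberately runs before the `full_index_arg` check, so a pull-commit URL that already ends in `?full_index=1` is still flagged, which is what the commit title describes. The body of `_check_patch_urls` begins and ends outside these hunks.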
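--- a/<file 2 path not shown on page>
+++ b/<file 2 path not shown on page>
@@ -19,6 +19,8 @@
 (["missing-dependency"], ["PKG-DIRECTIVES", "PKG-PROPERTIES"]),
 # The package use a non existing variant in a depends_on directive
 (["wrong-variant-in-depends-on"], ["PKG-DIRECTIVES", "PKG-PROPERTIES"]),
+# This package has a GitHub pull request commit patch URL
+(["invalid-github-pull-commits-patch-url"], ["PKG-DIRECTIVES", "PKG-PROPERTIES"]),
 # This package has a GitHub patch URL without full_index=1
 (["invalid-github-patch-url"], ["PKG-DIRECTIVES", "PKG-PROPERTIES"]),
 # This package has invalid GitLab patch URLs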
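--- /dev/null
+++ b/<file 3 path not shown on page>
@@ -0,0 +1,20 @@
+# Copyright 2013-2024 Lawrence Livermore National Security, LLC and other
+# Spack Project Developers. See the top-level COPYRIGHT file for details.
+#
+# SPDX-License-Identifier: (Apache-2.0 OR MIT)
+
+from spack.package import *
+
+
+class InvalidGithubPullCommitsPatchUrl(Package):
+"""Package that has a GitHub pull request commit patch URL that fails auditing."""
+
+homepage = "http://www.example.com"
+url = "http://www.example.com/patch-1.0.tar.gz"
+
+version("1.0", md5="0123456789abcdef0123456789abcdef")
+
+patch(
+"https://github.com/spack/spack/pull/1/commits/b4da28f71e2cef84c6e289afe89aa4bdf7936048.patch?full_index=1",
+sha256="eae9035b832792549fac00680db5f180a88ff79feb7d7a535b4fd71f9d885e73",
+)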
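Review bot: The fixture's patch URL carries `?full_index=1` on purpose, but nothing in the file says so; someone tidying the mock packages could drop the query string and the audit would then report the older "must end with ?full_index=1" error instead of exercising the new pull-request-commit rule, leaving that rule untested. Add a comment above `patch(` such as `# ?full_index=1 is intentional: the audit must reject the pull-request commit URL itself, not merely a missing full_index argument`. The sha256 and md5 values here are presumably fixture placeholders that the audit never fetches or verifies, which is also worth a one-line comment so nobody tries to "correct" them.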