Closed Bug 1731147 Opened 3 years ago Closed 3 years ago

thunderbird-packages.txt files can circumvent restrictions meant to block installing from Pypi

Categories

(Firefox Build System :: Mach Core, defect)

defect

Tracking

(firefox94 fixed)

RESOLVED FIXED
94 Branch
Tracking Status
firefox94 --- fixed

People

(Reporter: rjl, Assigned: mhentges)

References

(Depends on 1 open bug)

Details

Attachments

(1 file)

The restrictions to prevent thunderbird-packages.txt files from installing from PyPi have a flaw. If a requirements file included with thunderbird-packages.txt includes another requirements file with packages.txt, the second file can install packages from PyPi into the resulting virtualenv.

STR:

  • Modify comm/build/virtualenv_packages.txt. Add a packages.txt: line:
    packages.txt:comm/build/pypi_packages.txt
  • Create comm/build/pypi_packages.txt with a pypi: line:
    pypi:func_nested_list==1.4.0
  • Create func_nested_list_requirements.in with the content:
    pypi:func_nested_list==1.4.0
  • Run pip-compile --generate-hashes --output-file=func_nested_list_requirements.txt func_nested_list_requirements.in
  • Run mach python

Expected:
Error message preventing PyPi package installation.

Actual:
The common virtualenv is regenerated and func-nested-list is installed from PyPi.

The problem is in python/mozbuild/mozbuild/requirements.py.
https://searchfox.org/mozilla-central/rev/d8d7539593d5a3071841289dee72f971650073ce/python/mozbuild/mozbuild/requirements.py#86-89

The packages.txt action needs to pass along the value of is_thunderbird_packages_txt to _parse_requirements_definition_file to prevent this from happening.
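As an added example (not mozbuild's own code), the following is a minimal model of the recursive requirements-definition parser this bug describes: the `packages.txt:` action recurses into another definition file, and whether the `is_thunderbird_packages_txt` flag is carried into that recursion decides whether a nested `pypi:` line is refused or silently installed. The function names, the exception class and the in-memory file contents are constructed stand-ins; only the line prefixes and the flag name come from the report.

```python
# Constructed in-memory "files" keyed by path, mirroring the STR above.
# These are stand-ins, not the real comm/build files.
FILES = {
    "comm/build/virtualenv_packages.txt": [
        "packages.txt:comm/build/pypi_packages.txt",
    ],
    "comm/build/pypi_packages.txt": [
        "pypi:func_nested_list==1.4.0",
    ],
}


class PypiNotAllowedError(Exception):
    """Raised when a pypi: line is reached from a thunderbird-packages.txt."""


def parse_definition_file(path, is_thunderbird_packages_txt, propagate_flag,
                          files=FILES):
    """Return the pypi requirements collected from `path` (hypothetical helper).

    `is_thunderbird_packages_txt` forbids pypi: lines. With `propagate_flag`
    False the parser models the bug: the flag is dropped when recursing into
    a packages.txt: include, so nested pypi: lines slip through. With it True
    the flag is carried into every nested file (the fix described above).
    """
    pypi_requirements = []
    for line in files[path]:
        action, _, value = line.partition(":")
        if action == "pypi":
            if is_thunderbird_packages_txt:
                raise PypiNotAllowedError(f"{path}: pypi: not allowed: {value}")
            pypi_requirements.append(value)
        elif action == "packages.txt":
            nested_flag = is_thunderbird_packages_txt if propagate_flag else False
            pypi_requirements.extend(
                parse_definition_file(value, nested_flag, propagate_flag, files))
        else:
            raise ValueError(f"{path}: unknown action {action!r}")
    return pypi_requirements


def thunderbird_pypi_leak(propagate_flag):
    """True if a pypi: install leaks through a thunderbird-packages.txt tree."""
    try:
        leaked = parse_definition_file("comm/build/virtualenv_packages.txt",
                                       True, propagate_flag)
    except PypiNotAllowedError:
        return False
    return bool(leaked)
```

With `propagate_flag=False` the nested file's `pypi:` entry is collected, which is the "Actual" outcome in the STR; with the flag carried through, the same tree raises at the nested line.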

Assignee: nobody → mhentges
Status: NEW → ASSIGNED

Nice catch ;)

is_thunderbird_packages_txt was being reset to True when entering a
packages.txt file within thunderbird-packages.txt.

This patch also cleans up a duplicated assertion.

Pushed by mhentges@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c9a191f99fa3
Keep `is_thunderbird_txt` state in transitive packages.txt r=ahal
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 94 Branch
