Poetry 1.1.8 does not include the security fix for mismatching package hashes

[pietrodn]

Hello, it appears to me that the latest Poetry release (1.1.8) does not contain this important security fix that makes Poetry actually check the hashes of downloaded files against the hashes in poetry.lock.

I tried to alter the hashes in my poetry.lock and reinstall one package on Poetry 1.1.8, and it did not complain.
Also, it's evident that this commit is not present in the chooser.py file in the release-1.1.8 branch, but it is present in the master version of the file.

It looks like some weird Git merging issue.
Can we make sure this security fix gets included ASAP in the next release? Thank you 🙏🏼

[mkniewallner]

The pull request containing the fix was made against master branch, which represents the development of version 1.2. Thus it's expected that version 1.1.8 doesn't contain the fix.

If the fix were to also be included in 1.1.x versions, it would need to be backported by doing a pull request against 1.1 branch (for instance #4331).

[pietrodn]

I did as you suggested, creating this PR to backport the fix.

Unfortunately this PR isn't sufficient to correct the bug, as this other PR needs to be backported to poetry-core 1.0.

I tried to do so, but with the given change poetry install crashes and I can't seem to find the cause.

[pietrodn]

More precisely, if I backport the poetry-core PR, Poetry fails with the following (see python-poetry/poetry-core#193):

$ ~/git/poetry/.venv/bin/poetry install
Creating virtualenv tmp in /Users/pietro/tmp/.venv
Installing dependencies from lock file

Package operations: 1 install, 0 updates, 0 removals

  • Installing attrs (21.2.0): Failed

  AttributeError

  'Link' object has no attribute 'is_absolute'

  at ~/git/poetry/.venv/lib/python3.9/site-packages/poetry/core/packages/file_dependency.py:34 in __init__
       30│         self._base = base or Path.cwd()
       31│         self._full_path = path
       32│
       33│         #raise ValueError(type(path))
    →  34│         if not self._path.is_absolute():
       35│             try:
       36│                 self._full_path = self._base.joinpath(self._path).resolve()
       37│             except FileNotFoundError:
       38│                 raise ValueError("Directory {} does not exist".format(self._path))

I think that there is an underlying bug where an object that should be a Path is actually a Link, and that is exposed by the fact that the Package.files attribute gets cloned, and not lost as of now in Poetry 1.1.8.

[pietrodn]

It is fixed in 1.1.9, I just checked that poetry install correctly detects a corrupt hash. Thanks!

[dougn]

Granted, now I get this error:
• Installing auth-client (1.6.0): Failed

AttributeError

'Link' object has no attribute 'name'

at ~/.pyenv/versions/3.7.9/lib/python3.7/site-packages/poetry/installation/executor.py:620 in _download_link
616│ ).hash()
617│ )
618│ if archive_hash not in {f["hash"] for f in package.files}:
619│ raise RuntimeError(
→ 620│ "Invalid hash for {} using archive {}".format(package, archive.name)
• Installing auth-client (1.6.0): Failed

AttributeError

'Link' object has no attribute 'name'

WHY exactly auth-client, and another internal to my company package are failing the hash check is a different and scary question. This is on a fresh clean install with no lock file.

The hash being calculated here is sha256, but the one in the lock file is md5?

                "sha256:"
                + FileDependency(
                    package.name,
                    Path(archive.path) if isinstance(archive, Link) else archive,
                ).hash()

               auth-client = [
    {file = "auth-client-1.6.0.tar.gz", hash = "md5:8d31d21501d5c9636dabc81a170c8ce2"},
    {file = "auth_client-1.6.0-py3-none-any.whl", hash = "md5:5f48300ec0964ef5d72436647c6b4a8f"},
]

[j-a-n]

The hash being calculated here is sha256, but the one in the lock file is md5?

I had the same problem with our internal pypiserver.
After adding --hash-algo=sha256 to the pypiserver cmdline and clearing poetry cache it works again.

[dougn]

Not an option for our artifactory server :-(

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.