legacy: lingering PEP 527 changes (#13881)

woodruffw · web-flow · commit 0e3ac7da876d · 2023-06-07T00:03:58.000-04:00
Signed-off-by: William Woodruff &lt;william@trailofbits.com&gt;
diff --git a/tests/unit/forklift/test_legacy.py b/tests/unit/forklift/test_legacy.py
@@ -487,17 +487,9 @@ class TestFileValidation:
     def test_defaults_to_true(self):
         assert legacy._is_valid_dist_file("", "")
 
-    @pytest.mark.parametrize(
-        ("filename", "filetype"),
-        [("test.exe", "bdist_msi"), ("test.msi", "bdist_wininst")],
-    )
-    def test_bails_with_invalid_package_type(self, filename, filetype):
-        assert not legacy._is_valid_dist_file(filename, filetype)
-
     @pytest.mark.parametrize(
         ("filename", "filetype"),
         [
-            ("test.exe", "bdist_wininst"),
             ("test.zip", "sdist"),
             ("test.egg", "bdist_egg"),
             ("test.whl", "bdist_wheel"),
@@ -511,9 +503,7 @@ def test_bails_with_invalid_zipfile(self, tmpdir, filename, filetype):
 
         assert not legacy._is_valid_dist_file(f, filetype)
 
-    @pytest.mark.parametrize(
-        "filename", ["test.tar", "test.tar.gz", "test.tgz", "test.tar.bz2", "test.tbz2"]
-    )
+    @pytest.mark.parametrize("filename", ["test.tar.gz"])
     def test_bails_with_invalid_tarfile(self, tmpdir, filename):
         fake_tar = str(tmpdir.join(filename))
 
@@ -522,7 +512,7 @@ def test_bails_with_invalid_tarfile(self, tmpdir, filename):
 
         assert not legacy._is_valid_dist_file(fake_tar, "sdist")
 
-    @pytest.mark.parametrize("compression", ("", "gz", "bz2"))
+    @pytest.mark.parametrize("compression", ("gz",))
     def test_tarfile_validation_invalid(self, tmpdir, compression):
         file_extension = f".{compression}" if compression else ""
         tar_fn = str(tmpdir.join(f"test.tar{file_extension}"))
@@ -538,7 +528,7 @@ def test_tarfile_validation_invalid(self, tmpdir, compression):
             tar_fn, "sdist"
         ), "no PKG-INFO; should fail"
 
-    @pytest.mark.parametrize("compression", ("", "gz", "bz2"))
+    @pytest.mark.parametrize("compression", ("gz",))
     def test_tarfile_validation_valid(self, tmpdir, compression):
         file_extension = f".{compression}" if compression else ""
         tar_fn = str(tmpdir.join(f"test.tar{file_extension}"))
@@ -554,38 +544,6 @@ def test_tarfile_validation_valid(self, tmpdir, compression):
 
         assert legacy._is_valid_dist_file(tar_fn, "sdist")
 
-    def test_wininst_unsafe_filename(self, tmpdir):
-        f = str(tmpdir.join("test.exe"))
-
-        with zipfile.ZipFile(f, "w") as zfp:
-            zfp.writestr("something/bar.py", b"the test file")
-
-        assert not legacy._is_valid_dist_file(f, "bdist_wininst")
-
-    def test_wininst_safe_filename(self, tmpdir):
-        f = str(tmpdir.join("test.exe"))
-
-        with zipfile.ZipFile(f, "w") as zfp:
-            zfp.writestr("purelib/bar.py", b"the test file")
-
-        assert legacy._is_valid_dist_file(f, "bdist_wininst")
-
-    def test_msi_invalid_header(self, tmpdir):
-        f = str(tmpdir.join("test.msi"))
-
-        with open(f, "wb") as fp:
-            fp.write(b"this isn't the correct header for an msi")
-
-        assert not legacy._is_valid_dist_file(f, "bdist_msi")
-
-    def test_msi_valid_header(self, tmpdir):
-        f = str(tmpdir.join("test.msi"))
-
-        with open(f, "wb") as fp:
-            fp.write(b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1")
-
-        assert legacy._is_valid_dist_file(f, "bdist_msi")
-
     def test_zip_no_pkg_info(self, tmpdir):
         f = str(tmpdir.join("test.zip"))
 
diff --git a/warehouse/forklift/legacy.py b/warehouse/forklift/legacy.py
@@ -660,11 +660,6 @@ def _validate_filename(filename):
         )
 
 
-_safe_zipnames = re.compile(r"(purelib|platlib|headers|scripts|data).+", re.I)
-# .tar uncompressed, .tar.gz .tgz, .tar.bz2 .tbz2
-_tar_filenames_re = re.compile(r"\.(?:tar$|t(?:ar\.)?(?P<z_type>gz|bz2)$)")
-
-
 def _is_valid_dist_file(filename, filetype):
     """
     Perform some basic checks to see whether the indicated file could be
@@ -698,15 +693,13 @@ def _is_valid_dist_file(filename, filetype):
                 }:
                     return False
 
-    tar_fn_match = _tar_filenames_re.search(filename)
-    if tar_fn_match:
+    if filename.endswith(".tar.gz"):
         # TODO: Ideally Ensure the compression ratio is not absurd
         # (decompression bomb), like we do for wheel/zip above.
 
         # Ensure that this is a valid tar file, and that it contains PKG-INFO.
-        z_type = tar_fn_match.group("z_type") or ""
         try:
-            with tarfile.open(filename, f"r:{z_type}") as tar:
+            with tarfile.open(filename, "r:gz") as tar:
                 # This decompresses the entire stream to validate it and the
                 # tar within.  Easy CPU DoS attack. :/
                 bad_tar = True
@@ -720,34 +713,6 @@ def _is_valid_dist_file(filename, filetype):
                     return False
         except (tarfile.ReadError, EOFError):
             return False
-    elif filename.endswith(".exe"):
-        # The only valid filetype for a .exe file is "bdist_wininst".
-        if filetype != "bdist_wininst":
-            return False
-
-        # Ensure that the .exe is a valid zip file, and that all of the files
-        # contained within it have safe filenames.
-        try:
-            with zipfile.ZipFile(filename, "r") as zfp:
-                # We need the no branch below to work around a bug in
-                # coverage.py where it's detecting a missed branch where there
-                # isn't one.
-                for zipname in zfp.namelist():  # pragma: no branch
-                    if not _safe_zipnames.match(zipname):
-                        return False
-        except zipfile.BadZipFile:
-            return False
-    elif filename.endswith(".msi"):
-        # The only valid filetype for a .msi is "bdist_msi"
-        if filetype != "bdist_msi":
-            return False
-
-        # Check the first 8 bytes of the MSI file. This was taken from the
-        # legacy implementation of PyPI which itself took it from the
-        # implementation of `file` I believe.
-        with open(filename, "rb") as fp:
-            if fp.read(8) != b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1":
-                return False
     elif filename.endswith(".zip") or filename.endswith(".egg"):
         # Ensure that the .zip/.egg is a valid zip file, and that it has a
         # PKG-INFO file.
