Пример #1
0
    def _validate_secure_origin(self, logger, location):
        # Determine if this url used a secure transport mechanism
        parsed = urllib_parse.urlparse(str(location))
        origin = (parsed.scheme, parsed.hostname, parsed.port)

        # The protocol to use to see if the protocol matches.
        # Don't count the repository type as part of the protocol: in
        # cases such as "git+ssh", only use "ssh". (I.e., Only verify against
        # the last scheme.)
        protocol = origin[0].rsplit('+', 1)[-1]

        # Determine if our origin is a secure origin by looking through our
        # hardcoded list of secure origins, as well as any additional ones
        # configured on this PackageFinder instance.
        for secure_origin in (SECURE_ORIGINS + self.secure_origins):
            if protocol != secure_origin[0] and secure_origin[0] != "*":
                continue

            try:
                # We need to do this decode dance to ensure that we have a
                # unicode object, even on Python 2.x.
                addr = ipaddress.ip_address(origin[1] if (
                    isinstance(origin[1], six.text_type) or origin[1] is None
                ) else origin[1].decode("utf8"))
                network = ipaddress.ip_network(secure_origin[1] if isinstance(
                    secure_origin[1], six.text_type) else secure_origin[1].
                                               decode("utf8"))
            except ValueError:
                # We don't have both a valid address or a valid network, so
                # we'll check this origin against hostnames.
                if origin[1] != secure_origin[1] and secure_origin[1] != "*":
                    continue
            else:
                # We have a valid address and network, so see if the address
                # is contained within the network.
                if addr not in network:
                    continue

            # Check to see if the port patches
            if (origin[2] != secure_origin[2] and secure_origin[2] != "*"
                    and secure_origin[2] is not None):
                continue

            # If we've gotten here, then this origin matches the current
            # secure origin and we should return True
            return True

        # If we've gotten to this point, then the origin isn't secure and we
        # will not accept it as a valid location to search. We will however
        # log a warning that we are ignoring it.
        logger.warning(
            "The repository located at %s is not a trusted or secure host and "
            "is being ignored. If this repository is available via HTTPS it "
            "is recommended to use HTTPS instead, otherwise you may silence "
            "this warning and allow it anyways with '--trusted-host %s'.",
            parsed.hostname,
            parsed.hostname,
        )

        return False
Пример #2
0
    def _validate_secure_origin(self, logger, location):
        # Determine if this url used a secure transport mechanism
        parsed = urllib_parse.urlparse(str(location))
        origin = (parsed.scheme, parsed.hostname, parsed.port)

        # Determine if our origin is a secure origin by looking through our
        # hardcoded list of secure origins, as well as any additional ones
        # configured on this PackageFinder instance.
        for secure_origin in (SECURE_ORIGINS + self.secure_origins):
            # Check to see if the protocol matches
            if origin[0] != secure_origin[0] and secure_origin[0] != "*":
                continue

            try:
                # We need to do this decode dance to ensure that we have a
                # unicode object, even on Python 2.x.
                addr = ipaddress.ip_address(origin[1] if (
                    isinstance(origin[1], six.text_type) or origin[1] is None
                ) else origin[1].decode("utf8"))
                network = ipaddress.ip_network(secure_origin[1] if isinstance(
                    secure_origin[1], six.text_type) else secure_origin[1].
                                               decode("utf8"))
            except ValueError:
                # We don't have both a valid address or a valid network, so
                # we'll check this origin against hostnames.
                if origin[1] != secure_origin[1] and secure_origin[1] != "*":
                    continue
            else:
                # We have a valid address and network, so see if the address
                # is contained within the network.
                if addr not in network:
                    continue

            # Check to see if the port patches
            if (origin[2] != secure_origin[2] and secure_origin[2] != "*"
                    and secure_origin[2] is not None):
                continue

            # If we've gotten here, then this origin matches the current
            # secure origin and we should break out of the loop and continue
            # on.
            break
        else:
            # If the loop successfully completed without a break, that means
            # that the origin we are testing is not a secure origin.
            logger.warning(
                "This repository located at %s is not a trusted host, if "
                "this repository is available via HTTPS it is recommend to "
                "use HTTPS instead, otherwise you may silence this warning "
                "with '--trusted-host %s'.",
                parsed.hostname,
                parsed.hostname,
            )

            warnings.warn(
                "Implicitly allowing locations which are not hosted at a "
                "secure origin is deprecated and will require the use of "
                "--trusted-host in the future.",
                RemovedInPip7Warning,
            )
Пример #3
0
    def _validate_secure_origin(self, logger, location):
        # Determine if this url used a secure transport mechanism
        parsed = urllib_parse.urlparse(str(location))
        origin = (parsed.scheme, parsed.hostname, parsed.port)

        # Determine if our origin is a secure origin by looking through our
        # hardcoded list of secure origins, as well as any additional ones
        # configured on this PackageFinder instance.
        for secure_origin in SECURE_ORIGINS + self.secure_origins:
            # Check to see if the protocol matches
            if origin[0] != secure_origin[0] and secure_origin[0] != "*":
                continue

            try:
                # We need to do this decode dance to ensure that we have a
                # unicode object, even on Python 2.x.
                addr = ipaddress.ip_address(
                    origin[1]
                    if (isinstance(origin[1], six.text_type) or origin[1] is None)
                    else origin[1].decode("utf8")
                )
                network = ipaddress.ip_network(
                    secure_origin[1] if isinstance(secure_origin[1], six.text_type) else secure_origin[1].decode("utf8")
                )
            except ValueError:
                # We don't have both a valid address or a valid network, so
                # we'll check this origin against hostnames.
                if origin[1] != secure_origin[1] and secure_origin[1] != "*":
                    continue
            else:
                # We have a valid address and network, so see if the address
                # is contained within the network.
                if addr not in network:
                    continue

            # Check to see if the port patches
            if origin[2] != secure_origin[2] and secure_origin[2] != "*" and secure_origin[2] is not None:
                continue

            # If we've gotten here, then this origin matches the current
            # secure origin and we should return True
            return True

        # If we've gotten to this point, then the origin isn't secure and we
        # will not accept it as a valid location to search. We will however
        # log a warning that we are ignoring it.
        logger.warning(
            "The repository located at %s is not a trusted or secure host and "
            "is being ignored. If this repository is available via HTTPS it "
            "is recommended to use HTTPS instead, otherwise you may silence "
            "this warning and allow it anyways with '--trusted-host %s'.",
            parsed.hostname,
            parsed.hostname,
        )

        return False
Пример #4
0
    def _validate_secure_origin(self, logger, location):
        # Determine if this url used a secure transport mechanism
        parsed = urllib_parse.urlparse(str(location))
        origin = (parsed.scheme, parsed.hostname, parsed.port)

        # Determine if our origin is a secure origin by looking through our
        # hardcoded list of secure origins, as well as any additional ones
        # configured on this PackageFinder instance.
        for secure_origin in (SECURE_ORIGINS + self.secure_origins):
            # Check to see if the protocol matches
            if origin[0] != secure_origin[0] and secure_origin[0] != "*":
                continue

            try:
                # We need to do this decode dance to ensure that we have a
                # unicode object, even on Python 2.x.
                addr = ipaddress.ip_address(
                    origin[1]
                    if (
                        isinstance(origin[1], six.text_type)
                        or origin[1] is None
                    )
                    else origin[1].decode("utf8")
                )
                network = ipaddress.ip_network(
                    secure_origin[1]
                    if isinstance(secure_origin[1], six.text_type)
                    else secure_origin[1].decode("utf8")
                )
            except ValueError:
                # We don't have both a valid address or a valid network, so
                # we'll check this origin against hostnames.
                if origin[1] != secure_origin[1] and secure_origin[1] != "*":
                    continue
            else:
                # We have a valid address and network, so see if the address
                # is contained within the network.
                if addr not in network:
                    continue

            # Check to see if the port patches
            if (origin[2] != secure_origin[2]
                    and secure_origin[2] != "*"
                    and secure_origin[2] is not None):
                continue

            # If we've gotten here, then this origin matches the current
            # secure origin and we should break out of the loop and continue
            # on.
            break
        else:
            # If the loop successfully completed without a break, that means
            # that the origin we are testing is not a secure origin.
            logger.warning(
                "This repository located at %s is not a trusted host, if "
                "this repository is available via HTTPS it is recommend to "
                "use HTTPS instead, otherwise you may silence this warning "
                "with '--trusted-host %s'.",
                parsed.hostname,
                parsed.hostname,
            )

            warnings.warn(
                "Implicitly allowing locations which are not hosted at a "
                "secure origin is deprecated and will require the use of "
                "--trusted-host in the future.",
                RemovedInPip7Warning,
            )