Hackage accepts .cabal files with 2 source-repository head entries #1259

andreasabel opened this issue Oct 11, 2023 · 2 comments

andreasabel commented Oct 11, 2023

E.g. this one: https://hackage.haskell.org/package/pipes-zlib-0.4.4.2/pipes-zlib.cabal

```cabal
source-repository head
    type: git
    location: https://github.com/k0001/pipes-zlib.git
```

...lots of stuff...

```cabal
source-repository head
  type:     git
  location: https://github.com/githubuser/twio
```

When you do `cabal get -s pipes-zlib` you see no error either; it somehow decides on one of these sources.
(Likely on the first one, because the second does not exist.)

I can see how this could maybe be exploited, tricking developers into downloading and running malicious code, by sneaking in an evil source-repository stanza that is overlooked. (E.g. by a malicious Hackage trustee or co-uploader.)

hackage-server should not rely on cabal check or sdist catching this but refute such packages.

One wonders how such bugs arise in the first place; likely by violation of the "parse, don't validate" principle.
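The ambiguity described above is easy to detect mechanically: a `.cabal` file should declare at most one `source-repository` stanza per kind (`head` or `this`). The following is an added illustration of such a gate, not code from hackage-server or Cabal. It handles only the indentation-based layout of the cabal format (not the brace syntax) and whole-line `--` comments, which is enough to flag the pattern in the report; the sample file and its second repository URL are constructed placeholders, not the real package.

```python
"""Detect duplicate `source-repository` stanzas of the same kind in a .cabal file.

Added example, not hackage-server or Cabal code. Assumptions: indentation-based
layout only (no `{ }` sections), comments are whole lines starting with `--`.
"""
import re
from collections import Counter

# Top-level stanza header: no indentation, the keyword `source-repository`,
# then the kind (`head` or `this`). Cabal keywords are case-insensitive.
STANZA_RE = re.compile(r"^source-repository\s+(\S+)\s*$", re.IGNORECASE)
# An indented `name: value` field inside a stanza.
FIELD_RE = re.compile(r"^\s+([A-Za-z][\w-]*)\s*:\s*(.*?)\s*$")


def parse_source_repositories(text):
    """Return [(kind, fields), ...] for every source-repository stanza, in
    file order. `fields` maps lower-cased field names to their values."""
    stanzas = []
    current = None  # fields dict of the stanza being read, or None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("--"):
            continue  # blank line or whole-line comment
        if not line[0].isspace():
            # Any non-indented line starts a new top-level section and
            # therefore ends the stanza we were reading.
            m = STANZA_RE.match(line)
            current = {} if m else None
            if m:
                stanzas.append((m.group(1).lower(), current))
            continue
        if current is not None:
            m = FIELD_RE.match(line)
            if m:
                current[m.group(1).lower()] = m.group(2)
    return stanzas


def duplicate_kinds(text):
    """Kinds (e.g. 'head') declared more than once; empty list means OK."""
    counts = Counter(kind for kind, _ in parse_source_repositories(text))
    return sorted(k for k, n in counts.items() if n > 1)


def check_cabal(text):
    """Lint gate returning (ok, message); rejects ambiguous declarations so
    a reviewer sees every candidate location instead of a silent pick."""
    dups = duplicate_kinds(text)
    if not dups:
        return True, "ok"
    locations = [fields.get("location", "<none>")
                 for kind, fields in parse_source_repositories(text)
                 if kind in dups]
    return False, "duplicate source-repository stanza(s) for %s; locations: %s" % (
        ", ".join(dups), "; ".join(locations))


# Constructed sample modelled on the shape described in the issue. The second
# stanza points at a placeholder host, not at any real repository.
SAMPLE = """\
name:    example-package
version: 0.1.0.0

source-repository head
    type: git
    location: https://github.com/example-org/example-package.git

library
  exposed-modules: Example
  -- ...lots of stuff...

source-repository head
  type:     git
  location: https://example.invalid/someone-else/example-package
"""

if __name__ == "__main__":
    ok, msg = check_cabal(SAMPLE)
    print("accept" if ok else "reject", "-", msg)
```

Run against the sample it rejects the file and lists both locations; a file with one `head` stanza and one `this` stanza passes, since those are different kinds.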


gbaz commented Oct 17, 2023

I don't think hackage-server should do any checking on top of cabal check -- it would be an entirely new mechanism to add. I also don't think you can add source-repository stanzas by revision?


andreasabel commented Oct 18, 2023

> I don't think hackage-server should do any checking on top of cabal check -- it would be an entirely new mechanism to add.

As I understand, hackage-server uses `cabal check` (possibly with some configuration), so I think we should make sure the latter is correct in the version of Cabal we are linking to here.

> I also don't think you can add source-repository stanzas by revision?

It looks like you can:

```
$ hackage-cli push-cabal pipes-zlib.cabal --incr-rev

Pushing "pipes-zlib.cabal" (pipes-zlib-0.4.4.2~1) [review-mode] ...
Hackage response was (after 0.742 secs):
Changes:
```
