Verify GitLab pages URLs #16753

Open
wangenau opened this issue Sep 19, 2024 · 1 comment · May be fixed by #16918
@wangenau commented Sep 19, 2024
What's the problem this feature will solve?
After playing around with the new verified sections through trusted publishing, I noticed that GitLab pages will not be marked as verified.
According to the documentation, this is the case for GitHub, but not GitLab: https://docs.pypi.org/project_metadata/#verified-details
Since documentation is often uploaded to GitLab pages, this will create an unpleasant split between verified details (i.e., the repository URL) and unverified URLs (i.e., the documentation URL).

Describe the solution you'd like
Similar to GitHub, the GitLab pages should get verified as well. Similar to the documentation, these would need to be added:

  • https://pypa.gitlab.io/pip
  • https://pypa.gitlab.io/pip/* (all subpaths)
@wangenau added the `feature request` and `requires triaging` (maintainers need to do initial inspection of issue) labels Sep 19, 2024
@di removed the `requires triaging` (maintainers need to do initial inspection of issue) label Sep 19, 2024
@di (Member) commented Sep 19, 2024

I think we can do something similar to what we do for GitHub here:

```python
# Method of Warehouse's GitHub Trusted Publisher model. It relies on the
# parent class's generic verify_url() and on the publisher's
# repository_owner / repository_name attributes.
import rfc3986


def verify_url(self, url: str):
    """
    Verify a given URL against this GitHub's publisher information

    In addition to the generic Trusted Publisher verification logic in
    the parent class, the GitHub Trusted Publisher allows URLs hosted
    on `github.io` for the configured repository, i.e:
    `https://${OWNER}.github.io/${REPO_NAME}/`.

    As with the generic verification, we allow subpaths of the `.io` URL,
    but we normalize using `rfc3986` to reject things like
    `https://${OWNER}.github.io/${REPO_NAME}/../malicious`, which would
    resolve to a URL outside the `/$REPO_NAME` path.

    The suffix `.git` in repo URLs is ignored, since `github.com/org/repo.git`
    always redirects to `github.com/org/repo`. This does not apply to subpaths,
    like `github.com/org/repo.git/issues`, which do not redirect to the correct URL.
    """
    url_for_generic_check = url.removesuffix("/").removesuffix(".git")
    if super().verify_url(url_for_generic_check):
        return True

    # Build the canonical pages URL and normalize both sides so that
    # dot-segments ("..", ".") cannot escape the repository's subtree.
    docs_url = f"https://{self.repository_owner}.github.io/{self.repository_name}"
    docs_uri = rfc3986.api.uri_reference(docs_url).normalize()
    user_uri = rfc3986.api.uri_reference(url).normalize()
    if not user_uri.path:
        return False
    is_subpath = docs_uri.path == user_uri.path or user_uri.path.startswith(
        docs_uri.path + "/"
    )
    return (
        docs_uri.scheme == user_uri.scheme
        and docs_uri.authority == user_uri.authority
        and is_subpath
    )
```

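As an added, stand-alone illustration of the check wangenau asks for and of the GitHub-pages logic di quotes above (this is example code, not Warehouse's own implementation): a `verify_gitlab_pages_url` function that accepts `https://<owner>.gitlab.io/<repo>` and its subpaths and rejects everything else. Warehouse normalizes with the `rfc3986` package; this example uses only the standard library (`urllib.parse` plus `posixpath.normpath` for dot-segment removal) so it runs without extra dependencies, and it additionally checks the percent-decoded path so an encoded `..` cannot slip past the prefix test. The function name, the `owner`/`repo` parameters and the sample URLs are all constructed for the example.

```python
"""
Added example (not Warehouse code): verify that a URL lies under the GitLab
pages site for a given owner/repo, mirroring the GitHub pages check quoted in
the issue but built on the standard library instead of `rfc3986`.
"""
import posixpath
from urllib.parse import unquote, urlsplit


def _normalized_path(path: str) -> str:
    """Resolve dot-segments ("." and "..") as RFC 3986 normalization does.

    posixpath.normpath also collapses duplicate slashes and drops a trailing
    slash, which suits the comparison below: "/pip" and "/pip/" are treated as
    the same location.
    """
    if not path:
        return ""
    return posixpath.normpath(path)


def _is_within(prefix: str, candidate: str) -> bool:
    """True if `candidate` equals `prefix` or lies strictly beneath it."""
    return candidate == prefix or candidate.startswith(prefix + "/")


def verify_gitlab_pages_url(owner: str, repo: str, url: str) -> bool:
    """Return True if `url` is https://<owner>.gitlab.io/<repo> or a subpath.

    Scheme and host are compared case-insensitively (DNS names are not case
    sensitive); a bare host with no path is rejected, as in the GitHub check.
    The path is tested twice: as given (after dot-segment removal) and after
    percent-decoding, so a "%2e%2e" segment cannot resolve outside the repo's
    subtree in a server that decodes before routing. Both forms must pass.
    """
    docs = urlsplit(f"https://{owner}.gitlab.io/{repo}")
    try:
        user = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal in the host
        return False

    if user.scheme.lower() != docs.scheme:
        return False
    if user.netloc.lower() != docs.netloc.lower():
        return False  # different host, userinfo or explicit port
    if not user.path:
        return False  # "https://owner.gitlab.io" alone is not the docs site

    docs_path = _normalized_path(docs.path)
    raw_path = _normalized_path(user.path)
    decoded_path = _normalized_path(unquote(user.path))
    return _is_within(docs_path, raw_path) and _is_within(docs_path, decoded_path)


# Constructed sample inputs for the pip project hosted under the pypa group.
SAMPLE_URLS = [
    "https://pypa.gitlab.io/pip",
    "https://pypa.gitlab.io/pip/",
    "https://pypa.gitlab.io/pip/stable/index.html",
    "https://PYPA.GitLab.io/pip/stable/",
    "https://pypa.gitlab.io/pip/./docs",
    "https://pypa.gitlab.io/pip/../malicious",
    "https://pypa.gitlab.io/pip/%2e%2e/malicious",
    "https://pypa.gitlab.io/pipeline",
    "https://pypa.gitlab.io",
    "http://pypa.gitlab.io/pip",
    "https://evil.gitlab.io/pip",
]


def classify(owner: str, repo: str, urls: list[str]) -> dict[str, bool]:
    """Map each candidate URL to its verification result."""
    return {u: verify_gitlab_pages_url(owner, repo, u) for u in urls}


if __name__ == "__main__":
    for url, ok in classify("pypa", "pip", SAMPLE_URLS).items():
        print(f"{'verified  ' if ok else 'rejected  '}{url}")
```

The two-sided path test is the one design choice worth noting: checking only the raw path would accept `/pip/%2e%2e/malicious` (the prefix matches textually), and checking only the decoded path would accept `/pip%2Fx`-style inputs that a server may route as a single segment outside `/pip`; requiring both forms to stay under the prefix is the conservative combination.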
@DarkaMaul DarkaMaul linked a pull request Oct 18, 2024 that will close this issue