Fail to upload package when description rendering is invalid.

mblayman · mblayman · commit ee493a661fd2 · 2018-05-14T17:55:37.000-04:00
This branch prevents a package upload if the rendered content for the description_content_type is invalid. If no description_content_type is set, 'text/x-rst' is assumed as the type. Fixes pypi#3966
diff --git a/tests/unit/forklift/test_legacy.py b/tests/unit/forklift/test_legacy.py
@@ -1003,6 +1003,62 @@ def test_fails_with_invalid_names(self, pyramid_config, db_request, name):
                                "See /the/help/url/ "
                                "for more information.").format(name)
 
+    @pytest.mark.parametrize(
+        ("description_content_type", "description", "message"), [
+            (
+                "text/x-rst",
+                ".. invalid-directive::",
+                "400 The description failed to render for 'text/x-rst'. "
+                "See /the/help/url/ for more information."
+            ),
+            (
+                "",
+                ".. invalid-directive::",
+                "400 The description failed to render for 'text/x-rst'. "
+                "See /the/help/url/ for more information."
+            ),
+        ],
+    )
+    def test_fails_invalid_render(self, pyramid_config, db_request,
+                                  description_content_type, description,
+                                  message):
+        pyramid_config.testing_securitypolicy(userid=1)
+        user = UserFactory.create()
+        EmailFactory.create(user=user)
+        db_request.user = user
+        db_request.remote_addr = "10.10.10.30"
+
+        db_request.POST = MultiDict({
+            "metadata_version": "1.2",
+            "name": "example",
+            "version": "1.0",
+            "filetype": "sdist",
+            "md5_digest": "a fake md5 digest",
+            "content": pretend.stub(
+                filename="example-1.0.tar.gz",
+                file=io.BytesIO(b"A fake file."),
+                type="application/tar",
+            ),
+            "description_content_type": description_content_type,
+            "description": description,
+        })
+
+        db_request.help_url = pretend.call_recorder(
+            lambda **kw: "/the/help/url/"
+        )
+
+        with pytest.raises(HTTPBadRequest) as excinfo:
+            legacy.file_upload(db_request)
+
+        resp = excinfo.value
+
+        assert db_request.help_url.calls == [
+            pretend.call(_anchor='project-name')
+        ]
+
+        assert resp.status_code == 400
+        assert resp.status == message
+
     @pytest.mark.parametrize("name", ["xml", "XML", "pickle", "PiCKle",
                                       "main", "future", "al", "uU", "test",
                                       "encodings.utf_8_sig",
@@ -1215,6 +1271,7 @@ def test_successful_upload(self, tmpdir, monkeypatch, pyramid_config,
             "filetype": "sdist",
             "pyversion": "source",
             "content": content,
+            "description": "an example description",
         })
         db_request.POST.extend([
             ("classifiers", "Environment :: Other Environment"),
diff --git a/warehouse/forklift/legacy.py b/warehouse/forklift/legacy.py
@@ -45,7 +45,7 @@
     Project, Release, Dependency, DependencyKind, Role, File, Filename,
     JournalEntry, BlacklistedProject,
 )
-from warehouse.utils import http
+from warehouse.utils import http, readme
 
 
 MAX_FILESIZE = 60 * 1024 * 1024  # 60M
@@ -940,6 +940,26 @@ def file_upload(request):
             )
         )
 
+    # Uploading should prevent broken rendered descriptions.
+    if form.description.data:
+        description_content_type = form.description_content_type.data
+        if not description_content_type:
+            description_content_type = 'text/x-rst'
+        rendered = readme.render(
+            form.description.data, description_content_type,
+            use_fallback=False)
+        if rendered is None:
+            raise _exc_with_message(
+                HTTPBadRequest,
+                ("The description failed to render "
+                 "for '{description_content_type}'. "
+                 "See {projecthelp} "
+                 "for more information.").format(
+                    description_content_type=description_content_type,
+                    projecthelp=request.help_url(_anchor='project-name'),
+                ),
+            ) from None
+
     try:
         canonical_version = packaging.utils.canonicalize_version(
             form.version.data
diff --git a/warehouse/utils/readme.py b/warehouse/utils/readme.py
@@ -29,7 +29,7 @@
 }
 
 
-def render(value, content_type=None):
+def render(value, content_type=None, use_fallback=True):
     if value is None:
         return value
 
@@ -45,7 +45,8 @@ def render(value, content_type=None):
     # If the content was not rendered, we'll render as plaintext instead. The
     # reason it's necessary to do this instead of just accepting plaintext is
     # that readme_renderer will deal with sanitizing the content.
-    if rendered is None:
+    # Skip the fallback option when validating that rendered output is ok.
+    if use_fallback and rendered is None:
         rendered = readme_renderer.txt.render(value)
 
     return rendered
