mirrors/uv
1
0
Fork 0
mirror of https://github.com/astral-sh/uv.git synced 2025-08-03 02:22:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Make --allow-insecure-host a global option (#8476)

Browse source 
Not verifying the certificates of certain hosts should be supported for
all kinds of HTTPS connections, so we're making it a global option, just
like native tls. This fixes the remaining places using a client but were
not configuring allow insecure host.

Fixes #6983 (i think)
Closes #6983

---------

Co-authored-by: Charlie Marsh <charlie.r.marsh@gmail.com>
This commit is contained in:
Zanie Blue 2024-11-07 14:18:13 -06:00
parent 633467576b
commit fb89b64acf
31 changed files with 711 additions and 522 deletions
Download patch file Download diff file Expand all files Collapse all files

137
crates/uv-cli/src/lib.rs
View file

@ -205,6 +205,26 @@ pub struct GlobalArgs {
#[arg(global = true, long, overrides_with("offline"), hide = true)]
pub no_offline: bool,
/// Allow insecure connections to a host.
///
/// Can be provided multiple times.
///
/// Expects to receive either a hostname (e.g., `localhost`), a host-port pair (e.g.,
/// `localhost:8080`), or a URL (e.g., `https://localhost`).
///
/// WARNING: Hosts included in this list will not be verified against the system's certificate
/// store. Only use `--allow-insecure-host` in a secure network with verified sources, as it
/// bypasses SSL verification and could expose you to MITM attacks.
#[arg(
global = true,
long,
alias = "trusted-host",
env = EnvVars::UV_INSECURE_HOST,
value_delimiter = ' ',
value_parser = parse_insecure_host,
)]
pub allow_insecure_host: Option<Vec<Maybe<TrustedHost>>>,
/// Whether to enable experimental, preview features.
///
/// Preview features may change without warning.
@ -1768,25 +1788,6 @@ pub struct PipUninstallArgs {
#[arg(long, value_enum, env = EnvVars::UV_KEYRING_PROVIDER)]
pub keyring_provider: Option<KeyringProviderType>,
/// Allow insecure connections to a host.
///
/// Can be provided multiple times.
///
/// Expects to receive either a hostname (e.g., `localhost`), a host-port pair (e.g.,
/// `localhost:8080`), or a URL (e.g., `https://localhost`).
///
/// WARNING: Hosts included in this list will not be verified against the system's certificate
/// store. Only use `--allow-insecure-host` in a secure network with verified sources, as it
/// bypasses SSL verification and could expose you to MITM attacks.
#[arg(
long,
alias = "trusted-host",
env = EnvVars::UV_INSECURE_HOST,
value_delimiter = ' ',
value_parser = parse_insecure_host,
)]
pub allow_insecure_host: Option<Vec<Maybe<TrustedHost>>>,
/// Use the system Python to uninstall packages.
///
/// By default, uv uninstalls from the virtual environment in the current working directory or
@ -2370,25 +2371,6 @@ pub struct VenvArgs {
#[arg(long, value_enum, env = EnvVars::UV_KEYRING_PROVIDER)]
pub keyring_provider: Option<KeyringProviderType>,
/// Allow insecure connections to a host.
///
/// Can be provided multiple times.
///
/// Expects to receive either a hostname (e.g., `localhost`), a host-port pair (e.g.,
/// `localhost:8080`), or a URL (e.g., `https://localhost`).
///
/// WARNING: Hosts included in this list will not be verified against the system's certificate
/// store. Only use `--allow-insecure-host` in a secure network with verified sources, as it
/// bypasses SSL verification and could expose you to MITM attacks.
#[arg(
long,
alias = "trusted-host",
env = EnvVars::UV_INSECURE_HOST,
value_delimiter = ' ',
value_parser = parse_insecure_host,
)]
pub allow_insecure_host: Option<Vec<Maybe<TrustedHost>>>,
/// Limit candidate packages to those that were uploaded prior to the given date.
///
/// Accepts both RFC 3339 timestamps (e.g., `2006-12-02T02:07:43Z`) and local dates in the same
@ -4284,26 +4266,6 @@ pub struct InstallerArgs {
)]
pub keyring_provider: Option<KeyringProviderType>,
/// Allow insecure connections to a host.
///
/// Can be provided multiple times.
///
/// Expects to receive either a hostname (e.g., `localhost`), a host-port pair (e.g.,
/// `localhost:8080`), or a URL (e.g., `https://localhost`).
///
/// WARNING: Hosts included in this list will not be verified against the system's certificate
/// store. Only use `--allow-insecure-host` in a secure network with verified sources, as it
/// bypasses SSL verification and could expose you to MITM attacks.
#[arg(
long,
alias = "trusted-host",
env = EnvVars::UV_INSECURE_HOST,
value_delimiter = ' ',
value_parser = parse_insecure_host,
help_heading = "Index options"
)]
pub allow_insecure_host: Option<Vec<Maybe<TrustedHost>>>,
/// Settings to pass to the PEP 517 build backend, specified as `KEY=VALUE` pairs.
#[arg(
long,
@ -4446,26 +4408,6 @@ pub struct ResolverArgs {
)]
pub keyring_provider: Option<KeyringProviderType>,
/// Allow insecure connections to a host.
///
/// Can be provided multiple times.
///
/// Expects to receive either a hostname (e.g., `localhost`), a host-port pair (e.g.,
/// `localhost:8080`), or a URL (e.g., `https://localhost`).
///
/// WARNING: Hosts included in this list will not be verified against the system's certificate
/// store. Only use `--allow-insecure-host` in a secure network with verified sources, as it
/// bypasses SSL verification and could expose you to MITM attacks.
#[arg(
long,
alias = "trusted-host",
env = EnvVars::UV_INSECURE_HOST,
value_delimiter = ' ',
value_parser = parse_insecure_host,
help_heading = "Index options"
)]
pub allow_insecure_host: Option<Vec<Maybe<TrustedHost>>>,
/// The strategy to use when selecting between the different compatible versions for a given
/// package requirement.
///
@ -4638,26 +4580,6 @@ pub struct ResolverInstallerArgs {
)]
pub keyring_provider: Option<KeyringProviderType>,
/// Allow insecure connections to a host.
///
/// Can be provided multiple times.
///
/// Expects to receive either a hostname (e.g., `localhost`), a host-port pair (e.g.,
/// `localhost:8080`), or a URL (e.g., `https://localhost`).
///
/// WARNING: Hosts included in this list will not be verified against the system's certificate
/// store. Only use `--allow-insecure-host` in a secure network with verified sources, as it
/// bypasses SSL verification and could expose you to MITM attacks.
#[arg(
long,
alias = "trusted-host",
env = EnvVars::UV_INSECURE_HOST,
value_delimiter = ' ',
value_parser = parse_insecure_host,
help_heading = "Index options"
)]
pub allow_insecure_host: Option<Vec<Maybe<TrustedHost>>>,
/// The strategy to use when selecting between the different compatible versions for a given
/// package requirement.
///
@ -4864,25 +4786,6 @@ pub struct PublishArgs {
#[arg(long, value_enum, env = EnvVars::UV_KEYRING_PROVIDER)]
pub keyring_provider: Option<KeyringProviderType>,
/// Allow insecure connections to a host.
///
/// Can be provided multiple times.
///
/// Expects to receive either a hostname (e.g., `localhost`), a host-port pair (e.g.,
/// `localhost:8080`), or a URL (e.g., `https://localhost`).
///
/// WARNING: Hosts included in this list will not be verified against the system's certificate
/// store. Only use `--allow-insecure-host` in a secure network with verified sources, as it
/// bypasses SSL verification and could expose you to MITM attacks.
#[arg(
long,
alias = "trusted-host",
env = EnvVars::UV_INSECURE_HOST,
value_delimiter = ' ',
value_parser = parse_insecure_host,
)]
pub allow_insecure_host: Option<Vec<Maybe<TrustedHost>>>,
/// Check an index URL for existing files to skip duplicate uploads.
///
/// This option allows retrying publishing that failed after only some, but not all files have

35
crates/uv-cli/src/options.rs
View file

@ -40,7 +40,6 @@ impl From<ResolverArgs> for PipOptions {
upgrade_package,
index_strategy,
keyring_provider,
allow_insecure_host,
resolution,
prerelease,
pre,
@ -58,12 +57,6 @@ impl From<ResolverArgs> for PipOptions {
upgrade_package: Some(upgrade_package),
index_strategy,
keyring_provider,
allow_insecure_host: allow_insecure_host.map(|allow_insecure_host| {
allow_insecure_host
.into_iter()
.filter_map(Maybe::into_option)
.collect()
}),
resolution,
prerelease: if pre {
Some(PrereleaseMode::Allow)
@ -91,7 +84,6 @@ impl From<InstallerArgs> for PipOptions {
reinstall_package,
index_strategy,
keyring_provider,
allow_insecure_host,
config_setting,
no_build_isolation,
build_isolation,
@ -107,12 +99,6 @@ impl From<InstallerArgs> for PipOptions {
reinstall_package: Some(reinstall_package),
index_strategy,
keyring_provider,
allow_insecure_host: allow_insecure_host.map(|allow_insecure_host| {
allow_insecure_host
.into_iter()
.filter_map(Maybe::into_option)
.collect()
}),
config_settings: config_setting
.map(|config_settings| config_settings.into_iter().collect::<ConfigSettings>()),
no_build_isolation: flag(no_build_isolation, build_isolation),
@ -137,7 +123,6 @@ impl From<ResolverInstallerArgs> for PipOptions {
reinstall_package,
index_strategy,
keyring_provider,
allow_insecure_host,
resolution,
prerelease,
pre,
@ -159,12 +144,6 @@ impl From<ResolverInstallerArgs> for PipOptions {
reinstall_package: Some(reinstall_package),
index_strategy,
keyring_provider,
allow_insecure_host: allow_insecure_host.map(|allow_insecure_host| {
allow_insecure_host
.into_iter()
.filter_map(Maybe::into_option)
.collect()
}),
resolution,
prerelease: if pre {
Some(PrereleaseMode::Allow)
@ -235,7 +214,6 @@ pub fn resolver_options(
upgrade_package,
index_strategy,
keyring_provider,
allow_insecure_host,
resolution,
prerelease,
pre,
@ -289,12 +267,6 @@ pub fn resolver_options(
upgrade_package: Some(upgrade_package),
index_strategy,
keyring_provider,
allow_insecure_host: allow_insecure_host.map(|allow_insecure_host| {
allow_insecure_host
.into_iter()
.filter_map(Maybe::into_option)
.collect()
}),
resolution,
prerelease: if pre {
Some(PrereleaseMode::Allow)
@ -331,7 +303,6 @@ pub fn resolver_installer_options(
reinstall_package,
index_strategy,
keyring_provider,
allow_insecure_host,
resolution,
prerelease,
pre,
@ -397,12 +368,6 @@ pub fn resolver_installer_options(
},
index_strategy,
keyring_provider,
allow_insecure_host: allow_insecure_host.map(|allow_insecure_host| {
allow_insecure_host
.into_iter()
.filter_map(Maybe::into_option)
.collect()
}),
resolution,
prerelease: if pre {
Some(PrereleaseMode::Allow)