Ambiguous version parsing in `parse_sdist_filename`

[woodruffw]

Hi there! First of all, thanks for continuing to maintain this package -- it's extremely useful 🙂

I'm one of the maintainers of pip-audit, and we had a user report some strange dependency resolution behavior: pypa/pip-audit#248

We were able to root-cause the bug down to a release of cffi (1.0.2-2) that uses the implicit post releases syntax for specifying the post-release number, rather than the canonicalized postN format. This release of cffi is published on PyPI here, without canonicalization, so it's likely that it was uploaded before PyPI began normalizing versions.

Because 1.0.2-2 contains a dash, the following body of packaging.utils.parse_sdist_filename contains an incorrect assumption and parses the source distribution name incorrectly:

def parse_sdist_filename(filename: str) -> Tuple[NormalizedName, Version]:
    if filename.endswith(".tar.gz"):
        file_stem = filename[: -len(".tar.gz")]
    elif filename.endswith(".zip"):
        file_stem = filename[: -len(".zip")]
    else:
        raise InvalidSdistFilename(
            f"Invalid sdist filename (extension must be '.tar.gz' or '.zip'):"
            f" {filename}"
        )

    # We are requiring a PEP 440 version, which cannot contain dashes,
    # so we split on the last dash.
    name_part, sep, version_part = file_stem.rpartition("-")
    if not sep:
        raise InvalidSdistFilename(f"Invalid sdist filename: {filename}")

    name = canonicalize_name(name_part)
    version = Version(version_part)
    return (name, version)

yielding:

>>> from packaging.utils import parse_sdist_filename
>>> parse_sdist_filename("cffi-1.0.2-2.tar.gz")
('cffi-1-0-2', <Version('2')>)

whereas we expected:

>>> from packaging.utils import parse_sdist_filename
>>> parse_sdist_filename("cffi-1.0.2-2.tar.gz")
('cffi', <Version('1.0.2.post2')>)

TL;DR: parse_sdist_filename shouldn't rely on the last dash as a separator between the distribution name and the version, since PEP 440 allows dashes in non-normalized versions. Parsing this correctly poses a bit of a challenge, since distribution names can also contain dashes and numbers and might even contain them in pathological ways, such as:

# package foo3, version 1.0.0.post1
foo3-1.0.0-1.tar.gz

# package foo-3, version 1.0.0.post1
foo-3-1.0.0-1.tar.gz

# package 3_3, version 1.0.0.post1
# i'm not sure this one is valid, but i can't find a countervailing spec in any of the packaging PEPs
3-3-1.0.0-1.tar.gz

[woodruffw]

(Another possible solution here is to normalize all of the current distribution releases hosted on PyPI, and emphasize that parse_sdist_filename only supports normalized PEP 440 versions. But I'm not sure about the blast radius/impact of doing so -- it would mean changing a lot of the index filenames, if not their content-addressed distribution filenames on the CDN.)

[woodruffw]

Here's the valid distribution regexp in PEP 508:

^([A-Z0-9]|[A-Z0-9][A-Z0-9._-]*[A-Z0-9])$

So 3-3 and 3_3 are valid distribution names, making 3-3-1.0.0-1.tar.gz and 3_3-1.0.0-1.tar.gz valid pre-normalized sdist filenames.

[di]

I'm not sure I would consider this to be a bug in packaging - we are assuming the filename has a normalized PEP 440 version, which technically cffi-1.0.2-2.tar.gz does, and have no way to determine that this is an implicit post release and not a project named cffi-1.0.2 with a version 2.

One thing we could do here is to allow the caller to optionally provide the distribution name they were expecting to be present, so this function could either use this as a hint during parsing, or just raise an exception when what it found isn't what was expected. I'm not sure how useful this would be broadly, though.

(Another possible solution here is to normalize all of the current distribution releases hosted on PyPI, and emphasize that parse_sdist_filename only supports normalized PEP 440 versions. But I'm not sure about the blast radius/impact of doing so -- it would mean changing a lot of the index filenames, if not their content-addressed distribution filenames on the CDN.)

Fairly unlikely we would do this, IMO.

[woodruffw]

One thing we could do here is to allow the caller to optionally provide the distribution name they were expecting to be present, so this function could either use this as a hint during parsing, or just raise an exception when what it found isn't what was expected. I'm not sure how useful this would be broadly, though.

This seems like a reasonable workaround to me, but +1 on the general usefulness concern (it's definitely useful for our needs on pip-audit, but I'm not sure about anyone else's needs).

[brettcannon]

I have opened pypa/packaging.python.org#1066 to strengthen the spec around sdist file names. That implicitly updates our docs since we reference it for what the function can parse.

[uranusjr]

For some additional information. pip is able to install the package because the Simple API also provides the project name in the URL (for cffi, the endpoint is https://pypi.org/simple/cffi/), so pip is able to “know” that the project name is cffi instead of cffi-1-0-2 and use that information to assist parsing. Perhaps parse_sdist_filename could do the same by accepting an optional second argument? (And if packaging does not, pip-audit can still add additional logic around the function to handle edge cases for compatibility.)

We should probably loop some of the cffi maintainers to inform them about this.

[woodruffw]

pip-audit can still add additional logic around the function to handle edge cases for compatibility.)

Yep, that's what we ended up doing: pypa/pip-audit#249

That suggestion otherwise sounds similar to what @di suggested in #527 (comment), which sounds good to me! I'm happy to make those changes in a PR if other consumers would find them useful 🙂