Charms can import packages not installed in venv #1077

Closed
carlcsaposs-canonical opened this issue Apr 17, 2023 · 1 comment

@carlcsaposs-canonical
Contributor

Version: 2.2.0

Steps to reproduce

  1. git clone https://github.com/carlcsaposs-canonical/charm-bug-report.git
  2. cd charm-bug-report/
  3. git checkout origin/venv-boto3
  4. charmcraft pack
  5. juju deploy ./*.charm on LXD
  6. juju debug-hooks charm-bug-report/0
  7. Wait for event to fire
  8. PYTHONVERBOSE=1 ./dispatch
  9. from urllib3.contrib.pyopenssl import orig_util_SSLContext

Expected behavior

Charms should not be able to import packages from outside venv

Actual behavior

Charms can import packages from /usr/lib/python3/dist-packages/

Snippet of output from last command:

import 'urllib3' # <_frozen_importlib_external.SourceFileLoader object at 0x7ff3c6b2db40>
# /var/lib/juju/agents/unit-charm-bug-report-0/charm/venv/urllib3/contrib/__pycache__/pyopenssl.cpython-310.pyc matches /var/lib/juju/agents/unit-charm-bug-report-0/charm/venv/urllib3/contrib/pyopenssl.py
# code object from '/var/lib/juju/agents/unit-charm-bug-report-0/charm/venv/urllib3/contrib/__pycache__/pyopenssl.cpython-310.pyc'
# /usr/lib/python3/dist-packages/OpenSSL/__pycache__/__init__.cpython-310.pyc matches /usr/lib/python3/dist-packages/OpenSSL/__init__.py
# code object from '/usr/lib/python3/dist-packages/OpenSSL/__pycache__/__init__.cpython-310.pyc'
# /usr/lib/python3/dist-packages/OpenSSL/__pycache__/crypto.cpython-310.pyc matches /usr/lib/python3/dist-packages/OpenSSL/crypto.py

Impact

One of mysql-operator's dependencies (boto3) normally uses urllib3's SSLContext, but it will override that with pyOpenSSL's SSLContext if it's available to import: https://github.com/boto/botocore/blob/fc30d05149c248d5e601bea37be422e97c5ad7ee/botocore/httpsession.py#L40-L50

pyOpenSSL is deprecated for this cryptography usage and we do not want to use it in our charm

@lengau
Collaborator

lengau commented Sep 20, 2024

An update on this:

This behaviour is not going to change in the charm plugin. However, the python and poetry plugins slated to hit in 3.3 include protections against this. The recommended fix for this will be to move to one of those.

@lengau closed this as not planned Sep 20, 2024
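
A check for the leak reported in this issue, as an added example that is not part of the issue or of charmcraft: it scans `PYTHONVERBOSE=1` output for source files loaded from a system `dist-packages` or `site-packages` directory outside the charm venv. The function name, the regular expression and the sample log (modelled on the snippet above, with one constructed standard-library line) are assumptions made for illustration.

```python
import re
from pathlib import PurePosixPath

# Venv path as it appears in the issue's output.
VENV_ROOT = "/var/lib/juju/agents/unit-charm-bug-report-0/charm/venv"

# Constructed sample: three lines shaped like the issue's snippet plus one
# standard-library line added to show that stdlib loads are not flagged.
SAMPLE_LOG = """\
# /var/lib/juju/agents/unit-charm-bug-report-0/charm/venv/urllib3/contrib/__pycache__/pyopenssl.cpython-310.pyc matches /var/lib/juju/agents/unit-charm-bug-report-0/charm/venv/urllib3/contrib/pyopenssl.py
# /usr/lib/python3/dist-packages/OpenSSL/__pycache__/__init__.cpython-310.pyc matches /usr/lib/python3/dist-packages/OpenSSL/__init__.py
# code object from '/usr/lib/python3/dist-packages/OpenSSL/__pycache__/__init__.cpython-310.pyc'
# /usr/lib/python3/dist-packages/OpenSSL/__pycache__/crypto.cpython-310.pyc matches /usr/lib/python3/dist-packages/OpenSSL/crypto.py
# /usr/lib/python3.10/__pycache__/ssl.cpython-310.pyc matches /usr/lib/python3.10/ssl.py
"""

# Verbose-import lines that name a .py source file: "<pyc> matches <py>" when
# cached bytecode is used, "code object from <py>" when it is not.
SOURCE_LINE = re.compile(
    r"^# (?:\S+ matches |code object from '?)(/\S+\.py)'?\s*$"
)
THIRD_PARTY_DIRS = {"dist-packages", "site-packages"}


def find_leaked_imports(verbose_log, venv_root):
    """Return {top-level package: [source files]} for modules imported from a
    dist-packages/site-packages directory that is not inside venv_root."""
    venv = PurePosixPath(venv_root)
    leaked = {}
    for line in verbose_log.splitlines():
        match = SOURCE_LINE.match(line)
        if not match:
            continue
        src = PurePosixPath(match.group(1))
        if venv in src.parents:
            continue  # loaded from the charm's own venv: expected
        hits = [i for i, part in enumerate(src.parts) if part in THIRD_PARTY_DIRS]
        if not hits:
            continue  # standard library or charm source, not a package dir
        top = src.parts[hits[-1] + 1]
        if top.endswith(".py"):
            top = top[:-3]  # single-file module such as six.py
        leaked.setdefault(top, []).append(str(src))
    return leaked


if __name__ == "__main__":
    for package, files in find_leaked_imports(SAMPLE_LOG, VENV_ROOT).items():
        print(f"{package}: imported from outside the venv ({len(files)} file(s))")
```

Run against the captured output of `PYTHONVERBOSE=1 ./dispatch`, a non-empty result means the charm resolved a third-party package from the host rather than from its venv.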