Merge branch '241492-check-pypi-metadata-size' into 'master'

Validate pypi required_python size

Closes #241492

See merge request gitlab-org/gitlab!40803

app/models/packages/pypi/metadatum.rb

@@ -6,6 +6,7 @@ class Packages::Pypi::Metadatum < ApplicationRecord
   belongs_to :package, -> { where(package_type: :pypi) }, inverse_of: :pypi_metadatum
 
   validates :package, presence: true
+  validates :required_python, length: { maximum: 50 }, allow_blank: true
 
   validate :pypi_package_type
 

app/services/packages/pypi/create_package_service.rb

@@ -7,11 +7,17 @@ module Packages
 
       def execute
         ::Packages::Package.transaction do
-          Packages::Pypi::Metadatum.upsert(
-            package_id: created_package.id,
+          meta = Packages::Pypi::Metadatum.new(
+            package: created_package,
             required_python: params[:requires_python]
           )
 
+          unless meta.valid?
+            raise ActiveRecord::RecordInvalid.new(meta)
+          end
+
+          Packages::Pypi::Metadatum.upsert(meta.attributes)
+
           ::Packages::CreatePackageFileService.new(created_package, file_params).execute
         end
       end

changelogs/unreleased/241492-check-pypi-metadata-size.yml

+---
+title: Validates pypi required_python size to avoid 500 error
+merge_request: 40803
+author:
+type: fixed

spec/requests/api/pypi_packages_spec.rb

@@ -117,7 +117,8 @@ RSpec.describe API::PypiPackages do
     let_it_be(:file_name) { 'package.whl' }
     let(:url) { "/projects/#{project.id}/packages/pypi" }
     let(:headers) { {} }
-    let(:base_params) { { requires_python: '>=3.7', version: '1.0.0', name: 'sample-project', sha256_digest: '123' } }
+    let(:requires_python) { '>=3.7' }
+    let(:base_params) { { requires_python: requires_python, version: '1.0.0', name: 'sample-project', sha256_digest: '123' } }
     let(:params) { base_params.merge(content: temp_file(file_name)) }
     let(:send_rewritten_field) { true }
 
@@ -169,6 +170,19 @@ RSpec.describe API::PypiPackages do
       end
     end
 
+    context 'with required_python too big' do
+      let(:requires_python) { 'x' * 51 }
+      let(:token) { personal_access_token.token }
+      let(:user_headers) { basic_auth_header(user.username, token) }
+      let(:headers) { user_headers.merge(workhorse_header) }
+
+      before do
+        project.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE)
+      end
+
+      it_behaves_like 'process PyPi api request', :developer, :bad_request, true
+    end
+
     context 'with an invalid package' do
       let(:token) { personal_access_token.token }
       let(:user_headers) { basic_auth_header(user.username, token) }

spec/services/packages/pypi/create_package_service_spec.rb

@@ -6,12 +6,14 @@ RSpec.describe Packages::Pypi::CreatePackageService do
 
   let_it_be(:project) { create(:project) }
   let_it_be(:user) { create(:user) }
-  let_it_be(:params) do
+
+  let(:requires_python) { '>=2.7' }
+  let(:params) do
     {
       name: 'foo',
       version: '1.0',
       content: temp_file('foo.tgz'),
-      requires_python: '>=2.7',
+      requires_python: requires_python,
       sha256_digest: '123',
       md5_digest: '567'
     }
@@ -37,6 +39,14 @@ RSpec.describe Packages::Pypi::CreatePackageService do
       end
     end
 
+    context 'with an invalid metadata' do
+      let(:requires_python) { 'x' * 51 }
+
+      it 'raises an error' do
+        expect { subject }.to raise_error(ActiveRecord::RecordInvalid)
+      end
+    end
+
     context 'with an existing package' do
       before do
         described_class.new(project, user, params).execute