Hackage accepts `.cabal` files with 2 `source-repository head` entries

[andreasabel]

E.g. this one: https://hackage.haskell.org/package/pipes-zlib-0.4.4.2/pipes-zlib.cabal

source-repository head
    type: git
    location: https://github.com/k0001/pipes-zlib.git

...lots of stuff...

source-repository head
  type:     git
  location: https://github.com/githubuser/twio

When you do cabal get -s pipes-zlib you see no error either, it somehow decides on one of these sources.
(Likely on the first one, because the second does not exist.)

I can see how this could maybe be exploited, tricking developers to download and run malicious code, by sneaking in an evil source-repository stanza that is overlooked. (E.g. by a malicious hackage trustee or co-uploader.)

hackage-server should not rely on cabal check or sdist catching this but refute such packages.

One wonders how such bugs arise in the first place, likely by violation of the parse don't validate principle.

[gbaz]

I don't think hackage-server should do any checking on top of cabal check -- it would be an entirely new mechanism to add. I also don't think you can add source-repository stanzas by revision?

[andreasabel]

I don't think hackage-server should do any checking on top of cabal check -- it would be an entirely new mechanism to add.

As I understand, hackage-server uses the cabal check (possibly with some configuration), so I think we should make sure the latter is correct in the version of Cabal we are linking to here.

I also don't think you can add source-repository stanzas by revision?

It looks like you can:

$ hackage-cli push-cabal pipes-zlib.cabal --incr-rev

Pushing "pipes-zlib.cabal" (pipes-zlib-0.4.4.2~1) [review-mode] ...
Hackage response was (after 0.742 secs):
Changes:

• Added source-repository

                      `source-repository head
  

  type: git
  location: https://github.com/andreasabel/black-ops