Block registration of 'ultranormalized' names (pypi#10498)

* Block registration of 'ultranormalized' names

* Create an index over ultranormalize_name

* Update warehouse/migrations/versions/d18d443f89f0_ultranormalize_name_function.py

* update help, differentiate message for ultranormalized collisions

Co-authored-by: Ee Durbin <[email protected]>

Author: 2 people

tests/unit/forklift/test_legacy.py

@@ -1043,6 +1043,57 @@ def test_fails_with_invalid_names(self, pyramid_config, db_request, name):
             "for more information."
         ).format(name)
 
+    @pytest.mark.parametrize(
+        "conflicting_name",
+        [
+            "toast1ng",
+            "toastlng",
+            "t0asting",
+            "toast-ing",
+            "toast.ing",
+            "toast_ing",
+        ],
+    )
+    def test_fails_with_ultranormalized_names(
+        self, pyramid_config, db_request, conflicting_name
+    ):
+        pyramid_config.testing_securitypolicy(userid=1)
+        user = UserFactory.create()
+        EmailFactory.create(user=user)
+        ProjectFactory.create(name="toasting")
+        db_request.user = user
+        db_request.db.flush()
+
+        db_request.POST = MultiDict(
+            {
+                "metadata_version": "1.2",
+                "name": conflicting_name,
+                "version": "1.0",
+                "filetype": "sdist",
+                "md5_digest": "a fake md5 digest",
+                "content": pretend.stub(
+                    filename=f"{conflicting_name}-1.0.tar.gz",
+                    file=io.BytesIO(_TAR_GZ_PKG_TESTDATA),
+                    type="application/tar",
+                ),
+            }
+        )
+
+        db_request.help_url = pretend.call_recorder(lambda **kw: "/the/help/url/")
+
+        with pytest.raises(HTTPBadRequest) as excinfo:
+            legacy.file_upload(db_request)
+
+        resp = excinfo.value
+
+        assert db_request.help_url.calls == [pretend.call(_anchor="project-name")]
+
+        assert resp.status_code == 400
+        assert resp.status == (
+            "400 The name {!r} is too similar to an existing project. "
+            "See /the/help/url/ for more information."
+        ).format(conflicting_name)
+
     @pytest.mark.parametrize(
         ("description_content_type", "description", "message"),
         [

warehouse/forklift/legacy.py

@@ -913,14 +913,16 @@ def file_upload(request):
                 ).format(projecthelp=request.help_url(_anchor="admin-intervention")),
             ) from None
 
-        # Before we create the project, we're going to check our prohibited names to
-        # see if this project is even allowed to be registered. If it is not,
+        # Before we create the project, we're going to check our prohibited
+        # names to see if this project name prohibited, or if the project name
+        # is a close approximation of an existing project name. If it is,
         # then we're going to deny the request to create this project.
-        if request.db.query(
+        _prohibited_name = request.db.query(
             exists().where(
                 ProhibitedProjectName.name == func.normalize_pep426_name(form.name.data)
             )
-        ).scalar():
+        ).scalar()
+        if _prohibited_name:
             raise _exc_with_message(
                 HTTPBadRequest,
                 (
@@ -932,6 +934,24 @@ def file_upload(request):
                 ),
             ) from None
 
+        _ultranormalize_collision = request.db.query(
+            exists().where(
+                func.ultranormalize_name(Project.name)
+                == func.ultranormalize_name(form.name.data)
+            )
+        ).scalar()
+        if _ultranormalize_collision:
+            raise _exc_with_message(
+                HTTPBadRequest,
+                (
+                    "The name {name!r} is too similar to an existing project. "
+                    "See {projecthelp} for more information."
+                ).format(
+                    name=form.name.data,
+                    projecthelp=request.help_url(_anchor="project-name"),
+                ),
+            ) from None
+
         # Also check for collisions with Python Standard Library modules.
         if packaging.utils.canonicalize_name(form.name.data) in STDLIB_PROHIBITED:
             raise _exc_with_message(