From b09edd10453872d11cb2064ef0249d1661be4a0d Mon Sep 17 00:00:00 2001
From: Dustin Ingram
Date: Mon, 22 Apr 2024 11:48:48 -0400
Subject: [PATCH] Handle invalid sdist filenames (#15830)

* Add a failing test
* Handle invalid sdist filenames
---
 tests/unit/forklift/test_legacy.py | 8 ++++++--
 warehouse/forklift/legacy.py | 8 +++++++-
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/tests/unit/forklift/test_legacy.py b/tests/unit/forklift/test_legacy.py
index b521c523aaeb..5903de734636 100644
--- a/tests/unit/forklift/test_legacy.py
+++ b/tests/unit/forklift/test_legacy.py
@@ -2909,6 +2909,10 @@ def storage_service_store(path, file_path, *, meta):
 "400 Invalid wheel filename (invalid version): "
 "foo-0.0.4test1-py3-none-any",
 ),
+ (
+ "something.tar.gz",
+ "400 Invalid source distribution filename: something.tar.gz",
+ ),
 ],
 )
 def test_upload_fails_with_invalid_filename(
@@ -2932,8 +2936,8 @@ def test_upload_fails_with_invalid_filename(
 "metadata_version": "1.2",
 "name": project.name,
 "version": release.version,
- "filetype": "bdist_wheel",
- "pyversion": "cp34",
+ "filetype": "bdist_wheel" if filename.endswith(".whl") else "sdist",
+ "pyversion": "cp34" if filename.endswith(".whl") else "source",
 "md5_digest": hashlib.md5(filebody).hexdigest(),
 "content": pretend.stub(
 filename=filename,
diff --git a/warehouse/forklift/legacy.py b/warehouse/forklift/legacy.py
index c09f411d2567..8485e0795154 100644
--- a/warehouse/forklift/legacy.py
+++ b/warehouse/forklift/legacy.py
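Review bot: The new parametrize case expects the 400 body to echo the uploaded filename (`400 Invalid source distribution filename: something.tar.gz`), but the handler hunk for warehouse/forklift/legacy.py later on this page builds the message as `f"Invalid source distribution filename: (unknown)"`, which carries no `{filename}` placeholder, so as shown the two sides do not agree. If `(unknown)` is a rendering artifact standing in for `{filename}`, the test is fine; otherwise the handler line should read `f"Invalid source distribution filename: {filename}",` so it mirrors the wheel branch's `400 Invalid wheel filename (...)` wording that this table already covers. Either way an f-string prefix on a literal with no placeholder deserves a second look before merge. The parametrize list this hunk extends begins outside the hunk.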
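Review bot: `filename.endswith(".whl")` is evaluated twice on adjacent keys of the same dict literal; binding it once, e.g. `is_wheel = filename.endswith(".whl")` above the dict and then `"filetype": "bdist_wheel" if is_wheel else "sdist",` / `"pyversion": "cp34" if is_wheel else "source",`, keeps both fields visibly derived from a single decision. The change also assumes every pre-existing wheel case in the parametrize table names a file ending in `.whl`; those filenames are not visible in this hunk, so that is worth confirming, since any wheel case without the suffix would now be posted as an sdist and exercise the wrong branch. The dict literal and test_upload_fails_with_invalid_filename both start outside the hunk.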
@@ -963,7 +963,13 @@ def file_upload(request):
 # enforcing this, so we permit a filename with a project name and
 # version that normalizes to be what we expect
- name, version = packaging.utils.parse_sdist_filename(filename)
+ try:
+ name, version = packaging.utils.parse_sdist_filename(filename)
+ except packaging.utils.InvalidSdistFilename:
+ raise _exc_with_message(
+ HTTPBadRequest,
+ f"Invalid source distribution filename: (unknown)",
+ )
 # The previous function fails to accomodate the edge case where
 # versions may contain hyphens, so we handle that here based on