Monkeypatch the CFFI Verifier to prevent the implicit compile

2 files changed, 25 insertions, 0 deletions

diff --git a/src/cryptography/hazmat/bindings/utils.py b/src/cryptography/hazmat/bindings/utils.py
index 55b61292..ca2d91ae 100644
--- a/src/cryptography/hazmat/bindings/utils.py
+++ b/src/cryptography/hazmat/bindings/utils.py
@@ -124,9 +124,20 @@ def build_ffi(cdef_source, verify_source, libraries=[], extra_compile_args=[],
         extra_compile_args=extra_compile_args,
         extra_link_args=extra_link_args,
     )
+
+    ffi.verifier.compile_module = _compile_module
+    ffi.verifier._compile_module = _compile_module
+
     return ffi
 
 
+def _compile_module(*args, **kwargs):
+    raise RuntimeError(
+        "Attempted implicit compile of a cffi module. All cffi modules should "
+        "be pre-compiled at installation time."
+    )
+
+
 def _create_modulename(cdef_sources, source, sys_version):
     """
     cffi creates a modulename internally that incorporates the cffi version.
diff --git a/tests/hazmat/bindings/test_utils.py b/tests/hazmat/bindings/test_utils.py
index 3596cd1d..5d5c4af5 100644
--- a/tests/hazmat/bindings/test_utils.py
+++ b/tests/hazmat/bindings/test_utils.py
@@ -13,6 +13,11 @@
 
 from __future__ import absolute_import, division, print_function
 
+import binascii
+import os
+
+import pytest
+
 from cryptography.hazmat.bindings import utils
 
 
@@ -23,3 +28,12 @@ def test_create_modulename():
     assert name == "_Cryptography_cffi_bcba7f4bx4a14b588"
     name = utils._create_modulename(cdef_source, source, "3.2")
     assert name == "_Cryptography_cffi_a7462526x4a14b588"
+
+
+def test_implicit_compile_explodes():
+    # This uses a random comment to make sure each test gets its own hash
+    random_comment = binascii.hexlify(os.urandom(24))
+    ffi = utils.build_ffi("/* %s */" % random_comment, "")
+
+    with pytest.raises(RuntimeError):
+        ffi.verifier.load_library()