Recognize "403 forbidden" error from pip command output, and classify it as "forbidden" error type #1225
for k, v := range pc.GetEnv() { | ||
if err := os.Setenv(k, v); err != nil { | ||
return err | ||
} | ||
} | ||
|
||
cmd := pc.GetCmd() | ||
errBuffer := bytes.NewBuffer([]byte{}) | ||
multiWriter := io.MultiWriter(os.Stderr, errBuffer) | ||
cmd.Stderr = multiWriter | ||
cmd.Stdout = os.Stdout | ||
|
||
err = cmd.Run() | ||
if err != nil { | ||
if buildInfoUtils.IsForbiddenOutput("pip", errBuffer.String()) { | ||
err = errors.Join(err, buildInfoUtils.NewForbiddenError()) | ||
} | ||
} |
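Review bot: The check at `buildInfoUtils.IsForbiddenOutput("pip", errBuffer.String())` relies on `errBuffer` holding all of pip's stderr, so the buffer grows without bound for the life of the command even though it is read only when `cmd.Run()` fails; a size-capped writer behind the `io.MultiWriter` would bound it. Because `errors.Join` keeps the original error next to `NewForbiddenError()`, callers have to detect the forbidden case with `errors.As` or `errors.Is` rather than a direct type assertion, which deserves a comment or a test. The two nested `if` statements can be one condition, and the `os.Setenv` loop at the top changes the environment of the whole process rather than only this command; if `cmd` is an `*exec.Cmd`, setting `cmd.Env` keeps it scoped.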
The above code should be moved into the build-info-go module. If it isn't placed there, this functionality will not work for Python when collecting build-info.
It is true that when not collecting build-info for Python, the code flow ends here and doesn't continue into build-info-go, but having this code there will allow you to invoke it from here as well.
In case we collect build info, the whole "install" execution has different logic, which apparently adds the stderr to the err returned from the execution (which was missing in case we don't collect build-info), so in this case it will work in the flow of pip install + collecting dependencies for build-info. In the security wrapper we recognize either a 403 in the error string OR a forbidden type error.
I don't want to use the same logic to run the installation command for the build info, as it can break existing behavior, which I avoided in this PR.
Description:
After running "pip " and encountering an error, we examine the output from stderr. If the output includes a "403 Forbidden", we wrap the error with a specific error type for "Forbidden 403." This error type will be recognized later by post actions, such as curation.
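The flow in the description, as an added example that is not code from this PR or from build-info-go: stderr is mirrored to the terminal and to a capped buffer, and a failing run whose stderr reports a 403 gets a sentinel error joined on so a later step can test for it with `errors.Is`. `ErrForbidden`, `tailBuffer`, `Classify`, `RunClassified`, the match pattern and the 64 KiB cap are all assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"os/exec"
	"regexp"
)

// ErrForbidden is a hypothetical sentinel for this example, not the project's error type.
var ErrForbidden = errors.New("403 forbidden")

// forbiddenRe is an assumed pattern: "403" as a whole word, then "forbidden" on the same line.
var forbiddenRe = regexp.MustCompile(`(?i)\b403\b[^\n]*forbidden`)

// tailBuffer keeps only the last max bytes written; a 403 line older than that is not seen.
type tailBuffer struct {
	max int
	buf []byte
}

func (t *tailBuffer) Write(p []byte) (int, error) {
	if t.buf = append(t.buf, p...); len(t.buf) > t.max {
		t.buf = t.buf[len(t.buf)-t.max:]
	}
	return len(p), nil
}

// Classify joins ErrForbidden onto a non-nil err when the captured stderr reports a 403.
func Classify(err error, stderr string) error {
	if err != nil && forbiddenRe.MatchString(stderr) {
		return errors.Join(err, ErrForbidden)
	}
	return err
}

// RunClassified runs cmd, mirrors its stderr to os.Stderr, and classifies a failure.
func RunClassified(cmd *exec.Cmd) error {
	tail := &tailBuffer{max: 64 << 10}
	cmd.Stdout, cmd.Stderr = os.Stdout, io.MultiWriter(os.Stderr, tail)
	err := cmd.Run() // run first, then read the buffer: argument evaluation order is unspecified
	return Classify(err, string(tail.buf))
}

func main() { // the stderr line below is constructed, not captured pip output
	err := Classify(errors.New("exit status 1"), "ERROR: 403 Client Error: Forbidden for url: https://repo.example/x\n")
	fmt.Println("forbidden:", errors.Is(err, ErrForbidden))
}
```
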