Recognize "403 forbidden" error from pip command output, and clasiffy it as "forbidden" error type #1225
Conversation
asafambar
changed the title
| for k, v := range pc.GetEnv() { | ||
| if err := os.Setenv(k, v); err != nil { | ||
| return err | ||
| } | ||
| } | ||
|
|
||
| cmd := pc.GetCmd() | ||
| errBuffer := bytes.NewBuffer([]byte{}) | ||
| multiWriter := io.MultiWriter(os.Stderr, errBuffer) | ||
| cmd.Stderr = multiWriter | ||
| cmd.Stdout = os.Stdout | ||
|
|
||
| err = cmd.Run() | ||
| if err != nil { | ||
| if buildInfoUtils.IsForbiddenOutput("pip", errBuffer.String()) { | ||
| err = errors.Join(err, buildInfoUtils.NewForbiddenError()) | ||
| } | ||
| } |
There was a problem hiding this comment.
The above code should be mioved into in the build-info-go module. If it isn't place there, this functionality will not work for Pythin when collecting build-info.
It is true that when not collecting build-info for python, the code flow ends here and doesn't continue into build-info-go, but having this code there, will allow you to invoke it from here as well.
There was a problem hiding this comment.
In case we collect build info, the whole "install" execution have different logic which apparently adding the stderr to the err returned from the execution (which was missing in case we don't collect build-info), so in this case it will work in the flow of pip install + collecting dependencies for build-info, In security wrapper we recognize either a 403 in the error string OR forbidden type error.
I don't want to use the same logic to run installation command for the build info, as it can break existing behavior, which I avoided in this PRs.
Description:
After running "pip " and encountering an error, we examine the output from stderr. If the output includes a "403 Forbidden", we wrap the error with a specific error type for "Forbidden 403." This error type will be recognized later by post actions, such as curation.