[allow-insecure] Allow insecure packages with --allow-insecure flag #1265
Changes from 7 commits
0a7a0e2
801257c
0272487
a6b65f5
be2a028
23ba95a
3fb1ac2
0599c2f
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -22,4 +22,4 @@ | |
"nixpkgs": { | ||
"commit": "3364b5b117f65fe1ce65a3cdd5612a078a3b31e3" | ||
} | ||
} | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
{ | ||
"packages": [ | ||
"nodejs@16" | ||
], | ||
"shell": { | ||
"init_hook": [ | ||
"echo 'Welcome to devbox!' > /dev/null" | ||
], | ||
"scripts": { | ||
"run_test": [ | ||
"node --version" | ||
] | ||
} | ||
} | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
{ | ||
"lockfile_version": "1", | ||
"packages": { | ||
"nodejs@16": { | ||
"allow_insecure": true, | ||
"last_modified": "2023-06-29T16:20:38Z", | ||
"resolved": "github:NixOS/nixpkgs/3c614fbc76fc152f3e1bc4b2263da6d90adf80fb#nodejs_16", | ||
"source": "devbox-search", | ||
"version": "16.20.1" | ||
} | ||
} | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -40,8 +40,19 @@ func (d *Devbox) Add(ctx context.Context, pkgsNames ...string) error { | |
|
||
// Only add packages that are not already in config. If same canonical exists, | ||
// replace it. | ||
pkgs := []*devpkg.Package{} | ||
for _, pkg := range devpkg.PackageFromStrings(lo.Uniq(pkgsNames), d.lockfile) { | ||
pkgs := devpkg.PackageFromStrings(lo.Uniq(pkgsNames), d.lockfile) | ||
for _, pkg := range pkgs { | ||
// Resolving here ensures we allow insecure before running ensurePackagesAreInstalled | ||
// which will call print-dev-env. Resolving does not save the lockfile, we | ||
// save at the end when everything has succeeded. | ||
p, err := d.lockfile.Resolve(pkg.Raw) | ||
if err != nil { | ||
return err | ||
} | ||
if d.allowInsecureAdds { | ||
p.AllowInsecure = true | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. So this will add allow insecure field to all the packages in the add command, even though some of them may not need allow insecure? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yeah. The idea is that the flag affects all packages being added in that command. e.g.
I think this is a reasonable tradeoff, otherwise we probably end up needing a new cli command e.g. |
||
} | ||
|
||
// If exact versioned package is already in the config, skip. | ||
if slices.Contains(d.cfg.Packages, pkg.Versioned()) { | ||
continue | ||
|
@@ -64,6 +75,7 @@ func (d *Devbox) Add(ctx context.Context, pkgsNames ...string) error { | |
if err == nil && ok { | ||
d.cfg.Packages = append(d.cfg.Packages, pkg.Versioned()) | ||
} else { | ||
// TODO (landau): use nix.Search to check if this package exists | ||
// fallthrough and treat package as a legacy package. | ||
d.cfg.Packages = append(d.cfg.Packages, pkg.Raw) | ||
} | ||
|
@@ -88,9 +100,7 @@ func (d *Devbox) Add(ctx context.Context, pkgsNames ...string) error { | |
} | ||
} | ||
|
||
if err := d.lockfile.Add( | ||
lo.Map(pkgs, func(pkg *devpkg.Package, _ int) string { return pkg.Raw })..., | ||
); err != nil { | ||
if err := d.lockfile.Save(); err != nil { | ||
return err | ||
} | ||
|
||
|
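Review bot: `p.AllowInsecure = true` is applied before the `slices.Contains(d.cfg.Packages, pkg.Versioned())` skip, so re-running `devbox add nodejs@16 --allow-insecure` for a package that is already in the config still flips the resolved lockfile entry (assuming `Resolve` hands back a pointer into the lockfile) and `d.lockfile.Save()` at the end persists it, while the config itself is untouched and nothing tells the user that this was the only effect. That looks like a deliberate way to retro-fit the flag, but it deserves a comment, e.g. `// Marked before the skip below on purpose: re-adding an existing package with --allow-insecure only updates its lockfile entry.`; if it is not intended, move the marking after the `continue`. Because the flag lands in devbox.lock (see the fixture with `"allow_insecure": true`), the override outlives this one command and applies to every later `devbox shell`, which is worth stating in the flag's help text. The body of Add starts before and ends after the visible hunks.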
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,56 @@ | ||
package nix | ||
|
||
import ( | ||
"encoding/json" | ||
"os" | ||
"strconv" | ||
) | ||
|
||
func EvalPackageName(path string) (string, error) { | ||
cmd := command("eval", "--raw", path+".name") | ||
out, err := cmd.Output() | ||
if err != nil { | ||
return "", err | ||
} | ||
return string(out), nil | ||
} | ||
|
||
// PackageIsInsecure is a fun little nix eval that maybe works. | ||
func PackageIsInsecure(path string) bool { | ||
cmd := command("eval", path+".meta.insecure") | ||
out, err := cmd.Output() | ||
if err != nil { | ||
// We can't know for sure, but probably not. | ||
return false | ||
} | ||
var insecure bool | ||
if err := json.Unmarshal(out, &insecure); err != nil { | ||
// We can't know for sure, but probably not. | ||
return false | ||
} | ||
return insecure | ||
} | ||
|
||
func PackageKnownVulnerabilities(path string) []string { | ||
cmd := command("eval", path+".meta.knownVulnerabilities") | ||
out, err := cmd.Output() | ||
if err != nil { | ||
// We can't know for sure, but probably not. | ||
return nil | ||
} | ||
var vulnerabilities []string | ||
if err := json.Unmarshal(out, &vulnerabilities); err != nil { | ||
// We can't know for sure, but probably not. | ||
return nil | ||
} | ||
return vulnerabilities | ||
} | ||
|
||
func AllowInsecurePackages() { | ||
os.Setenv("NIXPKGS_ALLOW_INSECURE", "1") | ||
} | ||
|
||
func IsInsecureAllowed() bool { | ||
allowed, _ := strconv.ParseBool(os.Getenv("NIXPKGS_ALLOW_INSECURE")) | ||
return allowed | ||
} |
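Review bot: `AllowInsecurePackages` sets `NIXPKGS_ALLOW_INSECURE=1` for the whole process and every nix child it spawns, and nixpkgs honors that variable for every package in the evaluation, so the per-package `allow_insecure` in the lockfile is only as fine-grained as the caller's gating of this single call — once it is set, any other insecure package that ends up in the same evaluation is silently allowed too. The call site is not visible here, so a doc comment should at least state that scope: `// AllowInsecurePackages disables nixpkgs' insecure-package check for this process and all child nix commands; it is not scoped to one package.` Relatedly, `PackageIsInsecure` and `PackageKnownVulnerabilities` fail open (an eval error is reported as "not insecure" / no vulnerabilities); that is acceptable for a hint, but the comments should say the result must not be used as a security gate, e.g. `// Best-effort only: any eval failure is reported as false, so callers must not rely on this to block packages.`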
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -10,11 +10,13 @@ import ( | |
"os" | ||
"os/exec" | ||
"path/filepath" | ||
"regexp" | ||
"runtime/trace" | ||
"strings" | ||
|
||
"github.com/pkg/errors" | ||
"go.jetpack.io/devbox/internal/boxcli/featureflag" | ||
"go.jetpack.io/devbox/internal/boxcli/usererr" | ||
|
||
"go.jetpack.io/devbox/internal/debug" | ||
) | ||
|
@@ -69,7 +71,9 @@ func (*Nix) PrintDevEnv(ctx context.Context, args *PrintDevEnvArgs) (*PrintDevEn | |
cmd.Args = append(cmd.Args, "--json") | ||
debug.Log("Running print-dev-env cmd: %s\n", cmd) | ||
data, err = cmd.Output() | ||
if err != nil { | ||
if insecure, insecureErr := isExitErrorInsecurePackage(err); insecure { | ||
return nil, insecureErr | ||
} else if err != nil { | ||
return nil, errors.Wrapf(err, "Command: %s", cmd) | ||
} | ||
|
||
|
@@ -120,6 +124,7 @@ func System() (string, error) { | |
// For Savil to debug "remove nixpkgs" feature. The Search api lacks x86-darwin info. | ||
// So, I need to fake that I am x86-linux and inspect the output in generated devbox.lock | ||
// and flake.nix files. | ||
// This is also used by unit tests. | ||
override := os.Getenv("__DEVBOX_NIX_SYSTEM") | ||
if override != "" { | ||
return override, nil | ||
|
@@ -144,3 +149,19 @@ func System() (string, error) { | |
func ProfileBinPath(projectDir string) string { | ||
return filepath.Join(projectDir, ProfilePath, "bin") | ||
} | ||
|
||
func isExitErrorInsecurePackage(err error) (bool, error) { | ||
var exitErr *exec.ExitError | ||
if errors.As(err, &exitErr) && exitErr.ExitCode() == 1 { | ||
if strings.Contains(string(exitErr.Stderr), "is marked as insecure") { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 😭 There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. yeah this is not the best. An alternative is to loop though all packages and check if any of them are insecure, that would make errors much slower so it's a tradeoff. |
||
re := regexp.MustCompile(`Package ([^ ]+)`) | ||
match := re.FindStringSubmatch(string(exitErr.Stderr)) | ||
return true, usererr.New( | ||
"Package %s is insecure. \n\n"+ | ||
"To override use `devbox add <pkg> --allow-insecure`", | ||
match[0], | ||
) | ||
} | ||
} | ||
return false, nil | ||
} |
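Review bot: `isExitErrorInsecurePackage` formats `match[0]`, which is the entire match (`Package foo`), so the user sees "Package Package foo is insecure"; the captured name is `match[1]`. Worse, when stderr contains "is marked as insecure" but no `Package <name>` token, `FindStringSubmatch` returns nil and `match[0]` panics in the error path instead of surfacing an error. The nixpkgs message, as far as I recall, wraps the name in typographic quotes, so the capture may also carry those through — verify against a real failure. The regexp should also move to package scope so it is compiled once rather than on every failed print-dev-env.
```go
var insecurePackageRe = regexp.MustCompile(`Package ([^ ]+)`)

func isExitErrorInsecurePackage(err error) (bool, error) {
	var exitErr *exec.ExitError
	if !errors.As(err, &exitErr) || exitErr.ExitCode() != 1 {
		return false, nil
	}
	stderr := string(exitErr.Stderr)
	if !strings.Contains(stderr, "is marked as insecure") {
		return false, nil
	}
	// Fall back to a generic name if nix's wording changes; never index a nil match.
	name := "<unknown>"
	if m := insecurePackageRe.FindStringSubmatch(stderr); len(m) > 1 {
		name = m[1]
	}
	return true, usererr.New(
		"Package %s is insecure. \n\n"+
			"To override use `devbox add <pkg> --allow-insecure`",
		name,
	)
}
```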
Will this error for the fallthrough case?
good catch. Will test and fix.
This works, because in the fallthrough case resolve works fine. It actually enters non-fallthrough packages twice (and then cleans it up when
lock.Tidy()
is called). I'm gonna see if I can make this better.