
fix(oci): include deny_executables.txt source into oci package (#10588)…
… (#10605)

Backport of #10588 to 2.12.

## Checklist
- [x] PR author has checked that all the criteria below are met
- The PR description includes an overview of the change
- The PR description articulates the motivation for the change
- The change includes tests OR the PR description describes a testing
strategy
- The PR description notes risks associated with the change, if any
- Newly-added code is easy to change
- The change follows the [library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
- The change includes or references documentation updates if necessary
- Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist
- [x] Reviewer has checked that all the criteria below are met
- Title is accurate
- All changes are related to the pull request's stated goal
- Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- Testing strategy adequately addresses listed risks
- Newly-added code is easy to change
- Release note makes sense to a user of the library
- If necessary, author has acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment
- Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

---------

Co-authored-by: Emmett Butler <[email protected]>
(cherry picked from commit b0df996)
brettlangdon authored Sep 10, 2024
1 parent 92a9704 commit ff992f5
Showing 7 changed files with 20 additions and 70 deletions.
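--- a/.gitlab/prepare-oci-package.sh
+++ b/.gitlab/prepare-oci-package.sh
@@ -27,10 +27,4 @@ echo -n "$PYTHON_PACKAGE_VERSION" > sources/version
 
 cp -r ../pywheels-dep/site-packages* sources/ddtrace_pkgs
 
-cp ../lib-injection/sitecustomize.py sources/
-cp ../min_compatible_versions.csv sources/
-cp ../lib-injection/telemetry-forwarder.sh sources/
-
-clean-apt install python3
-echo "Deduplicating package files"
-python3 ../lib-injection/dedupe.py sources/ddtrace_pkgs/
+cp ../lib-injection/sources/* sources/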
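Review bot: Nothing after the new `cp ../lib-injection/sources/* sources/` line verifies that the deny list actually reached the package, which is the omission this commit is fixing. The injection script changed in this commit treats a missing `denied_executables.txt` as an empty deny list (its `os.path.exists` check simply skips the read), so a later rename or move would again ship a package that applies no deny list without any build failure. I would add an explicit check right after the copy, e.g. `test -f sources/denied_executables.txt || { echo "denied_executables.txt missing from OCI sources" >&2; exit 1; }`. The glob also skips dotfiles and, without `-r`, does not copy subdirectories, which is fine only while lib-injection/sources stays flat.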
57 changes: 0 additions & 57 deletions lib-injection/dedupe.py

This file was deleted.

File renamed without changes.
File renamed without changes.
Expand Up @@ -26,6 +26,7 @@ def parse_version(version: str) -> Tuple:
return Version(parsed_version, constraint)


SCRIPT_DIR = os.path.dirname(__file__)
RUNTIMES_ALLOW_LIST = {
"cpython": {"min": parse_version("3.7"), "max": parse_version("3.13")},
}
Expand All @@ -39,8 +40,11 @@ def parse_version(version: str) -> Tuple:
PYTHON_RUNTIME = None
PKGS_ALLOW_LIST = None
EXECUTABLES_DENY_LIST = None
VERSION_COMPAT_FILE_LOCATIONS = ("../datadog-lib/min_compatible_versions.csv", "min_compatible_versions.csv")
EXECUTABLE_DENY_LOCATION = "denied_executables.txt"
VERSION_COMPAT_FILE_LOCATIONS = (
os.path.abspath(os.path.join(SCRIPT_DIR, "../datadog-lib/min_compatible_versions.csv")),
os.path.abspath(os.path.join(SCRIPT_DIR, "min_compatible_versions.csv")),
)
EXECUTABLE_DENY_LOCATION = os.path.abspath(os.path.join(SCRIPT_DIR, "denied_executables.txt"))


def build_installed_pkgs():
Expand Down Expand Up @@ -80,12 +84,15 @@ def build_min_pkgs():

def build_denied_executables():
denied_executables = set()
_log("Checking denied-executables list", level="debug")
if os.path.exists(EXECUTABLE_DENY_LOCATION):
with open(EXECUTABLE_DENY_LOCATION, "r") as denyfile:
_log("Found deny-list file", level="debug")
for line in denyfile.readlines():
cleaned = line.strip("\n")
denied_executables.add(cleaned)
denied_executables.add(os.path.basename(cleaned))
_log(f"Built denied-executables list of {len(denied_executables)} entries", level="debug")
return denied_executables


Expand Down Expand Up @@ -173,10 +180,13 @@ def package_is_compatible(package_name, package_version):


def get_first_incompatible_sysarg():
_log(f"Checking sysargs: len(argv): {len(sys.argv)}", level="debug")
if len(sys.argv) <= 1:
return
argument = sys.argv[0]
_log(f"Is argument {argument} in deny-list?", level="debug")
if argument in EXECUTABLES_DENY_LIST or os.path.basename(argument) in EXECUTABLES_DENY_LIST:
_log(f"argument {argument} is in deny-list", level="debug")
return argument


Expand All @@ -203,8 +213,7 @@ def _inject():
current_platform = "manylinux2014" if _get_clib() == "gnu" else "musllinux_1_1"
_log("detected platform %s" % current_platform, level="debug")

script_dir = os.path.dirname(__file__)
pkgs_path = os.path.join(script_dir, "ddtrace_pkgs")
pkgs_path = os.path.join(SCRIPT_DIR, "ddtrace_pkgs")
_log("ddtrace_pkgs path is %r" % pkgs_path, level="debug")
_log("ddtrace_pkgs contents: %r" % os.listdir(pkgs_path), level="debug")

Expand Down Expand Up @@ -308,8 +317,8 @@ def _inject():
# - Add the custom site-packages directory to PYTHONPATH to ensure the ddtrace package can be loaded
# - Add the ddtrace bootstrap dir to the PYTHONPATH to achieve the same effect as ddtrace-run.
python_path = os.getenv("PYTHONPATH", "").split(os.pathsep)
if script_dir in python_path:
python_path.remove(script_dir)
if SCRIPT_DIR in python_path:
python_path.remove(SCRIPT_DIR)
python_path.insert(-1, site_pkgs_path)
bootstrap_dir = os.path.abspath(os.path.dirname(ddtrace.bootstrap.sitecustomize.__file__))
python_path.insert(0, bootstrap_dir)
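Review bot: build_denied_executables still fails open when the deny-list file is absent: if `os.path.exists(EXECUTABLE_DENY_LOCATION)` is false the function returns an empty set and none of the added debug messages says so, which is the same silent condition that hid the packaging omission this commit fixes. I would add an `else:` branch that logs the resolved path, e.g. `_log(f"deny-list file not found at {EXECUTABLE_DENY_LOCATION}", level="debug")`, at a more visible level if `_log` supports one. In the same loop, `line.strip("\n")` keeps trailing spaces or `\r` and lets blank lines add `""` to the set; `cleaned = line.strip()` followed by `if not cleaned: continue` would avoid both. In get_first_incompatible_sysarg the `len(sys.argv) <= 1` early return means `sys.argv[0]` is never compared with the deny list when the process has no extra arguments; it is worth confirming that this is intended.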
File renamed without changes.
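--- a/releasenotes/notes/fix-oci-denylist-080592ca52e45681.yaml
+++ b/releasenotes/notes/fix-oci-denylist-080592ca52e45681.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+- |
+SSI: This fix ensures injection denylist is included in published OCI package.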
