
fix: block tgz #763

Merged
merged 2 commits into from
Feb 27, 2025

Conversation


@elrrrrrrr elrrrrrrr commented Feb 27, 2025

The tgz download interface does not check if the package is blocked, which may pose additional risks for parsing package-lock.json or other lock files. exp

  1. 🛡️ Add validation logic for DownloadPackageVersionTarController#download to check if the package is allowed to be downloaded.
  2. 🧶 Add PackageVersionService#findBlockInfo to check if the corresponding package is blocked.
  3. ♻️ When a single version is blocked, skip check as per the current manifest logic.

The tgz download endpoint does not check whether a package is blocked, which may carry additional risk when package-lock.json or other dependency lock files are resolved. exp

  1. 🛡️ Add validation logic to the DownloadPackageVersionTarController#download endpoint to decide whether the download is allowed.
  2. 🧶 Add PackageVersionService#findBlockInfo to check whether the corresponding package is globally blocked.
  3. ♻️ When only a single version is blocked, given the possibility of a mistaken block, follow the current manifest logic and do not intercept at tgz download time.

Summary by CodeRabbit

  • New Features

    • Enhanced the package download process with an additional block check. Now, if a package is flagged, the download will be halted and a clear error response is returned to inform users of the block.
    • Introduced a method to retrieve block information related to package versions, improving the service's capabilities.
  • Tests

    • Added new test cases to verify the blocking functionality for package downloads, ensuring the application correctly handles requests for blocked packages.
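An added illustration of the check this PR describes, written for this page rather than taken from cnpmcore: an in-memory model of a package-level block lookup and the guard in front of the tgz download. The repositories, fixtures, `getScopeAndName` helper and response body are constructed assumptions; only the names `findBlockInfo`, `download` and the 451 status come from the PR.

```typescript
// Constructed stand-in types for the package and block rows a registry would store.
type PackageRow = { packageId: string; scope: string; name: string };
type BlockRow = { packageId: string; reason: string; version?: string };

// Constructed fixtures: one package blocked outright, one with a single blocked version.
const packages: PackageRow[] = [
  { packageId: 'pkg-1', scope: '', name: 'evil-pkg' },
  { packageId: 'pkg-2', scope: '@scope', name: 'ok-pkg' },
  { packageId: 'pkg-3', scope: '', name: 'partial' },
];
const blocks: BlockRow[] = [
  { packageId: 'pkg-1', reason: 'malicious' },                    // whole package blocked
  { packageId: 'pkg-3', reason: 'bad release', version: '1.0.1' }, // one version only
];

// Split "@scope/name" into [scope, name]; unscoped packages get an empty scope.
// (Assumed helper; cnpmcore's getScopeAndName is not reproduced here.)
function getScopeAndName(fullname: string): [string, string] {
  if (fullname.startsWith('@')) {
    const idx = fullname.indexOf('/');
    return [fullname.slice(0, idx), fullname.slice(idx + 1)];
  }
  return ['', fullname];
}

// Mirrors the shape of PackageVersionService#findBlockInfo: null means "no
// package-level block found", which also covers "package does not exist", so a
// caller must not read null as "package exists and is allowed". Version-level
// blocks are deliberately ignored, matching step 3 of the PR description.
function findBlockInfo(fullname: string): BlockRow | null {
  const [scope, name] = getScopeAndName(fullname);
  const pkg = packages.find(p => p.scope === scope && p.name === name);
  if (!pkg) return null;
  return blocks.find(b => b.packageId === pkg.packageId && b.version === undefined) ?? null;
}

// Mirrors the guard added to DownloadPackageVersionTarController#download:
// a blocked package is answered with 451 before any tarball bytes are served.
function download(fullname: string, version: string): { status: number; body: string } {
  const block = findBlockInfo(fullname);
  if (block) {
    return { status: 451, body: `${fullname} was blocked, reason: ${block.reason}` };
  }
  return { status: 200, body: `tarball bytes for ${fullname}@${version}` };
}
```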

@elrrrrrrr elrrrrrrr added the bug Something isn't working label Feb 27, 2025
@elrrrrrrr elrrrrrrr requested review from fengmk2 and killagu February 27, 2025 05:42

coderabbitai bot commented Feb 27, 2025

Walkthrough

This PR introduces new dependencies and logic to handle package blocking. The PackageVersionService class now integrates repository dependencies and adds a new method for retrieving block information. The download controller has been updated to check for package blocks before downloading, and error handling is applied when a package is blocked. The test suite is expanded with scenarios that verify the blocking behavior by simulating blocked package responses with a 451 status code.

Changes

Files and change summary:

  • app/core/service/PackageVersionService.ts: Added import of PackageRepository and PackageJSONType, injected two new members (packageRepository, packageVersionBlockRepository), and introduced an async findBlockInfo(fullname: string) method.
  • app/port/controller/package/DownloadPackageVersionTar.ts: Injected new dependency PackageVersionService and modified the download method to check for blocking information. Removed the direct fetch of the package entity and added error handling for blocked packages.
  • test/port/controller/package/DownloadPackageVersionTarController.test.ts: Introduced new dependency PackageManagerService in tests and added three test cases verifying the blocked package responses (451 status) for both download() and deprecatedDownload() methods.

Possibly related PRs

  • fix: sync block #700: Relates to handling package blocks by integrating block info retrieval in the PackageSearchService, showing similar blocking logic as implemented in this PR.

Suggested reviewers

  • fengmk2
  • Beace

Poem

I'm a happy rabbit, on the code I do hop,
Adding new features, making bugs drop.
With block checks and tests, our logic is neat,
Jumping through conditions, avoiding defeat.
A few lines of code make our system complete,
Hooray for these changes — a truly joyful leap!
🐇💻

Warning

There were issues while running some tools. Please review the errors and either fix the tool’s configuration or disable the tool if it’s a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

app/port/controller/package/DownloadPackageVersionTar.ts

Oops! Something went wrong! :(

ESLint: 8.57.1

ESLint couldn't find the plugin "eslint-plugin-eggache".

(The package "eslint-plugin-eggache" was not found when loaded as a Node module from the directory "".)

It's likely that the plugin isn't installed correctly. Try reinstalling by running the following:

npm install eslint-plugin-eggache@latest --save-dev

The plugin "eslint-plugin-eggache" was referenced from the config file in ".eslintrc » eslint-config-egg/typescript » ./index.js".

If you still can't figure out the problem, please stop by https://eslint.org/chat/help to chat with the team.


📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 56135e5 and b94557e.

📒 Files selected for processing (1)
  • app/port/controller/package/DownloadPackageVersionTar.ts (3 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • app/port/controller/package/DownloadPackageVersionTar.ts
⏰ Context from checks skipped due to timeout of 90000ms (10)
  • GitHub Check: test-mysql57-fs-nfs (22, ubuntu-latest)
  • GitHub Check: test-mysql57-fs-nfs (20, ubuntu-latest)
  • GitHub Check: test-postgresql-fs-nfs (22, ubuntu-latest)
  • GitHub Check: test-mysql57-fs-nfs (18, ubuntu-latest)
  • GitHub Check: test-postgresql-fs-nfs (20, ubuntu-latest)
  • GitHub Check: test-mysql57-fs-nfs (18.20.0, ubuntu-latest)
  • GitHub Check: test-postgresql-fs-nfs (18, ubuntu-latest)
  • GitHub Check: test-postgresql-fs-nfs (18.20.0, ubuntu-latest)
  • GitHub Check: Analyze (typescript)
  • GitHub Check: Analyze (javascript)


@elrrrrrrr elrrrrrrr changed the title feat: block tgz fix: block tgz Feb 27, 2025
@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ae88145 and c6be752.

📒 Files selected for processing (3)
  • app/core/service/PackageVersionService.ts (3 hunks)
  • app/port/controller/package/DownloadPackageVersionTar.ts (3 hunks)
  • test/port/controller/package/DownloadPackageVersionTarController.test.ts (5 hunks)
🧰 Additional context used
🪛 GitHub Check: test-postgresql-fs-nfs (22, ubuntu-latest)
app/core/service/PackageVersionService.ts

[failure] 127-127:
A space is required after '['


[failure] 127-127:
A space is required before ']'

🪛 GitHub Check: test-postgresql-fs-nfs (20, ubuntu-latest)
app/core/service/PackageVersionService.ts

[failure] 127-127:
A space is required after '['


[failure] 127-127:
A space is required before ']'

🪛 GitHub Check: test-mysql57-fs-nfs (22, ubuntu-latest)
app/core/service/PackageVersionService.ts

[failure] 127-127:
A space is required after '['


[failure] 127-127:
A space is required before ']'

🪛 GitHub Check: test-mysql57-fs-nfs (20, ubuntu-latest)
app/core/service/PackageVersionService.ts

[failure] 127-127:
A space is required after '['


[failure] 127-127:
A space is required before ']'

🪛 GitHub Check: test-postgresql-fs-nfs (18, ubuntu-latest)
app/core/service/PackageVersionService.ts

[failure] 127-127:
A space is required after '['


[failure] 127-127:
A space is required before ']'

🪛 GitHub Check: test-mysql57-fs-nfs (18, ubuntu-latest)
app/core/service/PackageVersionService.ts

[failure] 127-127:
A space is required after '['


[failure] 127-127:
A space is required before ']'

🪛 GitHub Check: test-postgresql-fs-nfs (18.20.0, ubuntu-latest)
app/core/service/PackageVersionService.ts

[failure] 127-127:
A space is required after '['


[failure] 127-127:
A space is required before ']'

🪛 GitHub Check: test-mysql57-fs-nfs (18.20.0, ubuntu-latest)
app/core/service/PackageVersionService.ts

[failure] 127-127:
A space is required after '['


[failure] 127-127:
A space is required before ']'

🪛 GitHub Actions: Node.js CI
app/core/service/PackageVersionService.ts

[error] 127-127: ESLint: A space is required after '[' (array-bracket-spacing)

⏰ Context from checks skipped due to timeout of 90000ms (2)
  • GitHub Check: Analyze (typescript)
  • GitHub Check: Analyze (javascript)
🔇 Additional comments (7)
app/port/controller/package/DownloadPackageVersionTar.ts (2)

61-69: Review of block check implementation.

The implementation properly checks for package blocking before proceeding with the download. It correctly handles error messaging and sets appropriate headers.

A couple of observations:

  1. The comment "block tgz only all versions have been blocked" suggests this is a package-level block, not a version-specific block
  2. The code correctly follows the "fail fast" principle by checking for blocks early in the flow

22-22: Dependencies are properly injected.

The PackageVersionService import and injection are correctly implemented.

Also applies to: 34-35

test/port/controller/package/DownloadPackageVersionTarController.test.ts (4)

7-7: Test setup is properly prepared.

The test correctly imports and initializes the PackageManagerService. The explicit unblocking in the beforeEach setup ensures tests start with a clean state, which is good practice.

Also applies to: 12-12, 16-16, 45-45


64-70: Test case for blocking functionality is well-designed.

This test case properly verifies that a blocked package returns a 451 status code with an appropriate error message when using the main download endpoint.


353-359: Test case for blocking via deprecated download path.

This test correctly verifies the blocking functionality works with the deprecated download path.


409-415: Test case for blocking via Verdaccio-style path.

This test verifies that the blocking functionality works with the Verdaccio-style path, ensuring comprehensive coverage of all download endpoints.

app/core/service/PackageVersionService.ts (1)

8-8: Dependencies are properly imported and injected.

The required repositories are correctly imported and injected into the service.

Also applies to: 11-11, 20-24

Comment on lines 126 to 133
  async findBlockInfo(fullname: string) {
    const [scope, name] = getScopeAndName(fullname);
    const pkg = await this.packageRepository.findPackage(scope, name);
    if (!pkg) {
      return null;
    }
    return await this.packageVersionBlockRepository.findPackageBlock(pkg.packageId);
  }

🛠️ Refactor suggestion

Fix linting issues with array bracket spacing.

The implementation of findBlockInfo looks correct, but there's a linting issue with the array bracket spacing according to the static analysis and pipeline failures.

Apply this fix to resolve the linting issue:

- const [scope, name] = getScopeAndName(fullname);
+ const [ scope, name ] = getScopeAndName(fullname);
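Review bot: the bracket-spacing change is lint-only; the point worth raising on findBlockInfo itself is that its null return conflates "package not found" with "no package-level block", so the controller must not treat null as proof that the package exists and is downloadable. Note also that the method adds two sequential repository lookups (findPackage, then findPackageBlock) to every tgz download, the hottest path on a registry; if that latency matters, consider a short-lived cache keyed by packageId or a single query that resolves both in one round-trip.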

@fengmk2 fengmk2 left a comment

CI needs to be fixed.

@fengmk2 fengmk2 enabled auto-merge (squash) February 27, 2025 06:16
codecov bot commented Feb 27, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 96.43%. Comparing base (2780c53) to head (b94557e).
Report is 15 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master     #763      +/-   ##
==========================================
+ Coverage   96.33%   96.43%   +0.10%     
==========================================
  Files         191      192       +1     
  Lines       19070    19306     +236     
  Branches     2483     2526      +43     
==========================================
+ Hits        18371    18618     +247     
+ Misses        699      688      -11     

☔ View full report in Codecov by Sentry.

@fengmk2 fengmk2 merged commit 3054577 into master Feb 27, 2025
18 of 19 checks passed
@fengmk2 fengmk2 deleted the feat-block-tgz branch February 27, 2025 06:43
fengmk2 pushed a commit that referenced this pull request Feb 27, 2025
[skip ci]

## [3.74.2](v3.74.1...v3.74.2) (2025-02-27)

### Bug Fixes

* block tgz ([#763](#763)) ([3054577](3054577))
@fengmk2

fengmk2 commented Feb 27, 2025

@elrrrrrrr could you go ahead and deploy this?

Labels
bug Something isn't working
Projects
None yet