fix: improve logging around packages_to_install #269
@@ -268,6 +268,7 @@ def get_script_for_python_packages( | |||||
| # first url will be the index-url. | ||||||
| options = [f"--index-url {pip_index_urls[0]}"] | ||||||
| options.extend(f"--extra-index-url {extra_index_url}" for extra_index_url in pip_index_urls[1:]) | ||||||
| options_str = " ".join(options) | ||||||
| header_script = textwrap.dedent( | ||||||
| """ | ||||||
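Review bot: `options = [f"--index-url {pip_index_urls[0]}"]` and the `extend` line embed the raw URLs, and `options_str = " ".join(options)` carries them unescaped into a string that the next hunk interpolates into a shell script; the URL is the place to escape, e.g. `f"--index-url {shlex.quote(pip_index_urls[0])}"` and likewise for `--extra-index-url`, not the joined option (quoting a whole `--index-url URL` element would fuse flag and value into one shell word). Also, `pip_index_urls[0]` raises `IndexError` on an empty list and this hunk shows no guard; if callers can pass an empty list, check it before indexing.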
@@ -278,18 +279,29 @@ def get_script_for_python_packages( | |||||
| """ | ||||||
| ) | ||||||
| script_for_python_packages = ( | ||||||
| header_script | ||||||
| + "PIP_DISABLE_PIP_VERSION_CHECK=1 python -m pip install --quiet " | ||||||
| + "--no-warn-script-location {} --user {}".format( | ||||||
| " ".join(options), | ||||||
| packages_str, | ||||||
| ) | ||||||
| + " ||\nPIP_DISABLE_PIP_VERSION_CHECK=1 python -m pip install --quiet " | ||||||
| + "--no-warn-script-location {} {}\n".format( | ||||||
| " ".join(options), | ||||||
| packages_str, | ||||||
| ) | ||||||
| # First try per-user installation, then fall back to system-wide installation. | ||||||
| # Pip output is captured to a log file and only printed when both attempts fail; | ||||||
| # on success we emit a single concise confirmation line. | ||||||
| script_for_python_packages = header_script + textwrap.dedent( | ||||||
| f""" | ||||||
| PACKAGES="{packages_str}" | ||||||
| PIP_OPTS="{options_str}" | ||||||
Comment on lines +287 to +288
| LOG_FILE=/tmp/pip_install.log | ||||||
Member: What if /tmp directory doesn't exist, shall we just use ?
| rm -f "$LOG_FILE" | ||||||
| if PIP_DISABLE_PIP_VERSION_CHECK=1 python -m pip install --quiet \\ | ||||||
| --no-warn-script-location $PIP_OPTS --user $PACKAGES >"$LOG_FILE" 2>&1; then | ||||||
| echo "Successfully installed Python packages: $PACKAGES" | ||||||
Member: Maybe we should say?
Suggested change
| elif PIP_DISABLE_PIP_VERSION_CHECK=1 python -m pip install --quiet \\ | ||||||
| --no-warn-script-location $PIP_OPTS $PACKAGES >>"$LOG_FILE" 2>&1; then | ||||||
| echo "Successfully installed Python packages: $PACKAGES" | ||||||
Member:
Suggested change
| else | ||||||
| echo "ERROR: Failed to install Python packages: $PACKAGES" >&2 | ||||||
| cat "$LOG_FILE" >&2 | ||||||
Comment on lines +299 to +300
Contributor: shall we have exit 1 here?
Contributor (Author): I think we should, updated.
Comment on lines 292 to 300
Contributor: Looks like we overwrite the first attempt's output with the second. Can we append the second output?
Contributor (Author): Good catch, updated now
| exit 1 | ||||||
| fi | ||||||
| """ | ||||||
| ) | ||||||
| return script_for_python_packages | ||||||
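Review bot: `PACKAGES="{packages_str}"` and `PIP_OPTS="{options_str}"` interpolate caller-controlled strings into double-quoted shell assignments without escaping, and both variables are then expanded unquoted (`$PIP_OPTS --user $PACKAGES`, `$PIP_OPTS $PACKAGES`), so a `"`, `$`, backtick or `;` in a URL or package spec changes what the script runs, and the unquoted expansion additionally word-splits and glob-expands the values. Applying `shlex.quote()` on the Python side is not enough with this shape: the single quotes it emits become literal characters inside the double-quoted assignment and pip would receive a mangled URL. Consider dropping the intermediate variables and writing the quoted arguments directly on the two `pip install` lines (or `set -- <quoted args>` and then `"$@"`), so the shell interprets the quoting exactly once. Separately, `LOG_FILE=/tmp/pip_install.log` is a fixed, predictable name in a shared directory that the script `rm -f`s and then writes to; `LOG_FILE=$(mktemp) || exit 1` creates a private file with a random name (under `$TMPDIR` when set) and also answers the review question about a missing /tmp by failing explicitly instead of silently losing the log.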
Command injection vulnerability: pip_index_urls are embedded in shell options without escaping. A malicious URL like 'https://evil.com"; rm -rf / #' could break out of the quotes and execute arbitrary commands. Apply shlex.quote() to each URL when building options: options = [f"--index-url {shlex.quote(pip_index_urls[0])}"] and similarly for extra-index-url.
Good catch, tho.
@kubeflow/kubeflow-sdk-team @kubeflow/wg-pipeline-leads Do we know if we have the same CVE in KFP Client upstream?
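The command injection raised above comes from interpolating `pip_index_urls` and the package list into shell text unescaped. As an added example, not code from this PR or the project, here is one way to build the same pip command so that every argument reaches pip as exactly one word: assemble an argv list, validate the URL scheme, and render the line with `shlex.join` inline rather than through a double-quoted shell variable that is later expanded unquoted. The sample URLs, package specs and function names are constructed assumptions.

```python
import shlex
from urllib.parse import urlsplit

# Constructed sample inputs (assumptions, not values from the PR): the first
# index URL smuggles a closing double quote and a command separator, and one
# package spec contains a shell redirection character.
INDEX_URLS = [
    'https://example.invalid/simple"; echo injected #',
    "https://mirror.example.invalid/simple",
]
PACKAGES = ["requests==2.32.3", "numpy>=1.26"]


def validate_index_url(url: str) -> str:
    """Accept only http(s) URLs with a host. This is defence in depth for the
    scheme; it does not make the value shell-safe, the quoting below does."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"unsupported index URL: {url!r}")
    return url


def pip_argv(pip_index_urls, packages, user=False):
    """Assemble pip's argument vector as a list. A list element is never
    re-parsed, so a URL or package spec stays one argument whatever it holds."""
    urls = [validate_index_url(u) for u in pip_index_urls]
    argv = ["python", "-m", "pip", "install", "--quiet",
            "--no-warn-script-location", "--index-url", urls[0]]
    for extra in urls[1:]:
        argv += ["--extra-index-url", extra]
    if user:
        argv.append("--user")
    return argv + list(packages)


def pip_command_line(pip_index_urls, packages, user=False):
    """Render one shell command line for the generated script. shlex.join
    quotes every argument inline (it is ' '.join(shlex.quote(a) for a in argv)),
    so the shell interprets the quoting exactly once; nothing is stored in a
    double-quoted variable and expanded unquoted afterwards."""
    env = "PIP_DISABLE_PIP_VERSION_CHECK=1"
    return env + " " + shlex.join(pip_argv(pip_index_urls, packages, user))


def shell_words(command_line):
    """Split the rendered line the way a POSIX shell would, to confirm that
    the hostile URL is still a single word and no extra command appeared."""
    return shlex.split(command_line)
```

Generating the `--user` attempt and the system-wide fallback is then two calls with `user=True` and `user=False`, each producing a line that can be dropped into the script unchanged.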