[pull] master from DataDog:master#598
Merged
…23937)

* Harden v2 downloader: lock in delegation-agnostic contract and tighten pointer validation

The v2 TUF pointer downloader already routes every target lookup through `Updater.get_targetinfo(target_path)`, so python-tuf walks delegations on its own based on the `paths` or `path_hash_prefixes` declared in the parent Targets metadata. There is no need for the downloader to know any delegated-role name. Make that contract explicit and lock it in with tests so it can't regress when the production repository's delegation layout evolves.

Implementation:
- Document the delegation-agnostic design at the module level.
- Tighten `_validate_pointer` to reject obvious wheel_path attacks (`//` scheme bypass, `..` segments, non-canonical paths) and enforce the expected types and shapes for `digest` (64-char lowercase hex) and `length` (non-negative int, not bool).

Tests:
- Add `TestUpdaterContract` asserting `get_targetinfo` is called with the target path alone (no role kwarg, no role-prefixed path).
- Add `TestDelegationTraversal` that stands up a real signed v2-style TUF repository with one delegated targets role (over a local HTTP server) and verifies `get_pointer` resolves through both `paths` and `path_hash_prefixes` delegations without the downloader naming the role. Also verifies unmatched paths surface as `TargetNotFoundError`.
- Extend `TestMalformedPointer` with path-traversal/scheme-bypass cases, digest/length type and shape checks, a zero-length-wheel happy path, and a forward-compatibility test for unknown pointer keys.

* Add changelog entry
* Use integrations prefix for v2 pointer targets
* Version v2 pointer target namespace
* Trim v2 downloader test docstrings
* Fix v2 downloader test import order
* Extract v2 pointer target contract constants
* Use wheelsmith v2 target namespace
* Address v2 downloader review feedback
* Handle malformed non-object v2 pointers
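
The pointer checks listed in the commit message above, as an added example (not code from this PR or from the project): a hypothetical `validate_pointer` that takes an already-parsed pointer and uses the `wheel_path`, `digest` and `length` keys named in the message. The error class and the use of `posixpath.normpath` for the canonical-path check are assumptions.

```python
import posixpath
import re

# 64 lowercase hex characters, the digest shape the commit message states.
_DIGEST_RE = re.compile(r"[0-9a-f]{64}")


class MalformedPointerError(ValueError):
    """Hypothetical error type for this example."""


def validate_pointer(pointer):
    """Return (wheel_path, digest, length) or raise MalformedPointerError."""
    # A pointer that parsed as a list, string or number is malformed.
    if not isinstance(pointer, dict):
        raise MalformedPointerError("pointer must be a JSON object")

    path = pointer.get("wheel_path")
    if not isinstance(path, str) or not path:
        raise MalformedPointerError("wheel_path must be a non-empty string")
    # "//host/x" is scheme-relative: joined to a base URL it replaces the host.
    if path.startswith("//"):
        raise MalformedPointerError("wheel_path must not start with '//'")
    if ".." in path.split("/"):
        raise MalformedPointerError("wheel_path must not contain '..' segments")
    # Canonical form: normalising the path changes nothing
    # (rejects "a//b", "./a", "a/./b" and trailing slashes).
    if posixpath.normpath(path) != path:
        raise MalformedPointerError("wheel_path is not canonical")

    digest = pointer.get("digest")
    if not isinstance(digest, str) or not _DIGEST_RE.fullmatch(digest):
        raise MalformedPointerError("digest must be 64 lowercase hex characters")

    length = pointer.get("length")
    # bool is a subclass of int in Python, so True would otherwise pass as 1.
    if isinstance(length, bool) or not isinstance(length, int) or length < 0:
        raise MalformedPointerError("length must be a non-negative integer")

    # Unknown keys are ignored so a newer pointer format still validates.
    return path, digest, length
```
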

The new metric added in the agent is named `limits` with an s. Same goes for requests.

Signed-off-by: Alexandre Lavigne <alexandre.lavigne@datadoghq.com>

* Update current_milestone to 7.82.0
* Update build_agent.yaml

---------

Co-authored-by: NouemanKHAL <noueman.khalikine@datadoghq.com>

* Document Agent v7.80 windows_certificate tag flags

Expand the Tags section of the windows_certificate README to describe the six opt-in flags added in Agent v7.80 (datadog-agent#49740) and the tags each flag emits.

* Update windows_certificate/README.md

Co-authored-by: DeForest Richards <56796055+drichards-87@users.noreply.github.com>

---------

Co-authored-by: DeForest Richards <56796055+drichards-87@users.noreply.github.com>
Co-authored-by: NouemanKHAL <noueman.khalikine@datadoghq.com>

See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)