capture sensitive API calls during setuptools_build

R9295 · Jun 15, 2023 · 79a3548 · 79a3548
1 parent 8a1eea4
commit 79a3548
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 10 deletions.
diff --git a/src/pip/_internal/operations/build/metadata_legacy.py b/src/pip/_internal/operations/build/metadata_legacy.py
@@ -60,6 +60,8 @@ def generate_metadata(
 
     with build_env:
         with open_spinner("Preparing metadata (setup.py)") as spinner:
+            # to beautify
+            print("")
             try:
                 call_subprocess(
                     args,

diff --git a/src/pip/_internal/utils/setuptools_build.py b/src/pip/_internal/utils/setuptools_build.py
@@ -2,6 +2,42 @@
 import textwrap
 from typing import List, Optional, Sequence
 
+
+AUDIT_HOOK = textwrap.dedent("""'''
+def hook(event, args):
+    if event == "socket.getaddrinfo":
+        sys.stdout.write("REQUESTING " + event + " "+ str(args[0])+":"+str(args[1]) + os.linesep)
+        sys.stdout.flush()
+    elif event == "socket.connect":
+        sys.stdout.write("REQUESTING " + event + " "+ str(args[1][0])+":"+str(args[1][1]) + os.linesep)
+        sys.stdout.flush()
+    elif event == "open":
+        arg = str(args[0])
+        if ".ssh" in arg or "shadow" in arg or "passwd" in arg or ".config" in arg or '.env' in arg:
+          sys.stdout.write("REQUESTING "+ event +" "+ arg + os.linesep)
+          sys.stdout.flush()
+        else:
+          return
+    elif event == "os.system":
+        sys.stdout.write("REQUESTING: " + event+ " " + args[0].decode('utf-8') + os.linesep)
+        sys.stdout.flush()
+    elif event == "subprocess.call":
+        sys.stdout.write("REQUESTING: " + event+ " " + str(args[0]) + os.linesep)
+        sys.stdout.flush()
+    elif event == "subprocess.run":
+        sys.stdout.write("REQUESTING: " + event+ " " + str(args[0]) + os.linesep)
+        sys.stdout.flush()
+    elif event == "eval":
+        sys.stdout.write("REQUESTING: execution of arbitrary code" + os.linesep)
+        sys.stdout.flush()
+    else:
+        return
+    data = input()    
+    if data != "y":
+        sys.exit(1)
+
+sys.addaudithook(hook)
+'''""")
 # Shim to wrap setup.py invocation with setuptools
 # Note that __file__ is handled via two {!r} *and* %r, to ensure that paths on
 # Windows are correctly handled (it should be "C:\\Users" not "C:\Users").
@@ -18,7 +54,6 @@
     #     manifest_maker: standard file '-c' not found".
     # - It generates a shim setup.py, for handling setup.cfg-only projects.
     import os, sys, tokenize
-
     try:
         import setuptools
     except ImportError as error:
@@ -40,8 +75,9 @@
         filename = "<auto-generated setuptools caller>"
         setup_py_code = "from setuptools import setup; setup()"
 
+    %s
     exec(compile(setup_py_code, filename, "exec"))
-    ''' % ({!r},), "<pip-setuptools-caller>", "exec"))
+    ''' % ({!r}, {}), "<pip-setuptools-caller>", "exec"))
     """
 ).rstrip()
 
@@ -64,7 +100,7 @@ def make_setuptools_shim_args(
     args = [sys.executable]
     if unbuffered_output:
         args += ["-u"]
-    args += ["-c", _SETUPTOOLS_SHIM.format(setup_py_path)]
+    args += ["-c", _SETUPTOOLS_SHIM.format(setup_py_path, AUDIT_HOOK)]
     if global_options:
         args += global_options
     if no_user_config:

diff --git a/src/pip/_internal/utils/subprocess.py b/src/pip/_internal/utils/subprocess.py
@@ -160,26 +160,29 @@ def call_subprocess(
     if not stdout_only:
         assert proc.stdout
         assert proc.stdin
-        proc.stdin.close()
         # In this mode, stdout and stderr are in the same pipe.
         while True:
             line: str = proc.stdout.readline()
             if not line:
                 break
+            if 'REQUESTING' in line:
+                line_without_newline = line.replace('\n', '')
+                proc.stdout.flush()
+                data = input(f'Package is {line_without_newline}. (y)es or (n)o\n')
+                proc.stdin.write(data+'\n')
+                proc.stdin.flush()
+            else:
+                # Show the line immediately.
+                log_subprocess(line)
             line = line.rstrip()
             all_output.append(line + "\n")
 
-            # Show the line immediately.
-            log_subprocess(line)
-            # Update the spinner.
-            if use_spinner:
-                assert spinner
-                spinner.spin()
         try:
             proc.wait()
         finally:
             if proc.stdout:
                 proc.stdout.close()
+            proc.stdin.close()
         output = "".join(all_output)
     else:
         # In this mode, stdout and stderr are in different pipes.