kpfleming/pkg-proxy
1
0
Fork 0
forked from mirrors/pkg-proxy
Code Pull requests Activity
pkg-proxy/internal/handler/pypi.go

527 lines
15 KiB
Go
Raw Permalink Normal View History

Hello world
2026-01-20 21:52:44 +00:00
package handler
import (
"crypto/sha256"
"encoding/hex"
"encoding/json"
Fix metadata caching, 404 propagation, mirror progress, and registry stubs - ProxyCached now stores upstream Last-Modified in the cache and uses it (along with ETag) for conditional request handling, returning 304 when client validators match. Adds Content-Length to cached responses. - Handlers calling FetchOrCacheMetadata (pypi, composer, pub, nuget) now check for ErrUpstreamNotFound and return 404 instead of 502, matching the existing npm and cargo behavior. - Mirror jobs report live progress via a periodic callback while running, so API polls return real counts instead of zeroed progress. - Registry mirroring removed from CLI flags, API acceptance, README, and docs since every enumerator was a stub returning "not yet implemented". - Added tests for the conditional metadata path (ETag/If-None-Match, Last-Modified/If-Modified-Since, 304 responses, header omission).
2026-04-01 20:14:11 +01:00
"errors"
Hello world
2026-01-20 21:52:44 +00:00
"fmt"
"io"
"net/http"
"net/url"
"regexp"
"strings"
Add version cooldown to filter recently published packages Hides package versions published too recently from metadata responses, giving the community time to spot malicious releases. Configurable per-ecosystem and per-package with duration overrides. Supported for npm, PyPI, pub.dev, and Composer.
2026-03-04 19:00:31 +00:00
"time"
"github.com/git-pkgs/purl"
Hello world
2026-01-20 21:52:44 +00:00
)
const (
Apply 'go fmt' as suggested in CONTRIBUTING.md.
2026-04-18 07:43:22 -04:00
pypiUpstream = "https://pypi.org"
minWheelParts = 5 // name + version + python + abi + platform
minSubmatchParts = 2 // full match + first capture group
minPyPIPathParts = 3 // hash_prefix + hash + filename
minPythonTagLen = 2 // minimum length for a python tag (e.g., "py")
Hello world
2026-01-20 21:52:44 +00:00
)
// PyPIHandler handles PyPI registry protocol requests.
type PyPIHandler struct {
proxy *Proxy
upstreamURL string
proxyURL string
}
// NewPyPIHandler creates a new PyPI protocol handler.
func NewPyPIHandler(proxy *Proxy, proxyURL string) *PyPIHandler {
return &PyPIHandler{
proxy: proxy,
upstreamURL: pypiUpstream,
proxyURL: strings.TrimSuffix(proxyURL, "/"),
}
}
// Routes returns the HTTP handler for PyPI requests.
func (h *PyPIHandler) Routes() http.Handler {
mux := http.NewServeMux()
// Simple API (used by pip)
mux.HandleFunc("GET /simple/", h.handleSimpleIndex)
mux.HandleFunc("GET /simple/{name}/", h.handleSimplePackage)
// JSON API
mux.HandleFunc("GET /pypi/{name}/json", h.handleJSON)
mux.HandleFunc("GET /pypi/{name}/{version}/json", h.handleVersionJSON)
// Package downloads (cache these)
mux.HandleFunc("GET /packages/{path...}", h.handleDownload)
return mux
}
// handleSimpleIndex serves the simple API index.
func (h *PyPIHandler) handleSimpleIndex(w http.ResponseWriter, r *http.Request) {
// Just proxy the index through
h.proxySimple(w, r, "/simple/")
}
// handleSimplePackage serves the simple API package page with rewritten links.
func (h *PyPIHandler) handleSimplePackage(w http.ResponseWriter, r *http.Request) {
name := r.PathValue("name")
if name == "" {
http.Error(w, "invalid package name", http.StatusBadRequest)
return
}
h.proxy.Logger.Info("pypi simple request", "package", name)
upstreamURL := fmt.Sprintf("%s/simple/%s/", h.upstreamURL, name)
Add mirror command and API for selective package mirroring Add a `proxy mirror` CLI command and `/api/mirror` API endpoints that pre-populate the cache from various input sources: individual PURLs, SBOM files (CycloneDX and SPDX), or full registry enumeration. The mirror reuses the existing handler.Proxy.GetOrFetchArtifact() pipeline so cached artifacts are identical to those fetched on demand. A bounded worker pool controls download parallelism. Metadata caching is opt-in via `cache_metadata: true` in config (or PROXY_CACHE_METADATA=true). The mirror command always enables it. When enabled, upstream metadata responses are stored for offline fallback with ETag-based conditional revalidation. New internal/mirror package with Source interface, PURLSource, SBOMSource, RegistrySource, and async JobStore. New metadata_cache database table for offline metadata serving.
2026-03-19 21:06:02 +00:00
cacheKey := name + "/simple"
Hello world
2026-01-20 21:52:44 +00:00
Add mirror command and API for selective package mirroring Add a `proxy mirror` CLI command and `/api/mirror` API endpoints that pre-populate the cache from various input sources: individual PURLs, SBOM files (CycloneDX and SPDX), or full registry enumeration. The mirror reuses the existing handler.Proxy.GetOrFetchArtifact() pipeline so cached artifacts are identical to those fetched on demand. A bounded worker pool controls download parallelism. Metadata caching is opt-in via `cache_metadata: true` in config (or PROXY_CACHE_METADATA=true). The mirror command always enables it. When enabled, upstream metadata responses are stored for offline fallback with ETag-based conditional revalidation. New internal/mirror package with Source interface, PURLSource, SBOMSource, RegistrySource, and async JobStore. New metadata_cache database table for offline metadata serving.
2026-03-19 21:06:02 +00:00
body, _, err := h.proxy.FetchOrCacheMetadata(r.Context(), "pypi", cacheKey, upstreamURL, "text/html")
Hello world
2026-01-20 21:52:44 +00:00
if err != nil {
Fix metadata caching, 404 propagation, mirror progress, and registry stubs - ProxyCached now stores upstream Last-Modified in the cache and uses it (along with ETag) for conditional request handling, returning 304 when client validators match. Adds Content-Length to cached responses. - Handlers calling FetchOrCacheMetadata (pypi, composer, pub, nuget) now check for ErrUpstreamNotFound and return 404 instead of 502, matching the existing npm and cargo behavior. - Mirror jobs report live progress via a periodic callback while running, so API polls return real counts instead of zeroed progress. - Registry mirroring removed from CLI flags, API acceptance, README, and docs since every enumerator was a stub returning "not yet implemented". - Added tests for the conditional metadata path (ETag/If-None-Match, Last-Modified/If-Modified-Since, 304 responses, header omission).
2026-04-01 20:14:11 +01:00
if errors.Is(err, ErrUpstreamNotFound) {
http.Error(w, "not found", http.StatusNotFound)
return
}
Hello world
2026-01-20 21:52:44 +00:00
h.proxy.Logger.Error("upstream request failed", "error", err)
http.Error(w, "upstream request failed", http.StatusBadGateway)
return
}
Add version cooldown to filter recently published packages Hides package versions published too recently from metadata responses, giving the community time to spot malicious releases. Configurable per-ecosystem and per-package with duration overrides. Supported for npm, PyPI, pub.dev, and Composer.
2026-03-04 19:00:31 +00:00
// When cooldown is enabled, fetch JSON metadata to get version timestamps
var filteredVersions map[string]bool
if h.proxy.Cooldown != nil && h.proxy.Cooldown.Enabled() {
filteredVersions = h.fetchFilteredVersions(r, name)
}
rewritten := h.rewriteSimpleHTML(body, filteredVersions)
Hello world
2026-01-20 21:52:44 +00:00
w.Header().Set("Content-Type", "text/html")
w.WriteHeader(http.StatusOK)
_, _ = w.Write(rewritten)
}
Add version cooldown to filter recently published packages Hides package versions published too recently from metadata responses, giving the community time to spot malicious releases. Configurable per-ecosystem and per-package with duration overrides. Supported for npm, PyPI, pub.dev, and Composer.
2026-03-04 19:00:31 +00:00
// fetchFilteredVersions fetches JSON metadata and returns a set of version strings
// that should be filtered out due to cooldown.
func (h *PyPIHandler) fetchFilteredVersions(r *http.Request, name string) map[string]bool {
jsonURL := fmt.Sprintf("%s/pypi/%s/json", h.upstreamURL, name)
req, err := http.NewRequestWithContext(r.Context(), http.MethodGet, jsonURL, nil)
if err != nil {
return nil
}
req.Header.Set("Accept", "application/json")
Route handler metadata requests through Proxy.HTTPClient instead of http.DefaultClient All handler metadata and proxy requests were using http.DefaultClient directly, bypassing any timeout or transport configuration. Added an HTTPClient field to the Proxy struct with a 30-second default timeout, and updated every handler to use it for upstream HTTP requests.
2026-03-13 07:44:11 +00:00
resp, err := h.proxy.HTTPClient.Do(req)
Add version cooldown to filter recently published packages Hides package versions published too recently from metadata responses, giving the community time to spot malicious releases. Configurable per-ecosystem and per-package with duration overrides. Supported for npm, PyPI, pub.dev, and Composer.
2026-03-04 19:00:31 +00:00
if err != nil {
return nil
}
defer func() { _ = resp.Body.Close() }()
if resp.StatusCode != http.StatusOK {
return nil
}
var metadata map[string]any
if err := json.NewDecoder(resp.Body).Decode(&metadata); err != nil {
return nil
}
releases, ok := metadata["releases"].(map[string]any)
if !ok {
return nil
}
packagePURL := purl.MakePURLString("pypi", name, "")
filtered := make(map[string]bool)
for version, files := range releases {
filesArr, ok := files.([]any)
if !ok {
continue
}
publishedAt := h.newestUploadTime(filesArr)
if !publishedAt.IsZero() && !h.proxy.Cooldown.IsAllowed("pypi", packagePURL, publishedAt) {
filtered[version] = true
}
}
if len(filtered) == 0 {
return nil
}
return filtered
}
Hello world
2026-01-20 21:52:44 +00:00
// rewriteSimpleHTML rewrites package URLs in simple API HTML to point at this proxy.
Add version cooldown to filter recently published packages Hides package versions published too recently from metadata responses, giving the community time to spot malicious releases. Configurable per-ecosystem and per-package with duration overrides. Supported for npm, PyPI, pub.dev, and Composer.
2026-03-04 19:00:31 +00:00
// If filteredVersions is non-nil, links for those versions are removed entirely.
func (h *PyPIHandler) rewriteSimpleHTML(body []byte, filteredVersions map[string]bool) []byte {
// If cooldown filtering is active, remove entire <a> tags for filtered versions
if len(filteredVersions) > 0 {
// Match full anchor tags: <a ...href="...">filename</a>
linkRe := regexp.MustCompile(`<a[^>]+href="[^"]*"[^>]*>[^<]+</a>`)
body = linkRe.ReplaceAllFunc(body, func(match []byte) []byte {
// Extract filename from between tags
innerRe := regexp.MustCompile(`>([^<]+)</a>`)
innerMatch := innerRe.FindSubmatch(match)
Fix all golangci-lint issues across the codebase (#32) * Fix all golangci-lint issues across the codebase Resolve 77 lint issues reported by golangci-lint with gocritic, gocognit, gocyclo, maintidx, dupl, mnd, unparam, ireturn, goconst, and errcheck enabled. Net reduction of ~175 lines through shared helpers and deduplication. * Suppress staticcheck SA1019 for intentional deprecated field usage The Storage.Path field is deprecated but still read for backwards compatibility with existing configs that haven't migrated to the URL field.
2026-03-18 10:59:29 +00:00
if len(innerMatch) < minSubmatchParts {
Add version cooldown to filter recently published packages Hides package versions published too recently from metadata responses, giving the community time to spot malicious releases. Configurable per-ecosystem and per-package with duration overrides. Supported for npm, PyPI, pub.dev, and Composer.
2026-03-04 19:00:31 +00:00
return match
}
filename := string(innerMatch[1])
_, version := h.parseFilename(strings.TrimSpace(filename))
if version != "" && filteredVersions[version] {
return nil
}
return match
})
}
Hello world
2026-01-20 21:52:44 +00:00
// Match href attributes pointing to packages
// PyPI URLs look like: https://files.pythonhosted.org/packages/...
re := regexp.MustCompile(`href="(https://files\.pythonhosted\.org/packages/[^"]+)"`)
return re.ReplaceAllFunc(body, func(match []byte) []byte {
submatch := re.FindSubmatch(match)
Fix all golangci-lint issues across the codebase (#32) * Fix all golangci-lint issues across the codebase Resolve 77 lint issues reported by golangci-lint with gocritic, gocognit, gocyclo, maintidx, dupl, mnd, unparam, ireturn, goconst, and errcheck enabled. Net reduction of ~175 lines through shared helpers and deduplication. * Suppress staticcheck SA1019 for intentional deprecated field usage The Storage.Path field is deprecated but still read for backwards compatibility with existing configs that haven't migrated to the URL field.
2026-03-18 10:59:29 +00:00
if len(submatch) < minSubmatchParts {
Hello world
2026-01-20 21:52:44 +00:00
return match
}
origURL := string(submatch[1])
u, err := url.Parse(origURL)
if err != nil {
return match
}
newURL := fmt.Sprintf("%s/pypi/packages%s", h.proxyURL, u.Path)
return []byte(fmt.Sprintf(`href="%s"`, newURL))
})
}
// handleJSON serves the JSON API package metadata.
func (h *PyPIHandler) handleJSON(w http.ResponseWriter, r *http.Request) {
name := r.PathValue("name")
if name == "" {
http.Error(w, "invalid package name", http.StatusBadRequest)
return
}
h.proxy.Logger.Info("pypi json request", "package", name)
upstreamURL := fmt.Sprintf("%s/pypi/%s/json", h.upstreamURL, name)
Add mirror command and API for selective package mirroring Add a `proxy mirror` CLI command and `/api/mirror` API endpoints that pre-populate the cache from various input sources: individual PURLs, SBOM files (CycloneDX and SPDX), or full registry enumeration. The mirror reuses the existing handler.Proxy.GetOrFetchArtifact() pipeline so cached artifacts are identical to those fetched on demand. A bounded worker pool controls download parallelism. Metadata caching is opt-in via `cache_metadata: true` in config (or PROXY_CACHE_METADATA=true). The mirror command always enables it. When enabled, upstream metadata responses are stored for offline fallback with ETag-based conditional revalidation. New internal/mirror package with Source interface, PURLSource, SBOMSource, RegistrySource, and async JobStore. New metadata_cache database table for offline metadata serving.
2026-03-19 21:06:02 +00:00
h.proxyAndRewriteJSON(w, r, upstreamURL, name+"/json")
Hello world
2026-01-20 21:52:44 +00:00
}
// handleVersionJSON serves the JSON API version metadata.
func (h *PyPIHandler) handleVersionJSON(w http.ResponseWriter, r *http.Request) {
name := r.PathValue("name")
version := r.PathValue("version")
if name == "" || version == "" {
http.Error(w, "invalid request", http.StatusBadRequest)
return
}
h.proxy.Logger.Info("pypi version json request", "package", name, "version", version)
upstreamURL := fmt.Sprintf("%s/pypi/%s/%s/json", h.upstreamURL, name, version)
Add mirror command and API for selective package mirroring Add a `proxy mirror` CLI command and `/api/mirror` API endpoints that pre-populate the cache from various input sources: individual PURLs, SBOM files (CycloneDX and SPDX), or full registry enumeration. The mirror reuses the existing handler.Proxy.GetOrFetchArtifact() pipeline so cached artifacts are identical to those fetched on demand. A bounded worker pool controls download parallelism. Metadata caching is opt-in via `cache_metadata: true` in config (or PROXY_CACHE_METADATA=true). The mirror command always enables it. When enabled, upstream metadata responses are stored for offline fallback with ETag-based conditional revalidation. New internal/mirror package with Source interface, PURLSource, SBOMSource, RegistrySource, and async JobStore. New metadata_cache database table for offline metadata serving.
2026-03-19 21:06:02 +00:00
h.proxyAndRewriteJSON(w, r, upstreamURL, name+"/"+version)
Hello world
2026-01-20 21:52:44 +00:00
}
// proxyAndRewriteJSON fetches JSON metadata and rewrites download URLs.
Add mirror command and API for selective package mirroring Add a `proxy mirror` CLI command and `/api/mirror` API endpoints that pre-populate the cache from various input sources: individual PURLs, SBOM files (CycloneDX and SPDX), or full registry enumeration. The mirror reuses the existing handler.Proxy.GetOrFetchArtifact() pipeline so cached artifacts are identical to those fetched on demand. A bounded worker pool controls download parallelism. Metadata caching is opt-in via `cache_metadata: true` in config (or PROXY_CACHE_METADATA=true). The mirror command always enables it. When enabled, upstream metadata responses are stored for offline fallback with ETag-based conditional revalidation. New internal/mirror package with Source interface, PURLSource, SBOMSource, RegistrySource, and async JobStore. New metadata_cache database table for offline metadata serving.
2026-03-19 21:06:02 +00:00
func (h *PyPIHandler) proxyAndRewriteJSON(w http.ResponseWriter, r *http.Request, upstreamURL, cacheKey string) {
body, _, err := h.proxy.FetchOrCacheMetadata(r.Context(), "pypi", cacheKey, upstreamURL)
Hello world
2026-01-20 21:52:44 +00:00
if err != nil {
Fix metadata caching, 404 propagation, mirror progress, and registry stubs - ProxyCached now stores upstream Last-Modified in the cache and uses it (along with ETag) for conditional request handling, returning 304 when client validators match. Adds Content-Length to cached responses. - Handlers calling FetchOrCacheMetadata (pypi, composer, pub, nuget) now check for ErrUpstreamNotFound and return 404 instead of 502, matching the existing npm and cargo behavior. - Mirror jobs report live progress via a periodic callback while running, so API polls return real counts instead of zeroed progress. - Registry mirroring removed from CLI flags, API acceptance, README, and docs since every enumerator was a stub returning "not yet implemented". - Added tests for the conditional metadata path (ETag/If-None-Match, Last-Modified/If-Modified-Since, 304 responses, header omission).
2026-04-01 20:14:11 +01:00
if errors.Is(err, ErrUpstreamNotFound) {
http.Error(w, "not found", http.StatusNotFound)
return
}
Hello world
2026-01-20 21:52:44 +00:00
h.proxy.Logger.Error("upstream request failed", "error", err)
http.Error(w, "upstream request failed", http.StatusBadGateway)
return
}
rewritten, err := h.rewriteJSONMetadata(body)
if err != nil {
h.proxy.Logger.Warn("failed to rewrite metadata, proxying original", "error", err)
w.Header().Set("Content-Type", "application/json")
_, _ = w.Write(body)
return
}
w.Header().Set("Content-Type", "application/json")
_, _ = w.Write(rewritten)
}
// rewriteJSONMetadata rewrites download URLs in PyPI JSON metadata.
Add version cooldown to filter recently published packages Hides package versions published too recently from metadata responses, giving the community time to spot malicious releases. Configurable per-ecosystem and per-package with duration overrides. Supported for npm, PyPI, pub.dev, and Composer.
2026-03-04 19:00:31 +00:00
// If cooldown is enabled, versions published too recently are filtered out.
Hello world
2026-01-20 21:52:44 +00:00
func (h *PyPIHandler) rewriteJSONMetadata(body []byte) ([]byte, error) {
var metadata map[string]any
if err := json.Unmarshal(body, &metadata); err != nil {
return nil, err
}
Add version cooldown to filter recently published packages Hides package versions published too recently from metadata responses, giving the community time to spot malicious releases. Configurable per-ecosystem and per-package with duration overrides. Supported for npm, PyPI, pub.dev, and Composer.
2026-03-04 19:00:31 +00:00
packageName, _ := extractPyPIName(metadata)
packagePURL := ""
if packageName != "" {
packagePURL = purl.MakePURLString("pypi", packageName, "")
Hello world
2026-01-20 21:52:44 +00:00
}
Fix all golangci-lint issues across the codebase (#32) * Fix all golangci-lint issues across the codebase Resolve 77 lint issues reported by golangci-lint with gocritic, gocognit, gocyclo, maintidx, dupl, mnd, unparam, ireturn, goconst, and errcheck enabled. Net reduction of ~175 lines through shared helpers and deduplication. * Suppress staticcheck SA1019 for intentional deprecated field usage The Storage.Path field is deprecated but still read for backwards compatibility with existing configs that haven't migrated to the URL field.
2026-03-18 10:59:29 +00:00
h.filterAndRewriteReleases(metadata, packageName, packagePURL)
h.filterAndRewriteURLs(metadata, packagePURL)
Add version cooldown to filter recently published packages Hides package versions published too recently from metadata responses, giving the community time to spot malicious releases. Configurable per-ecosystem and per-package with duration overrides. Supported for npm, PyPI, pub.dev, and Composer.
2026-03-04 19:00:31 +00:00
Fix all golangci-lint issues across the codebase (#32) * Fix all golangci-lint issues across the codebase Resolve 77 lint issues reported by golangci-lint with gocritic, gocognit, gocyclo, maintidx, dupl, mnd, unparam, ireturn, goconst, and errcheck enabled. Net reduction of ~175 lines through shared helpers and deduplication. * Suppress staticcheck SA1019 for intentional deprecated field usage The Storage.Path field is deprecated but still read for backwards compatibility with existing configs that haven't migrated to the URL field.
2026-03-18 10:59:29 +00:00
return json.Marshal(metadata)
}
// filterAndRewriteReleases applies cooldown filtering and URL rewriting to the
// releases map in PyPI metadata.
func (h *PyPIHandler) filterAndRewriteReleases(metadata map[string]any, packageName, packagePURL string) {
releases, ok := metadata["releases"].(map[string]any)
if !ok {
return
}
for version, files := range releases {
if h.shouldFilterRelease(packagePURL, files) {
h.proxy.Logger.Info("cooldown: filtering pypi version",
"package", packageName, "version", version)
delete(releases, version)
continue
Hello world
2026-01-20 21:52:44 +00:00
}
Fix all golangci-lint issues across the codebase (#32) * Fix all golangci-lint issues across the codebase Resolve 77 lint issues reported by golangci-lint with gocritic, gocognit, gocyclo, maintidx, dupl, mnd, unparam, ireturn, goconst, and errcheck enabled. Net reduction of ~175 lines through shared helpers and deduplication. * Suppress staticcheck SA1019 for intentional deprecated field usage The Storage.Path field is deprecated but still read for backwards compatibility with existing configs that haven't migrated to the URL field.
2026-03-18 10:59:29 +00:00
h.rewriteFileEntries(files)
Hello world
2026-01-20 21:52:44 +00:00
}
Fix all golangci-lint issues across the codebase (#32) * Fix all golangci-lint issues across the codebase Resolve 77 lint issues reported by golangci-lint with gocritic, gocognit, gocyclo, maintidx, dupl, mnd, unparam, ireturn, goconst, and errcheck enabled. Net reduction of ~175 lines through shared helpers and deduplication. * Suppress staticcheck SA1019 for intentional deprecated field usage The Storage.Path field is deprecated but still read for backwards compatibility with existing configs that haven't migrated to the URL field.
2026-03-18 10:59:29 +00:00
}
Hello world
2026-01-20 21:52:44 +00:00
Fix all golangci-lint issues across the codebase (#32) * Fix all golangci-lint issues across the codebase Resolve 77 lint issues reported by golangci-lint with gocritic, gocognit, gocyclo, maintidx, dupl, mnd, unparam, ireturn, goconst, and errcheck enabled. Net reduction of ~175 lines through shared helpers and deduplication. * Suppress staticcheck SA1019 for intentional deprecated field usage The Storage.Path field is deprecated but still read for backwards compatibility with existing configs that haven't migrated to the URL field.
2026-03-18 10:59:29 +00:00
// shouldFilterRelease returns true if a release should be excluded due to cooldown.
func (h *PyPIHandler) shouldFilterRelease(packagePURL string, files any) bool {
if h.proxy.Cooldown == nil || !h.proxy.Cooldown.Enabled() || packagePURL == "" {
return false
}
filesArr, ok := files.([]any)
if !ok {
return false
}
publishedAt := h.newestUploadTime(filesArr)
return !publishedAt.IsZero() && !h.proxy.Cooldown.IsAllowed("pypi", packagePURL, publishedAt)
}
// rewriteFileEntries rewrites URLs in a list of file entries.
func (h *PyPIHandler) rewriteFileEntries(files any) {
filesArr, ok := files.([]any)
if !ok {
return
}
for _, f := range filesArr {
if fmap, ok := f.(map[string]any); ok {
h.rewriteURLEntry(fmap)
Add version cooldown to filter recently published packages Hides package versions published too recently from metadata responses, giving the community time to spot malicious releases. Configurable per-ecosystem and per-package with duration overrides. Supported for npm, PyPI, pub.dev, and Composer.
2026-03-04 19:00:31 +00:00
}
Fix all golangci-lint issues across the codebase (#32) * Fix all golangci-lint issues across the codebase Resolve 77 lint issues reported by golangci-lint with gocritic, gocognit, gocyclo, maintidx, dupl, mnd, unparam, ireturn, goconst, and errcheck enabled. Net reduction of ~175 lines through shared helpers and deduplication. * Suppress staticcheck SA1019 for intentional deprecated field usage The Storage.Path field is deprecated but still read for backwards compatibility with existing configs that haven't migrated to the URL field.
2026-03-18 10:59:29 +00:00
}
}
Add version cooldown to filter recently published packages Hides package versions published too recently from metadata responses, giving the community time to spot malicious releases. Configurable per-ecosystem and per-package with duration overrides. Supported for npm, PyPI, pub.dev, and Composer.
2026-03-04 19:00:31 +00:00
Fix all golangci-lint issues across the codebase (#32) * Fix all golangci-lint issues across the codebase Resolve 77 lint issues reported by golangci-lint with gocritic, gocognit, gocyclo, maintidx, dupl, mnd, unparam, ireturn, goconst, and errcheck enabled. Net reduction of ~175 lines through shared helpers and deduplication. * Suppress staticcheck SA1019 for intentional deprecated field usage The Storage.Path field is deprecated but still read for backwards compatibility with existing configs that haven't migrated to the URL field.
2026-03-18 10:59:29 +00:00
// filterAndRewriteURLs applies cooldown filtering and URL rewriting to the
// urls array (current version files) in PyPI metadata.
func (h *PyPIHandler) filterAndRewriteURLs(metadata map[string]any, packagePURL string) {
urls, ok := metadata["urls"].([]any)
if !ok {
return
}
if h.shouldFilterRelease(packagePURL, urls) {
metadata["urls"] = []any{}
}
if urls, ok := metadata["urls"].([]any); ok {
for _, u := range urls {
if umap, ok := u.(map[string]any); ok {
h.rewriteURLEntry(umap)
Add version cooldown to filter recently published packages Hides package versions published too recently from metadata responses, giving the community time to spot malicious releases. Configurable per-ecosystem and per-package with duration overrides. Supported for npm, PyPI, pub.dev, and Composer.
2026-03-04 19:00:31 +00:00
}
}
}
Hello world
2026-01-20 21:52:44 +00:00
}
Add version cooldown to filter recently published packages Hides package versions published too recently from metadata responses, giving the community time to spot malicious releases. Configurable per-ecosystem and per-package with duration overrides. Supported for npm, PyPI, pub.dev, and Composer.
2026-03-04 19:00:31 +00:00
// extractPyPIName extracts the package name from PyPI JSON metadata.
func extractPyPIName(metadata map[string]any) (string, bool) {
info, ok := metadata["info"].(map[string]any)
if !ok {
return "", false
}
name, ok := info["name"].(string)
return name, ok
}
// newestUploadTime returns the most recent upload_time_iso_8601 from a list of file entries.
func (h *PyPIHandler) newestUploadTime(files []any) time.Time {
var newest time.Time
for _, f := range files {
fmap, ok := f.(map[string]any)
if !ok {
continue
}
ts, ok := fmap["upload_time_iso_8601"].(string)
if !ok {
continue
}
t, err := time.Parse(time.RFC3339, ts)
if err != nil {
continue
}
if t.After(newest) {
newest = t
}
}
return newest
}
Hello world
2026-01-20 21:52:44 +00:00
// rewriteURLEntry rewrites a single URL entry in PyPI metadata.
func (h *PyPIHandler) rewriteURLEntry(entry map[string]any) {
urlStr, ok := entry["url"].(string)
if !ok {
return
}
u, err := url.Parse(urlStr)
if err != nil {
return
}
// Only rewrite pythonhosted.org URLs
if u.Host == "files.pythonhosted.org" {
newURL := fmt.Sprintf("%s/pypi/packages%s", h.proxyURL, u.Path)
entry["url"] = newURL
}
}
// handleDownload serves a package file, fetching and caching from upstream if needed.
func (h *PyPIHandler) handleDownload(w http.ResponseWriter, r *http.Request) {
path := r.PathValue("path")
if path == "" {
http.Error(w, "invalid path", http.StatusBadRequest)
return
}
// Path format: /packages/{hash_prefix}/{hash}/{filename}
// e.g., /packages/ab/cd/abc123.../requests-2.31.0.tar.gz
parts := strings.Split(path, "/")
Fix all golangci-lint issues across the codebase (#32) * Fix all golangci-lint issues across the codebase Resolve 77 lint issues reported by golangci-lint with gocritic, gocognit, gocyclo, maintidx, dupl, mnd, unparam, ireturn, goconst, and errcheck enabled. Net reduction of ~175 lines through shared helpers and deduplication. * Suppress staticcheck SA1019 for intentional deprecated field usage The Storage.Path field is deprecated but still read for backwards compatibility with existing configs that haven't migrated to the URL field.
2026-03-18 10:59:29 +00:00
if len(parts) < minPyPIPathParts {
Hello world
2026-01-20 21:52:44 +00:00
http.Error(w, "invalid path", http.StatusBadRequest)
return
}
filename := parts[len(parts)-1]
name, version := h.parseFilename(filename)
if name == "" {
// Can't determine name/version, use hash as identifier
name = fmt.Sprintf("_hash_%s", hashPath(path))
version = "0"
}
h.proxy.Logger.Info("pypi download request",
"name", name, "version", version, "filename", filename)
Fix paths for files.pythonhosted.org (#50) The URLs constructed for downloading package assets from PyPI had 'packages' twice, resulting in 404s.
2026-04-01 09:58:08 -04:00
// Construct upstream URL; the incoming path starts with
// '/packages' so there is no need to include it in the format
// string
upstreamURL := fmt.Sprintf("https://files.pythonhosted.org/%s", path)
Hello world
2026-01-20 21:52:44 +00:00
result, err := h.proxy.GetOrFetchArtifactFromURL(r.Context(), "pypi", name, version, filename, upstreamURL)
if err != nil {
h.proxy.Logger.Error("failed to get artifact", "error", err)
http.Error(w, "failed to fetch package", http.StatusBadGateway)
return
}
ServeArtifact(w, result)
}
// parseFilename extracts package name and version from a PyPI filename.
// Handles both wheels and sdists:
// - requests-2.31.0-py3-none-any.whl
// - requests-2.31.0.tar.gz
func (h *PyPIHandler) parseFilename(filename string) (name, version string) {
// Try wheel format first: {name}-{version}(-{build})?-{python}-{abi}-{platform}.whl
if strings.HasSuffix(filename, ".whl") {
base := strings.TrimSuffix(filename, ".whl")
parts := strings.Split(base, "-")
Fix all golangci-lint issues across the codebase (#32) * Fix all golangci-lint issues across the codebase Resolve 77 lint issues reported by golangci-lint with gocritic, gocognit, gocyclo, maintidx, dupl, mnd, unparam, ireturn, goconst, and errcheck enabled. Net reduction of ~175 lines through shared helpers and deduplication. * Suppress staticcheck SA1019 for intentional deprecated field usage The Storage.Path field is deprecated but still read for backwards compatibility with existing configs that haven't migrated to the URL field.
2026-03-18 10:59:29 +00:00
if len(parts) >= minWheelParts {
Hello world
2026-01-20 21:52:44 +00:00
// Find where version ends (version followed by python tag)
for i := 1; i < len(parts)-2; i++ {
// Check if this looks like a python tag (py2, py3, cp39, etc)
if isPythonTag(parts[i]) {
name = strings.Join(parts[:i-1], "-")
version = parts[i-1]
return
}
}
}
}
// Try sdist formats: {name}-{version}.tar.gz, {name}-{version}.zip
for _, ext := range []string{".tar.gz", ".tar.bz2", ".zip", ".tar"} {
if strings.HasSuffix(filename, ext) {
base := strings.TrimSuffix(filename, ext)
// Find last hyphen followed by version
for i := len(base) - 1; i >= 0; i-- {
if base[i] == '-' && i+1 < len(base) && isVersionStart(base[i+1]) {
return base[:i], base[i+1:]
}
}
}
}
return "", ""
}
func isPythonTag(s string) bool {
Fix all golangci-lint issues across the codebase (#32) * Fix all golangci-lint issues across the codebase Resolve 77 lint issues reported by golangci-lint with gocritic, gocognit, gocyclo, maintidx, dupl, mnd, unparam, ireturn, goconst, and errcheck enabled. Net reduction of ~175 lines through shared helpers and deduplication. * Suppress staticcheck SA1019 for intentional deprecated field usage The Storage.Path field is deprecated but still read for backwards compatibility with existing configs that haven't migrated to the URL field.
2026-03-18 10:59:29 +00:00
if len(s) < minPythonTagLen {
Hello world
2026-01-20 21:52:44 +00:00
return false
}
// Python tags start with py, cp, pp, ip, jy
prefixes := []string{"py", "cp", "pp", "ip", "jy"}
for _, p := range prefixes {
if strings.HasPrefix(s, p) {
return true
}
}
return false
}
func isVersionStart(c byte) bool {
return c >= '0' && c <= '9'
}
func hashPath(path string) string {
h := sha256.Sum256([]byte(path))
return hex.EncodeToString(h[:8])
}
// proxySimple proxies a simple API request.
func (h *PyPIHandler) proxySimple(w http.ResponseWriter, r *http.Request, path string) {
upstreamURL := h.upstreamURL + path
req, err := http.NewRequestWithContext(r.Context(), http.MethodGet, upstreamURL, nil)
if err != nil {
http.Error(w, "failed to create request", http.StatusInternalServerError)
return
}
req.Header.Set("Accept", "text/html")
Route handler metadata requests through Proxy.HTTPClient instead of http.DefaultClient All handler metadata and proxy requests were using http.DefaultClient directly, bypassing any timeout or transport configuration. Added an HTTPClient field to the Proxy struct with a 30-second default timeout, and updated every handler to use it for upstream HTTP requests.
2026-03-13 07:44:11 +00:00
resp, err := h.proxy.HTTPClient.Do(req)
Hello world
2026-01-20 21:52:44 +00:00
if err != nil {
h.proxy.Logger.Error("upstream request failed", "error", err)
http.Error(w, "upstream request failed", http.StatusBadGateway)
return
}
defer func() { _ = resp.Body.Close() }()
for k, vv := range resp.Header {
for _, v := range vv {
w.Header().Add(k, v)
}
}
w.WriteHeader(resp.StatusCode)
_, _ = io.Copy(w, resp.Body)
}
Copy permalink