Add dependency auto download downloader logic#1094
Merged
Conversation
jamOne-
requested changes
Mar 3, 2026
jamOne-
left a comment
Collaborator
There was a problem hiding this comment.
Should we fix anything from this list? Maybe 4. Security one?
Gemini review:
Review Report
-
Verdict: Request Changes
-
Action Items:
- [Network & Error Handling] Missing Timeout and OSError Handling:
- Issue:
urllib.request.urlopen(url)lacks atimeoutparameter. If a server accepts a connection but stops responding, the tool will hang indefinitely. Also, network drops during stream reading (shutil.copyfileobj) can raiseOSError(e.g.,ConnectionResetError) whichURLErrordoes not catch. - Fix: Provide a reasonable timeout (e.g.,
urlopen(url, timeout=30)) and explicitly catchOSErroralongsideURLErrorin_download_file().
- Issue:
- [Concurrency] Prevent
Text File BusyErrors:- Issue:
shutil.movein_install_binary()attempts to overwrite the existing binary. If the current binary is currently executing (by the user or another process), Linux will throwOSError: [Errno 26] Text file busy. - Fix: Remove the existing file before overwriting. Call
target_path.unlink(missing_ok=True)beforeshutil.move(src_path, target_path).
- Issue:
- [Logic] Inexact Archive Matching:
- Issue:
_process_downloaded_file()usesrglob()to find the extracted binary. This can return directories sharing the same name or multiple files in unpredictable orders (e.g., if there's adocs/craneandbin/cranewithin the archive). - Fix: Filter
matchesto ensure they are strictly files ([m for m in matches if m.is_file()]) and add a sanity check (if len(matches) > 1) to fail explicitly or warn, rather than silently picking a random match.
- Issue:
- [Security] Archive Extraction Path Traversal:
- Issue:
shutil.unpack_archiveextracts files exactly as they are in the archive, which leaves the tool theoretically vulnerable to path traversal (Zip Slip / Tar Slip) if the checksum were ever compromised. It will also likely be flagged in static analysis tools like Bandit. - Fix: If Python >= 3.12 is used, pass
shutil.unpack_archive(..., filter='data')to natively enforce safe path extraction.
- Issue:
- [Robustness] Case-Insensitive Checksum Match:
- Issue:
hashlib.sha256().hexdigest()always returns lowercase characters. If an uppercase checksum is ever pasted intobinary_dependencies.pyin the future, validation will incorrectly fail. - Fix: In
_verify_checksum(), safely compare usingsha256.hexdigest() == expected_checksum.lower().
- Issue:
- [Network & Error Handling] Missing Timeout and OSError Handling:
-
Overall Impression: The logic is well-structured and properly abstracts dependency fetching into a clean set of modular functions. With a few defensive programming fixes to harden network volatility, file extraction paths, and prevent active execution races, this implementation will be highly robust.
jamOne-
approved these changes
Mar 4, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Add
downloader.pyscript that will download a dependency.Issue
b/489307581
Testing
Unit testing.