fix: add security checks and tests for code review

Security: - Add authorization checks to list_packages, update_package, delete_package endpoints - Add MAX_TOTAL_ARTIFACTS limit (1000) to prevent memory exhaustion during dependency resolution - Add TooManyArtifactsError exception for proper error handling UI: - Display reverse dependency errors in PackagePage - Add warning display for failed dependency fetches in DependencyGraph Tests: - Add unit tests for metadata extraction (deb, wheel, tarball, jar) - Add unit tests for rate limit configuration - Add unit tests for PyPI registry client
2026-02-04 16:19:16 -06:00
parent 1389a03c69
commit 262aff6e97
8 changed files with 649 additions and 13 deletions
--- a/backend/app/dependencies.py
+++ b/backend/app/dependencies.py
@@ -109,9 +109,17 @@ class DependencyDepthExceededError(DependencyError):
        super().__init__(f"Dependency resolution exceeded maximum depth of {max_depth}")


+class TooManyArtifactsError(DependencyError):
+    """Raised when dependency resolution resolves too many artifacts."""
+    def __init__(self, max_artifacts: int):
+        self.max_artifacts = max_artifacts
+        super().__init__(f"Dependency resolution exceeded maximum of {max_artifacts} artifacts")
+
+
 # Safety limits to prevent DoS attacks
 MAX_DEPENDENCY_DEPTH = 100  # Maximum levels of nested dependencies
 MAX_DEPENDENCIES_PER_ARTIFACT = 200  # Maximum direct dependencies per artifact
+MAX_TOTAL_ARTIFACTS = 1000  # Maximum total artifacts in resolution to prevent memory issues


 def parse_ensure_file(content: bytes) -> EnsureFileContent:
@@ -849,6 +857,10 @@ def resolve_dependencies(
        visited.add(artifact_id)
        resolution_path_sync.pop()

+        # Check total artifacts limit
+        if len(resolution_order) >= MAX_TOTAL_ARTIFACTS:
+            raise TooManyArtifactsError(MAX_TOTAL_ARTIFACTS)
+
        # Add to resolution order (dependencies before dependents)
        resolution_order.append(artifact_id)

@@ -1257,6 +1269,10 @@ async def resolve_dependencies_with_fetch(
        visited.add(artifact_id)
        resolution_path.pop()

+        # Check total artifacts limit
+        if len(resolution_order) >= MAX_TOTAL_ARTIFACTS:
+            raise TooManyArtifactsError(MAX_TOTAL_ARTIFACTS)
+
        resolution_order.append(artifact_id)

        resolved_artifacts[artifact_id] = ResolvedArtifact(