[PATCH] cve-update-db-native: add timeout to urlopen() calls

public inbox for openembedded-core@lists.openembedded.org
 help / color / mirror / Atom feed

* [PATCH] cve-update-db-native: add timeout to urlopen() calls
@ 2022-10-18 16:37 Frank de Brabander
  0 siblings, 0 replies; only message in thread
From: Frank de Brabander @ 2022-10-18 16:37 UTC (permalink / raw)
  To: openembedded-core; +Cc: Frank de Brabander

The urlopen() call can block indefinitely under some circumstances.
This can result in the bitbake process to run endlessly because of
the 'do_fetch' task of cve-update-bb-native to remain active.

This adds a default timeout of 60 seconds to avoid this hang, while
being large enough to minimize the risk of unwanted timeouts.

Signed-off-by: Frank de Brabander <debrabander@gmail.com>
---
 meta/recipes-core/meta/cve-update-db-native.bb | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index 944243fce9..9b9dbbd75f 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -18,6 +18,9 @@ NVDCVE_URL ?= "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-"
 # Use a negative value to skip the update
 CVE_DB_UPDATE_INTERVAL ?= "86400"
 
+# Timeout for blocking socket operations, such as the connection attempt.
+CVE_SOCKET_TIMEOUT ?= "60"
+
 python () {
     if not bb.data.inherits_class("cve-check", d):
         raise bb.parse.SkipRecipe("Skip recipe when cve-check class is not loaded.")
@@ -39,6 +42,8 @@ python do_fetch() {
     db_file = d.getVar("CVE_CHECK_DB_FILE")
     db_dir = os.path.dirname(db_file)
 
+    cve_socket_timeout = int(d.getVar("CVE_SOCKET_TIMEOUT"))
+
     if os.path.exists("{0}-journal".format(db_file)):
         # If a journal is present the last update might have been interrupted. In that case,
         # just wipe any leftovers and force the DB to be recreated.
@@ -79,7 +84,7 @@ python do_fetch() {
 
             # Retrieve meta last modified date
             try:
-                response = urllib.request.urlopen(meta_url)
+                response = urllib.request.urlopen(meta_url, timeout=cve_socket_timeout)
             except urllib.error.URLError as e:
                 cve_f.write('Warning: CVE db update error, Unable to fetch CVE data.\n\n')
                 bb.warn("Failed to fetch CVE data (%s)" % e.reason)
@@ -107,7 +112,7 @@ python do_fetch() {
 
                 # Update db with current year json file
                 try:
-                    response = urllib.request.urlopen(json_url)
+                    response = urllib.request.urlopen(json_url, timeout=cve_socket_timeout)
                     if response:
                         update_db(conn, gzip.decompress(response.read()).decode('utf-8'))
                     conn.execute("insert or replace into META values (?, ?)", [year, last_modified]).close()
-- 
2.30.2



^ permalink raw reply related	[flat|nested] only message in thread

only message in thread, other threads:[~2022-10-18 16:38 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-10-18 16:37 [PATCH] cve-update-db-native: add timeout to urlopen() calls Frank de Brabander

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox