didericis/bot-bottle
1
0
Fork 0
Code Issues 7 Pull Requests 15 Actions Packages Projects Releases Wiki Activity

refactor(egress): centralize block logging in _block helper
test / unit (pull_request) Successful in 30s
Details
test / integration (pull_request) Successful in 49s
Details
lint / lint (push) Successful in 1m26s
Details
test / unit (push) Successful in 31s
Details
test / integration (push) Successful in 49s
Details
Update Quality Badges / update-badges (push) Successful in 1m13s
Details

Browse Source
This commit was merged in pull request #203.
This commit is contained in:
didericis (claude)
2026-06-06 17:00:42 +00:00
parent c89a0d334a
commit e82bbb587f
1 changed files with 16 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files
bot_bottle/egress_addon.py
+16 -24
View File
@@ -82,6 +82,14 @@ class EgressAddon:
{"Content-Type": "text/plain; charset=utf-8"}, {"Content-Type": "text/plain; charset=utf-8"},
) )
def _block(self, flow: http.HTTPFlow, reason: str) -> None:
sys.stderr.write(f"{reason}\n")
flow.response = http.Response.make(
403,
reason.encode("utf-8"),
{"Content-Type": "text/plain; charset=utf-8"},
)
def request(self, flow: http.HTTPFlow) -> None: def request(self, flow: http.HTTPFlow) -> None:
request_path, _, query = flow.request.path.partition("?") request_path, _, query = flow.request.path.partition("?")
@@ -100,25 +108,18 @@ class EgressAddon:
scan_text = auth_header + "\n" + body scan_text = auth_header + "\n" + body
dlp_result = scan_outbound(route, scan_text, os.environ) dlp_result = scan_outbound(route, scan_text, os.environ)
if dlp_result is not None and dlp_result.severity == "block": if dlp_result is not None and dlp_result.severity == "block":
flow.response = http.Response.make( self._block(flow, f"egress DLP: {dlp_result.reason}")
403,
f"egress DLP: {dlp_result.reason}".encode("utf-8"),
{"Content-Type": "text/plain; charset=utf-8"},
)
return return
# Strip inbound Authorization — agent cannot smuggle tokens. # Strip inbound Authorization — agent cannot smuggle tokens.
flow.request.headers.pop("authorization", None) flow.request.headers.pop("authorization", None)
if is_git_push_request(request_path, query): if is_git_push_request(request_path, query):
flow.response = http.Response.make( self._block(
403, flow,
( "egress: git push over HTTPS is not supported; "
b"egress: git push over HTTPS is not supported; " "use the bottle.git SSH path (gitleaks-scanned by "
b"use the bottle.git SSH path (gitleaks-scanned by " "git-gate's pre-receive hook).",
b"git-gate's pre-receive hook)."
),
{"Content-Type": "text/plain; charset=utf-8"},
) )
return return
@@ -135,12 +136,7 @@ class EgressAddon:
) )
if decision.action == "block": if decision.action == "block":
sys.stderr.write(f"{decision.reason}\n") self._block(flow, decision.reason)
flow.response = http.Response.make(
403,
decision.reason.encode("utf-8"),
{"Content-Type": "text/plain; charset=utf-8"},
)
return return
if decision.inject_authorization is not None: if decision.inject_authorization is not None:
@@ -160,11 +156,7 @@ class EgressAddon:
if result is None: if result is None:
return return
if result.severity == "block": if result.severity == "block":
flow.response = http.Response.make( self._block(flow, f"egress DLP: {result.reason}")
403,
f"egress DLP: {result.reason}".encode("utf-8"),
{"Content-Type": "text/plain; charset=utf-8"},
)
elif result.severity == "warn": elif result.severity == "warn":
sys.stderr.write(f"egress DLP warn: {result.reason}\n") sys.stderr.write(f"egress DLP warn: {result.reason}\n")