Exemplo n.º 1
0
    def test_run_with_mocks(self):
        upload = self.get_upload('webextension.xpi')
        assert len(YaraResult.objects.all()) == 0

        # This compiled rule will match for all files in the xpi.
        rules = yara.compile(source='rule always_true { condition: true }')
        with mock.patch('yara.compile') as yara_compile_mock:
            yara_compile_mock.return_value = rules
            run_yara(upload.pk)

        assert yara_compile_mock.called
        results = YaraResult.objects.all()
        assert len(results) == 1
        result = results[0]
        assert result.upload == upload
        assert len(result.matches) == 2
        assert result.matches[0] == {
            'rule': 'always_true',
            'tags': [],
            'meta': {
                'filename': 'index.js'
            },
        }
        assert result.matches[1] == {
            'rule': 'always_true',
            'tags': [],
            'meta': {
                'filename': 'manifest.json'
            },
        }
Exemplo n.º 2
0
    def test_calls_statsd_timer(self, timer_mock):
        upload = self.get_upload('webextension.xpi')

        run_yara(upload.pk)

        assert timer_mock.called
        timer_mock.assert_called_with('devhub.yara')
Exemplo n.º 3
0
    def test_run_does_not_raise(self, incr_mock):
        upload = self.get_upload('webextension.xpi')

        # This call should not raise even though there will be an error because
        # YARA_RULES_FILEPATH is configured with a wrong path.
        run_yara(upload.pk)

        assert incr_mock.called
        incr_mock.assert_called_with('devhub.yara.failure')
Exemplo n.º 4
0
    def test_run_no_matches_with_mocks(self):
        upload = self.get_upload('webextension.xpi')
        assert len(YaraResult.objects.all()) == 0

        # This compiled rule will never match.
        rules = yara.compile(source='rule always_false { condition: false }')
        with mock.patch('yara.compile') as yara_compile_mock:
            yara_compile_mock.return_value = rules
            run_yara(upload.pk)

        result = YaraResult.objects.all()[0]
        assert result.matches == []
Exemplo n.º 5
0
    def test_run_ignores_directories(self):
        upload = self.get_upload('webextension_signed_already.xpi')
        # This compiled rule will match for all files in the xpi.
        rules = yara.compile(source='rule always_true { condition: true }')

        with mock.patch('yara.compile') as yara_compile_mock:
            yara_compile_mock.return_value = rules
            run_yara(upload.pk)

        result = YaraResult.objects.all()[0]
        assert result.upload == upload
        # The `webextension_signed_already.xpi` fixture file has 1 directory
        # and 3 files.
        assert len(result.matches) == 3
Exemplo n.º 6
0
    def test_run_with_mocks(self, incr_mock):
        assert len(YaraResult.objects.all()) == 0

        # This compiled rule will match for all files in the xpi.
        rules = yara.compile(source='rule always_true { condition: true }')
        with mock.patch('yara.compile') as yara_compile_mock:
            yara_compile_mock.return_value = rules
            received_results = run_yara(self.results, self.upload.pk)

        assert yara_compile_mock.called
        yara_results = YaraResult.objects.all()
        assert len(yara_results) == 1
        yara_result = yara_results[0]
        assert yara_result.upload == self.upload
        assert len(yara_result.matches) == 2
        assert yara_result.matches[0] == {
            'rule': 'always_true',
            'tags': [],
            'meta': {
                'filename': 'index.js'
            },
        }
        assert yara_result.matches[1] == {
            'rule': 'always_true',
            'tags': [],
            'meta': {
                'filename': 'manifest.json'
            },
        }
        assert incr_mock.called
        incr_mock.assert_called_with('devhub.yara.success')
        # The task should always return the results.
        assert received_results == self.results
Exemplo n.º 7
0
    def test_does_not_run_when_results_contain_errors(self, yara_compile_mock):
        self.results.update({'errors': 1})
        received_results = run_yara(self.results, self.upload.pk)

        assert not yara_compile_mock.called
        # The task should always return the results.
        assert received_results == self.results
Exemplo n.º 8
0
    def test_run_does_not_raise(self, incr_mock):
        # This call should not raise even though there will be an error because
        # YARA_RULES_FILEPATH is configured with a wrong path.
        received_results = run_yara(self.results, self.upload.pk)

        assert incr_mock.called
        incr_mock.assert_called_with('devhub.yara.failure')
        # The task should always return the results.
        assert received_results == self.results
Exemplo n.º 9
0
    def test_run_no_matches_with_mocks(self):
        assert len(YaraResult.objects.all()) == 0

        # This compiled rule will never match.
        rules = yara.compile(source='rule always_false { condition: false }')
        with mock.patch('yara.compile') as yara_compile_mock:
            yara_compile_mock.return_value = rules
            received_results = run_yara(self.results, self.upload.pk)

        yara_result = YaraResult.objects.all()[0]
        assert yara_result.matches == []
        # The task should always return the results.
        assert received_results == self.results
Exemplo n.º 10
0
    def test_skip_non_webextensions_with_mocks(self, yara_compile_mock):
        upload = self.get_upload('search.xml')
        results = {
            **amo.VALIDATOR_SKELETON_RESULTS, 'metadata': {
                'is_webextension': False,
            }
        }

        received_results = run_yara(results, upload.pk)

        assert not yara_compile_mock.called
        # The task should always return the results.
        assert received_results == results
Exemplo n.º 11
0
    def test_run_ignores_directories(self):
        upload = self.get_upload('webextension_signed_already.xpi')
        results = {
            **amo.VALIDATOR_SKELETON_RESULTS, 'metadata': {
                'is_webextension': True,
            }
        }
        # This compiled rule will match for all files in the xpi.
        rules = yara.compile(source='rule always_true { condition: true }')

        with mock.patch('yara.compile') as yara_compile_mock:
            yara_compile_mock.return_value = rules
            received_results = run_yara(results, upload.pk)

        yara_result = YaraResult.objects.all()[0]
        assert yara_result.upload == upload
        # The `webextension_signed_already.xpi` fixture file has 1 directory
        # and 3 files.
        assert len(yara_result.matches) == 3
        # The task should always return the results.
        assert received_results == results
Exemplo n.º 12
0
    def test_run_does_not_raise(self):
        upload = self.get_upload('webextension.xpi')

        # This call should not raise even though there will be an error because
        # YARA_RULES_FILEPATH is configured with a wrong path.
        run_yara(upload.pk)
Exemplo n.º 13
0
    def test_skip_non_xpi_files_with_mocks(self, yara_compile_mock):
        upload = self.get_upload('search.xml')

        run_yara(upload.pk)

        assert not yara_compile_mock.called
Exemplo n.º 14
0
    def test_calls_statsd_timer(self, timer_mock):
        run_yara(self.results, self.upload.pk)

        assert timer_mock.called
        timer_mock.assert_called_with('devhub.yara')
Exemplo n.º 15
0
def handle_upload_validation_result(
        results, upload_pk, channel, is_mozilla_signed):
    """Annotate a set of validation results and save them to the given
    FileUpload instance."""
    upload = FileUpload.objects.get(pk=upload_pk)

    if waffle.switch_is_active('enable-yara') and results['errors'] == 0:
        # Run Yara. This cannot be asynchronous because we have no way to know
        # whether the task will complete before we attach a `Version` to it
        # later in the submission process... Because we cannot use `chord`
        # reliably right now (requires Celery 4.2+), this task is actually not
        # run as a task, it's a simple function call.
        #
        # TODO: use `run_yara` as a task in the submission chord once it is
        # possible. See: https://github.com/mozilla/addons-server/issues/12216
        run_yara(upload.pk)

    if waffle.switch_is_active('enable-customs') and results['errors'] == 0:
        # Run customs. This cannot be asynchronous because we have no way to
        # know whether the task will complete before we attach a `Version` to
        # it later in the submission process... Because we cannot use `chord`
        # reliably right now (requires Celery 4.2+), this task is actually not
        # run as a task, it's a simple function call.
        #
        # TODO: use `run_customs` as a task in the submission chord once it is
        # possible. See: https://github.com/mozilla/addons-server/issues/12217
        run_customs(upload.pk)

    if waffle.switch_is_active('enable-wat') and results['errors'] == 0:
        # Run wat. This cannot be asynchronous because we have no way to know
        # whether the task will complete before we attach a `Version` to it
        # later in the submission process... Because we cannot use `chord`
        # reliably right now (requires Celery 4.2+), this task is actually not
        # run as a task, it's a simple function call.
        #
        # TODO: use `run_wat` as a task in the submission chord once it is
        # possible. See: https://github.com/mozilla/addons-server/issues/12224
        run_wat(upload.pk)

    # Check for API keys in submissions.
    # Make sure it is extension-like, e.g. no search plugin
    try:
        results = check_for_api_keys_in_file(results=results, upload=upload)
    except (ValidationError, BadZipfile, IOError):
        pass

    # Annotate results with potential webext warnings on new versions.
    if upload.addon_id and upload.version:
        annotations.annotate_webext_incompatibilities(
            results=results, file_=None, addon=upload.addon,
            version_string=upload.version, channel=channel)

    upload.validation = json.dumps(results)
    upload.save()  # We want to hit the custom save().

    # Track the time it took from first upload through validation
    # until the results were processed and saved.
    upload_start = utc_millesecs_from_epoch(upload.created)
    now = datetime.datetime.now()
    now_ts = utc_millesecs_from_epoch(now)
    delta = now_ts - upload_start
    statsd.timing('devhub.validation_results_processed', delta)

    if not storage.exists(upload.path):
        # TODO: actually fix this so we can get stats. It seems that
        # the file maybe gets moved but it needs more investigation.
        log.warning('Scaled upload stats were not tracked. File is '
                    'missing: {}'.format(upload.path))
        return

    size = Decimal(storage.size(upload.path))
    megabyte = Decimal(1024 * 1024)

    # Stash separate metrics for small / large files.
    quantifier = 'over' if size > megabyte else 'under'
    statsd.timing(
        'devhub.validation_results_processed_{}_1mb'.format(quantifier), delta)

    # Scale the upload / processing time by package size (in MB)
    # so we can normalize large XPIs which naturally take longer to validate.
    scaled_delta = None
    size_in_mb = size / megabyte
    if size > 0:
        # If the package is smaller than 1MB, don't scale it. This should
        # help account for validator setup time.
        unit = size_in_mb if size > megabyte else Decimal(1)
        scaled_delta = Decimal(delta) / unit
        statsd.timing('devhub.validation_results_processed_per_mb',
                      scaled_delta)

    log.info('Time to process and save upload validation; '
             'upload.pk={upload}; processing_time={delta}; '
             'scaled_per_mb={scaled}; upload_size_in_mb={size_in_mb}; '
             'created={created}; now={now}'
             .format(delta=delta, upload=upload.pk,
                     created=upload.created, now=now,
                     scaled=scaled_delta, size_in_mb=size_in_mb))