fix(bitdefender): fourth-pass - urllib reset safety, Retry-After clamp, sweep/install-links id validation

From a third review pass (converging - all MEDIUM/LOW):
- urllib fallback: a post-send reset (RemoteDisconnected/ConnectionReset, which
  urllib wraps in URLError) was misclassified as always-safe 'connect' and could
  retry a non-idempotent write after a server commit. Now only ConnectionRefused/
  DNS (socket.gaierror) -> 'connect'; everything else -> 'timeout' (write-gated).
- _retry_delay clamps a negative numeric Retry-After to 0 (was -> time.sleep(-1) ValueError).
- cmd_sweep + cmd_install_links now validate --company; cmd_company_create validates
  --parent (finished _require_oid consistency - these mislogged as errorlog noise).
- cmd_push_test parses --extra-json before gating (validate->gate order, matches siblings).
- selftest: +sweep/install-links bad-company assertions. 81/81. Units: clamp + reset classification.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-06-25 13:59:19 -07:00
parent 5af2fc09ec
commit 3d6cb467bf
3 changed files with 24 additions and 7 deletions

View File

@@ -284,6 +284,8 @@ def cmd_company_create(client, args):
extra, rc = _load_json_arg(args.extra_json, "extra-json")
if rc:
return rc
if args.parent and not _require_oid(args.parent, "parent company"):
return 2
label = {0: "Partner", 1: "Customer"}.get(args.type, str(args.type))
if not _gated(f"create {label} company '{args.name}'", args.confirm):
return 3
@@ -337,6 +339,8 @@ def cmd_endpoint(client, args):
def cmd_sweep(client, args):
if args.company and not _require_oid(args.company, "company"):
return 2
if args.company:
summaries = client.security_sweep(args.company)
else:
@@ -535,11 +539,11 @@ def cmd_push_set(client, args):
def cmd_push_test(client, args):
if not _gated(f"send test push event '{args.event_type}'", args.confirm):
return 3
extra, rc = _load_json_arg(args.extra_json, "extra-json")
if rc:
return rc
if not _gated(f"send test push event '{args.event_type}'", args.confirm):
return 3
result = client.send_test_push_event(args.event_type, extra=extra or None)
_emit({"testEvent": args.event_type, "result": result}, args.json, _print_kv)
return 0
@@ -702,8 +706,11 @@ def cmd_create_package(client, args):
def cmd_install_links(client, args):
if args.company and not _require_oid(args.company, "company"):
return 2
_emit(client.get_installation_links(args.package, args.company),
args.json, _print_kv)
return 0
def cmd_scan(client, args):

View File

@@ -23,6 +23,7 @@ import base64
import json
import os
import random
import socket
import subprocess
import sys
import tempfile
@@ -86,7 +87,9 @@ def _retry_delay(headers, attempt: int) -> float:
# An explicit server-mandated Retry-After is honored up to a HIGHER cap
# than the exponential backoff (don't retry early into another 429).
try:
return min(float(ra), RETRY_AFTER_MAX_SECONDS)
# clamp to [0, ceiling]: a malformed negative Retry-After must not
# reach time.sleep() (which raises ValueError on a negative value).
return min(max(float(ra), 0.0), RETRY_AFTER_MAX_SECONDS)
except (TypeError, ValueError):
try:
dt = parsedate_to_datetime(ra)
@@ -373,11 +376,16 @@ class GravityZoneClient:
except TimeoutError as exc:
raise _RetryableHTTP("timeout", detail=str(exc)) from exc
except urllib.error.URLError as exc:
# A bare URLError (not HTTPError) is a connection-level failure. If it
# wraps a read timeout it is ambiguous ('timeout'); otherwise it is a
# pre-send connect failure ('connect', always safe to retry).
# Classify conservatively: only a KNOWN pre-send failure (connection
# refused / DNS failure) is the always-safe 'connect'. Anything else -
# a connect/read timeout, or an ambiguous post-send reset like
# RemoteDisconnected/ConnectionResetError that urllib also wraps in
# URLError - is 'timeout' so a non-idempotent write is NOT retried.
reason = getattr(exc, "reason", None)
code = "timeout" if isinstance(reason, TimeoutError) else "connect"
if isinstance(reason, (ConnectionRefusedError, socket.gaierror)):
code = "connect"
else:
code = "timeout"
raise _RetryableHTTP(code, detail=str(exc)) from exc
try:
return json.loads(raw.decode("utf-8"))

View File

@@ -95,6 +95,8 @@ check("policy no shallow warning", ["policy", "5c42940b6e16d61a0c8b4568"], want_
# behavior, not a skill bug. ---
check("endpoint bad id -> rc2 (client-side)", ["endpoint", "bogus"], want_rc=2, err_has="not a valid")
check("policy bad id -> rc2 (client-side)", ["policy", "bogus"], want_rc=2, err_has="not a valid")
check("sweep bad company -> rc2 (client-side)", ["sweep", "--company", "bogus"], want_rc=2, err_has="not a valid")
check("install-links bad company -> rc2", ["install-links", "--package", "P", "--company", "bogus"], want_rc=2, err_has="not a valid")
# --- argparse: missing required arg -> rc2 ---
check("quarantine missing --company -> rc2", ["quarantine"], want_rc=2)