[question] Corrupted package after upload (403) about conan HOT 7 CLOSED

Hi @Nekto89

Thanks for your question.

This is indeed unexpected and weird, I haven't seen before anything like this.

Can conan automatically do clean-up if upload failed?

No, this is not possible. A 403 Forbidden is quite explicit and stops, even trying to remove in the server automatically from the client doesn't make much sense.

What might be the reason for this? Antivirus or firewall on Artifactory server? Maybe someone encountered similar issue in the past? Token definitely has access because I can remove package.

To be honest, I have no idea. It would be very useful to have the server side traces, please try to collect them if you are running the server, or ask IT or your devops teams to try to collect these logs, maybe they contain some further hints of what could be happening. Also, if there is some other component like scanners such as Xray connected to Artifactory that could be interacting with the upload.

From the client side, I'd try to do some extra checks, like uploading exactly that package, but empty (to see if there is something in the specific package name), or the opposite, try to have exactly the same payload of the package, but under a different name. I'd also inspect the conanmanifest.txt file in the recipe, in case it could contain something unexpected.

from conan.

Also, the exact Conan version and Artifactory versions would be needed.

Other things to try:

• Trying the upload from other different machine
• Trying the upload of exactly the same package to a local running ArtifactoryCE

from conan.

Also, the exact Conan version and Artifactory versions would be needed.

Other things to try:

* Trying the upload from other different machine

* Trying the upload of exactly the same package to a local running ArtifactoryCE

0. conan 2.3.1, artifactory 7.63.12, jf cli 2.16.4
1. changing channel name doesn't help
2. tried uploading "conanfile.py" to generic repository through jfrog cli (jf.exe) same 403 error.
3. tried uploading "conanfile.py" to generic repository through browser - it magically works and can be downloaded afterwards.

I'm trying to get more info\logs from the team that supports Artifactory instance, but they are currently busy with other tasks. I will write here if I'll find the reason for this strange behavior.

from conan.

Mystery solved. For some reason WAF service thinks that this file contains SQL injection.
https://raw.githubusercontent.com/conan-io/conan-center-index/master/recipes/onetbb/all/conanfile.py

Issue can be closed if there is nothing that can be done for doing uploads as transactions with possibility of rollback.

from conan.

Good to hear, happy to see it is not a bug on our end.

Issue can be closed if there is nothing that can be done for doing uploads as transactions with possibility of rollback.

The capability of more atomic uploads is something that we are already aware and we would like to try to approach some time in the future, but as this requires a lot of functionality in the server, it is a bit out of the scope of this ticket, so closing the ticket as the main issue was identified.

Thanks for the feedback.

from conan.

@memsharded one more related question. Is it possible for conan to output more information and not just callstack? For example, like curl does with -vv? In this case body of response contained important data in HTML format but conan wasn't showing it.

from conan.

At this moment the capturing or Forbidden and Authentication errors are assuming the human-readable response would be in the response.reason for text/html responses and data["message"] for application/json, and that should be included in the error printed.

If this is not enough, which seems the case, at the moment there are no traces for the http communication api calls details. One reason for not being able to easily print http traces is that headers will often include tokens, passwords, etc, and that is a security risk to expose them in logs.

from conan.