tree 115709507792cc0158af66d560e8f7067585765b
parent 56ff29434ff7a67767efe86e47b6499206b18098
author Mitchell Kember <mkember@google.com> 1599779442 -0700
committer Mitchell Kember <mkember@google.com> 1599846056 -0700

Only expose program failures for exit status 1

This CL changes the program.run function to return `(response, error)`
instead of just `response`. Previously, all failures would be rolled
into an `Ok: false` response and shown to the user. Now, it only does so
for exit status 1, and otherwise returns an error which bubbles up to a
500 Internal Server Error, with the `error` object logged on the server.

Rationale: we want to show legitimate failures to the user (e.g. fidlc
will fail if its input has a syntax error), but we do *not* want to
expose information the OS prints when programs crash. We use the exit
status as a proxy for this. For example, a segfault should cause the
program to exit with status 139, not 1.

This also makes program.run return stdout in the success case and stderr
in the failure (exit status 1) case, rather than always combining them
as before. This is a further measure to avoid leaking details that
should not be shown to the user. It also allows the logged message for
exit statuses besides 0 and 1 to show stdout/stderr separately.

Change-Id: I19173e66d37ead6989a7b45ab699976547f97267