42 changes: 21 additions & 21 deletions .claude/settings.json
Expand Up @@ -2,33 +2,33 @@
"permissions": {
"allow": [
"Bash(codespell)",
"Bash(python -m behave *)",
"Bash(python -m pytest tests/*)",
"Bash(pre-commit run:*)",
"Bash(git stash:*)",
"Bash(pre-commit run *)",
"Bash(git stash *)",
"Bash(xenon *)",
"Bash(radon *)",
"Bash(isort --diff dfetch)",
"Bash(black --check dfetch)",
"Bash(pylint dfetch:*)",
"Bash(ruff check:*)",
"Bash(mypy dfetch:*)",
"Bash(pip show:*)",
"Bash(doc8 doc:*)",
"Bash(pydocstyle dfetch:*)",
"Bash(bandit -r dfetch)",
"Bash(isort --diff dfetch*)",
"Bash(black --check dfetch*)",
"Bash(pylint dfetch*)",
"Bash(ruff check dfetch*)",
"Bash(mypy dfetch*)",
"Bash(python -m mypy dfetch*)",
"Bash(python -m pytest tests/*)",
"Bash(pip show *)",
"Bash(doc8 doc*)",
"Bash(pydocstyle dfetch*)",
"Bash(bandit *)",
"Bash(pyroma --directory --min=10 .)",
"Bash(xargs pyupgrade:*)",
"Bash(xargs pyupgrade *)",
"Bash(lint-imports)",
"Bash(pip install:*)",
"Bash(pytest tests/test_sbom_reporter.py -q)",
"Bash(pip install *)",
"Bash(pytest *)",
Comment on lines +23 to +24

Contributor


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Restrict wildcard Bash permissions to least privilege.

These *-based entries materially widen what the assistant can execute and weaken the allowlist boundary. For high-risk commands (pip install, broad pytest, and unconstrained dfetch args), prefer explicit command/arg shapes.

🔧 Suggested tightening example
-      "Bash(pip install *)",
-      "Bash(pytest *)",
+      "Bash(pip install -e .[docs])",
+      "Bash(pytest tests/*)",

Also applies to: 28-31

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.claude/settings.json around lines 23 - 24, The allowlist entries "Bash(pip
install *)" and "Bash(pytest *)" (and the similar wildcard entries around lines
28–31) are too permissive; replace these star-based patterns with
least-privilege shapes by enumerating allowed package/flag patterns or using
constrained argument regexes instead of "*" — e.g., restrict "pip install" to
specific package names/versions, constrain "pytest" to specific test
paths/flags, and tighten any "dfetch" or other Bash(...) entries to explicit,
validated argument forms so arbitrary installs/tests/commands cannot be
executed.

"Bash(make -C doc latexpdf)",
"Bash(make -C doc clean)",
"Bash(dfetch add:*)",
"Bash(dfetch update:*)",
"Bash(python -m security.tm_supply_chain:*)",
"Bash(python -m security.tm_usage:*)",
"Bash(make -C doc html)"
"Bash(make -C doc html)",
"Bash(dfetch add *)",
"Bash(dfetch update *)",
"Bash(python -m security.tm_supply_chain *)",
"Bash(python -m security.tm_usage *)"
spoorcc marked this conversation as resolved.
],
"additionalDirectories": [
"/workspaces/dfetch/.claude"
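Review bot: several rewritten entries drop the argument constraints the old ones carried, not only the `:*` suffix: `"Bash(bandit -r dfetch)"` becomes `"Bash(bandit *)"` and `"Bash(pytest tests/test_sbom_reporter.py -q)"` becomes `"Bash(pytest *)"`, so bandit and pytest can now be run with any arguments (arbitrary target paths, plugin and option flags). Keep the target in the pattern, e.g. `"Bash(bandit -r dfetch*)"` and `"Bash(pytest tests/*)"`, as the list already does for `"Bash(python -m pytest tests/*)"`. The wildcard is also written in two shapes inside the same list: `"Bash(doc8 doc*)"` and `"Bash(mypy dfetch*)"` glue `*` to the argument, while `"Bash(pip show *)"` and `"Bash(xargs pyupgrade *)"` separate it with a space; pick one shape and confirm against the permission matcher which is intended, because if `*` is treated as a glob, `doc*` with no space also matches any argument that merely begins with `doc`.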
3 changes: 3 additions & 0 deletions .readthedocs.yml
Expand Up @@ -17,6 +17,9 @@ build:
os: ubuntu-22.04
tools:
python: "3.13"
jobs:
post_checkout:
- if [ "$(git rev-parse --is-shallow-repository)" = "true" ]; then git fetch --unshallow; fi
apt_packages:
- texlive-latex-recommended
- texlive-fonts-recommended
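Review bot: the new `post_checkout` step is undocumented; add a YAML comment above `jobs:` stating why the docs build needs the full history (neither this hunk nor the CHANGELOG hunk gives a reason), so nobody later removes it to speed up checkouts. If the reason is tag-based version detection, note that `git fetch --unshallow` only deepens the refs already fetched; tags not reachable from those refs still need `--tags`. The guard itself is sound: `git rev-parse --is-shallow-repository` prints `true` or `false`, and the conditional keeps `--unshallow` from failing on a clone that is already complete.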
1 change: 1 addition & 0 deletions CHANGELOG.rst
Expand Up @@ -23,6 +23,7 @@ Release 0.14.0 (unreleased)
* Allow manifests with no ``projects`` key so ``dfetch add`` can bootstrap empty manifest (#1197)
* Fix ``ValueError`` when generating a PackageURL (e.g. for an SBOM) from an empty or path-only remote URL
* Fix SSH shorthand URLs (``git@host:path``) being incorrectly joined with ``/`` when used as ``url-base`` with ``repo-path`` (#1247)
* Run ``svn+ssh://`` connections in non-interactive mode to prevent hanging (#1230)
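Review bot: the new entry says ``svn+ssh://`` connections now run in "non-interactive mode" without saying which prompts that covers. svn's own ``--non-interactive`` flag only stops svn from asking (credentials, certificate acceptance); host-key and key-passphrase prompts for an ``svn+ssh://`` URL come from the ssh tunnel process and are not affected by it. State in the entry, or in the docs it points to, whether ssh prompts are also suppressed, so users following #1230 know whether a hang on an unknown host key can still occur. The implementing change is also not among the files visible in this diff view; confirm it ships in the same release as this note.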

Release 0.13.0 (released 2026-03-30)
====================================