Merge branch 'main' into svn-ssh-non-onteractive

spoorcc · spoorcc · commit 81387c8bbb27 · 2026-06-01T20:02:17.000Z
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -1,6 +1,7 @@
 Release 0.14.0 (unreleased)
 ===========================
 
+* Warn when a project URL uses a plaintext transport scheme (#1229)
 * Documentation and threat-model clarifications for existing release attestation support (#1208)
 * Report SVN externals fetched during update (#1220)
 * Use ``.cdx.json`` as the default extension for CycloneDX SBOM reports (#1118)
@@ -19,7 +20,7 @@ Release 0.14.0 (unreleased)
 * Fix arbitrary file write via malicious tar/zip symlink (#1152)
 * Prevent SSH command injection (#1152)
 * Allow manifests with no ``projects`` key so ``dfetch add`` can bootstrap empty manifest (#1197)
-* Run ``svn+ssh://`` connections in non-interactive mode to prevent hanging (#0)
+* Run ``svn+ssh://`` connections in non-interactive mode to prevent hanging (#1230)
 
 Release 0.13.0 (released 2026-03-30)
 ====================================
diff --git a/dfetch/manifest/project.py b/dfetch/manifest/project.py
@@ -321,13 +321,38 @@
 import copy
 from collections.abc import Sequence
 from dataclasses import dataclass, field
+from urllib.parse import urlsplit, urlunsplit
 
 from typing_extensions import Required, TypedDict
 
+from dfetch.log import get_logger
 from dfetch.manifest.remote import Remote
 from dfetch.manifest.version import Version
 from dfetch.util.util import always_str_list, str_if_possible
 
+logger = get_logger(__name__)
+
+_PLAINTEXT_SCHEMES = frozenset({"http", "git", "svn"})
+
+
+def plaintext_warning(url: str) -> str:
+    """Return a warning string if *url* uses a plaintext transport, else empty string."""
+    parsed = urlsplit(url)
+    scheme = parsed.scheme.lower()
+    if scheme not in _PLAINTEXT_SCHEMES:
+        return ""
+    host = parsed.hostname or ""
+    try:
+        port = parsed.port
+    except ValueError:
+        port = None
+    netloc = f"{host}:{port}" if isinstance(port, int) else host
+    redacted_url = urlunsplit((scheme, netloc, parsed.path, "", ""))
+    return (
+        f"Project URL '{redacted_url}' uses plaintext transport ({scheme}://). "
+        "Use https:// or SSH (e.g. svn+ssh://) to prevent interception."
+    )
+
 
 @dataclass
 class Integrity:
diff --git a/dfetch/project/subproject.py b/dfetch/project/subproject.py
@@ -6,7 +6,7 @@
 from collections.abc import Callable, Sequence
 
 from dfetch.log import get_logger
-from dfetch.manifest.project import ProjectEntry
+from dfetch.manifest.project import ProjectEntry, plaintext_warning
 from dfetch.manifest.version import Version
 from dfetch.project.abstract_check_reporter import AbstractCheckReporter
 from dfetch.project.metadata import Dependency, InvalidMetadataError, Metadata
@@ -129,6 +129,8 @@ def update(
             f"Fetching {to_fetch}",
             enabled=self._show_animations,
         ):
+            if warning := plaintext_warning(self.__project.remote_url):
+                logger.print_warning_line(self.__project.name, warning)
             actually_fetched, dependency = self._fetch_impl(to_fetch)
         self._log_project(f"Fetched {actually_fetched}")
 
@@ -213,6 +215,8 @@ def check_for_update(
         with logger.status(
             self.__project.name, "Checking", enabled=self._show_animations
         ):
+            if warning := plaintext_warning(self.__project.remote_url):
+                logger.print_warning_line(self.__project.name, warning)
             latest_version = self._check_for_newer_version()
 
         if not latest_version:
diff --git a/dfetch/vcs/svn.py b/dfetch/vcs/svn.py
@@ -45,11 +45,13 @@ def _raise_if_ssh_host_key_error(url: str, exc: SubprocessCommandError) -> None:
     """Raise a helpful RuntimeError if *exc* looks like an SSH host-key failure."""
     stderr_lower = exc.stderr.lower()
     if any(msg in stderr_lower for msg in _SSH_HOST_KEY_MSGS):
+        parsed = urlparse(url)
+        host_only = parsed.hostname or url
         target = _ssh_target_from_url(url)
         raise RuntimeError(
             f"SSH host key verification failed while connecting to '{url}'.\n"
             "Add the host to your known hosts file, for example by running:\n"
-            f"  ssh-keyscan {target} >> ~/.ssh/known_hosts\n"
+            f"  ssh-keyscan {host_only} >> ~/.ssh/known_hosts\n"
             "Or test the SSH connection manually:\n"
             f"  ssh -T {target}"
         ) from exc
@@ -134,7 +136,7 @@ def list_of_tags(self) -> list[str]:
             )
         except SubprocessCommandError as exc:
             _raise_if_ssh_host_key_error(self._remote, exc)
-            raise
+            return []
         return [
             str(tag).strip("/\r") for tag in result.stdout.decode().split("\n") if tag
         ]
@@ -205,7 +207,11 @@ def is_svn(self) -> bool:
         """Check if is SVN."""
         try:
             with in_directory(self._path):
-                run_on_cmdline(logger, ["svn", "info", "--non-interactive"])
+                run_on_cmdline(
+                    logger,
+                    ["svn", "info", "--non-interactive"],
+                    env=_extend_env_for_non_interactive_mode(),
+                )
             return True
         except (SubprocessCommandError, RuntimeError):
             return False
@@ -222,6 +228,7 @@ def externals(self) -> list[External]:
                     "svn:externals",
                     "-R",
                 ],
+                env=_extend_env_for_non_interactive_mode(),
             )
             repo_root = SvnRepo.get_info_from_target()["Repository Root"]
             return SvnRepo._parse_externals(
@@ -518,7 +525,9 @@ def create_diff(
             )
 
         with in_directory(self._path):
-            patch_text = run_on_cmdline(logger, cmd).stdout
+            patch_text = run_on_cmdline(
+                logger, cmd, env=_extend_env_for_non_interactive_mode()
+            ).stdout
 
         if not patch_text.strip():
             return Patch.empty().convert_type(PatchType.SVN)
@@ -537,6 +546,7 @@ def get_username(self) -> str:
                     "author",
                     self._path,
                 ],
+                env=_extend_env_for_non_interactive_mode(),
             )
             return str(result.stdout.decode().strip())
         except SubprocessCommandError:
diff --git a/doc/explanation/security.rst b/doc/explanation/security.rst
@@ -96,6 +96,12 @@ to reproduce a deterministic dependency state.
   allow exfiltration risks if upstream sources are compromised or intentionally
   malicious.
 
+.. note::
+
+   dfetch warns during dependency update/check operations when a project URL uses a plaintext
+   transport scheme (``http://``, ``git://``, or ``svn://``). Use ``https://``
+   or SSH (e.g. ``svn+ssh://``) to protect dependency fetches against interception.
+
 Threat Models
 -------------
 
diff --git a/example/dfetch.yaml b/example/dfetch.yaml
@@ -7,7 +7,7 @@ manifest:
     default: true                                                 # Set it as default
 
   - name: sourceforge
-    url-base: svn+ssh://svn.code.sf.net/p/
+    url-base: svn://svn.code.sf.net/p/
 
   projects:
 
diff --git a/features/check-svn-repo.feature b/features/check-svn-repo.feature
@@ -11,7 +11,7 @@ Feature: Checking dependencies from a svn repository
 
               remotes:
                 - name: cunit
-                  url-base: svn://svn.code.sf.net/p/cunit/code
+                  url-base: https://svn.code.sf.net/p/cunit/code
 
               projects:
                 - name: cunit-svn-rev-only
@@ -44,7 +44,7 @@ Feature: Checking dependencies from a svn repository
 
               remotes:
                 - name: cutter
-                  url-base: svn://svn.code.sf.net/p/cutter/svn/cutter
+                  url-base: https://svn.code.sf.net/p/cutter/svn/cutter
 
               projects:
                 - name: cutter-svn-tag
@@ -69,7 +69,7 @@ Feature: Checking dependencies from a svn repository
 
               remotes:
                 - name: cunit
-                  url-base: svn://svn.code.sf.net/p/cunit/code
+                  url-base: https://svn.code.sf.net/p/cunit/code
                   default: true
 
               projects:
@@ -152,7 +152,7 @@ Feature: Checking dependencies from a svn repository
 
               remotes:
                 - name: cutter
-                  url-base: svn://svn.code.sf.net/p/cutter/svn/cutter
+                  url-base: https://svn.code.sf.net/p/cutter/svn/cutter
 
               projects:
                 - name: cutter-svn-tag
diff --git a/features/fetch-svn-repo.feature b/features/fetch-svn-repo.feature
@@ -17,11 +17,11 @@ Feature: Fetching dependencies from a svn repository
 
               remotes:
                 - name: cunit
-                  url-base: svn://svn.code.sf.net/p/cunit/code
+                  url-base: https://svn.code.sf.net/p/cunit/code
                   default: true
 
                 - name: cutter
-                  url-base: svn://svn.code.sf.net/p/cutter/svn/cutter
+                  url-base: https://svn.code.sf.net/p/cutter/svn/cutter
 
               projects:
                 - name: cunit-svn-rev-only
diff --git a/features/freeze-projects.feature b/features/freeze-projects.feature
@@ -44,7 +44,7 @@ Feature: Freeze dependencies
               projects:
                 - name: cunit-svn
                   vcs: svn
-                  url: svn://svn.code.sf.net/p/cunit/code
+                  url: https://svn.code.sf.net/p/cunit/code
 
             """
         And all projects are updated
@@ -59,7 +59,7 @@ Feature: Freeze dependencies
                 branch: trunk
                 revision: '176'
                 vcs: svn
-                url: svn://svn.code.sf.net/p/cunit/code
+                url: https://svn.code.sf.net/p/cunit/code
 
             """
 
diff --git a/features/list-projects.feature b/features/list-projects.feature
@@ -58,7 +58,7 @@ Feature: List dependencies
 
               projects:
                 - name: cutter-svn-tag
-                  url: svn://svn.code.sf.net/p/cutter/svn/cutter
+                  url: https://svn.code.sf.net/p/cutter/svn/cutter
                   tag: 1.1.7
                   vcs: svn
                   src: acmacros
@@ -71,7 +71,7 @@ Feature: List dependencies
             Dfetch (0.13.0)
               cutter-svn-tag:
               - remote            : <none>
-                remote url        : svn://svn.code.sf.net/p/cutter/svn/cutter
+                remote url        : https://svn.code.sf.net/p/cutter/svn/cutter
                 branch            : <none>
                 tag               : 1.1.7
                 last fetch        : 29/12/2024, 20:09:21
diff --git a/features/patch-after-fetch-svn.feature b/features/patch-after-fetch-svn.feature
@@ -12,7 +12,7 @@ Feature: Patch after fetching from svn repo
 
                 remotes:
                 - name: cutter
-                  url-base: svn://svn.code.sf.net/p/cutter/svn/cutter
+                  url-base: https://svn.code.sf.net/p/cutter/svn/cutter
 
                 projects:
                 - name: cutter
@@ -46,7 +46,7 @@ Feature: Patch after fetching from svn repo
 
                 remotes:
                 - name: cutter
-                  url-base: svn://svn.code.sf.net/p/cutter/svn/cutter
+                  url-base: https://svn.code.sf.net/p/cutter/svn/cutter
 
                 projects:
                 - name: cutter
diff --git a/pyproject.toml b/pyproject.toml
@@ -83,7 +83,7 @@ development = [
     "tomli; python_version < '3.11'", # Tomllib is default in 3.11, required for letting codespell read the pyproject.toml
     'pre-commit==4.6.0',
     'ruff==0.15.14',
-    'hypothesis==6.152.9',
+    'hypothesis==6.152.10',
     'import-linter==2.11',
 ]
 docs = [
diff --git a/security/tm_usage.py b/security/tm_usage.py
@@ -370,7 +370,7 @@ def _make_usage_vcs_dataflows(
         "``git fetch`` over ``http://`` or SVN over ``svn://`` (plain, non-TLS).  "
         "dfetch accepts these protocols without enforcement - no TLS check in manifest "
         "schema.  Traffic is unencrypted; MITM can substitute repository content.  "
-        "RECOMMENDATION: restrict manifest URLs to HTTPS / svn+https:// / SSH."
+        "RECOMMENDATION: restrict manifest URLs to ``https://`` or ``svn+ssh://``."
     )
     df03_plain.protocol = "HTTP / SVN"
     df03_plain.controls.isEncrypted = False
@@ -958,6 +958,24 @@ def build_model() -> TM:
             "rejects control characters in all string fields."
         ),
     ),
+    Control(
+        id="C-009",
+        name="Plaintext transport detection",
+        assets=["A-09", "A-22"],
+        threats=["DFT-26"],
+        reference="dfetch/manifest/project.py, dfetch/project/subproject.py",
+        description=(
+            "``plaintext_warning()`` (``dfetch/manifest/project.py``) inspects the "
+            "resolved remote URL immediately before each VCS command is issued "
+            "(inside the ``check_for_update`` and ``update`` spinners in "
+            "``subproject.py``).  If the scheme is ``http://``, ``git://``, or "
+            "``svn://``, a visible warning is emitted naming the redacted URL "
+            "(credentials stripped from the userinfo component) and recommending "
+            "``https://`` or ``svn+ssh://``.  "
+            "Detection only — dfetch still proceeds with the plaintext connection; "
+            "the control raises user awareness but does not enforce scheme selection."
+        ),
+    ),
     Control(
         id="C-034",
         name="Hash algorithm allowlist (SHA-256/384/512 only)",
@@ -1291,15 +1309,15 @@ def build_model() -> TM:
     ),
     ThreatResponse(
         "DFT-26",
-        "accept",
+        "mitigate",
         risk="High",
         stride=["Tampering", "Information Disclosure"],
         note=(
-            "dfetch accepts ``http://``, ``svn://``, and other non-TLS scheme URLs; "
-            "HTTPS enforcement is the manifest author's responsibility.  "
-            "Accepted based on the **No HTTPS enforcement** assumption: HTTPS enforcement "
-            "is the responsibility of the manifest author; dfetch accepts non-TLS scheme "
-            "URLs as written and does not upgrade or reject them."
+            "C-009 emits a visible warning immediately before the VCS command when a "
+            "plaintext scheme (``http://``, ``git://``, ``svn://``) is detected, "
+            "with credentials redacted and ``https://`` / ``svn+ssh://`` recommended.  "
+            "Detection only — dfetch does not reject or upgrade plaintext URLs; "
+            "scheme selection remains the manifest author's responsibility."
         ),
     ),
     ThreatResponse(
diff --git a/tests/test_manifest.py b/tests/test_manifest.py
@@ -18,7 +18,7 @@
     RequestedProjectNotFoundError,
 )
 from dfetch.manifest.parse import find_manifest, get_submanifests
-from dfetch.manifest.project import ProjectEntry, ProjectEntryDict
+from dfetch.manifest.project import ProjectEntry, ProjectEntryDict, plaintext_warning
 from dfetch.manifest.remote import Remote
 
 BASIC_MANIFEST = """
@@ -406,6 +406,36 @@ def test_remove_last_project_updates_manifest_with_empty_list() -> None:
     assert not manifest.projects
 
 
+# ---------------------------------------------------------------------------
+# Plaintext URL transport warnings (DFT-01)
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.parametrize(
+    "plaintext_url",
+    [
+        "http://git.example.com/org/repo",
+        "git://git.example.com/org/repo",
+        "svn://svn.example.com/repo/trunk",
+    ],
+)
+def test_plaintext_warning_for_plaintext_scheme(plaintext_url: str) -> None:
+    """plaintext_warning returns a non-empty message for plaintext schemes."""
+    assert "plaintext transport" in plaintext_warning(plaintext_url)
+
+
+def test_plaintext_warning_empty_for_https() -> None:
+    """plaintext_warning returns empty string for HTTPS URLs."""
+    assert plaintext_warning("https://git.example.com/org/repo") == ""
+
+
+def test_plaintext_warning_redacts_credentials() -> None:
+    """Credentials embedded in a plaintext URL are not exposed in the warning."""
+    warning = plaintext_warning("http://user:secret@git.example.com/repo")
+    assert "plaintext transport" in warning
+    assert "secret" not in warning
+
+
 # ---------------------------------------------------------------------------
 # Empty manifest (no projects key)
 # ---------------------------------------------------------------------------
diff --git a/tests/test_svn.py b/tests/test_svn.py
