Merge branch 'main' into svn-ssh-non-onteractive

Author: spoorcc

CHANGELOG.rst

@@ -1,6 +1,7 @@
 Release 0.14.0 (unreleased)
 ===========================
 
+* Warn when a project URL uses a plaintext transport scheme (#1229)
 * Documentation and threat-model clarifications for existing release attestation support (#1208)
 * Report SVN externals fetched during update (#1220)
 * Use ``.cdx.json`` as the default extension for CycloneDX SBOM reports (#1118)
@@ -19,7 +20,8 @@ Release 0.14.0 (unreleased)
 * Fix arbitrary file write via malicious tar/zip symlink (#1152)
 * Prevent SSH command injection (#1152)
 * Allow manifests with no ``projects`` key so ``dfetch add`` can bootstrap empty manifest (#1197)
-* Run ``svn+ssh://`` connections in non-interactive mode to prevent hanging (#0)
+* Run ``svn+ssh://`` connections in non-interactive mode to prevent hanging (#1230)
+* SSH host key verification failures now display clearer error messages (#1230)
 
 Release 0.13.0 (released 2026-03-30)
 ====================================

dfetch/manifest/project.py

@@ -321,13 +321,38 @@
 import copy
 from collections.abc import Sequence
 from dataclasses import dataclass, field
+from urllib.parse import urlsplit, urlunsplit
 
 from typing_extensions import Required, TypedDict
 
+from dfetch.log import get_logger
 from dfetch.manifest.remote import Remote
 from dfetch.manifest.version import Version
 from dfetch.util.util import always_str_list, str_if_possible
 
+logger = get_logger(__name__)
+
+_PLAINTEXT_SCHEMES = frozenset({"http", "git", "svn"})
+
+
+def plaintext_warning(url: str) -> str:
+    """Return a warning string if *url* uses a plaintext transport, else empty string."""
+    parsed = urlsplit(url)
+    scheme = parsed.scheme.lower()
+    if scheme not in _PLAINTEXT_SCHEMES:
+        return ""
+    host = parsed.hostname or ""
+    try:
+        port = parsed.port
+    except ValueError:
+        port = None
+    netloc = f"{host}:{port}" if isinstance(port, int) else host
+    redacted_url = urlunsplit((scheme, netloc, parsed.path, "", ""))
+    return (
+        f"Project URL '{redacted_url}' uses plaintext transport ({scheme}://). "
+        "Use https:// or SSH (e.g. svn+ssh://) to prevent interception."
+    )
+
 
 @dataclass
 class Integrity:

dfetch/project/subproject.py

@@ -6,7 +6,7 @@
 from collections.abc import Callable, Sequence
 
 from dfetch.log import get_logger
-from dfetch.manifest.project import ProjectEntry
+from dfetch.manifest.project import ProjectEntry, plaintext_warning
 from dfetch.manifest.version import Version
 from dfetch.project.abstract_check_reporter import AbstractCheckReporter
 from dfetch.project.metadata import Dependency, InvalidMetadataError, Metadata
@@ -129,6 +129,8 @@ def update(
             f"Fetching {to_fetch}",
             enabled=self._show_animations,
         ):
+            if warning := plaintext_warning(self.__project.remote_url):
+                logger.print_warning_line(self.__project.name, warning)
             actually_fetched, dependency = self._fetch_impl(to_fetch)
         self._log_project(f"Fetched {actually_fetched}")
 
@@ -213,6 +215,8 @@ def check_for_update(
         with logger.status(
             self.__project.name, "Checking", enabled=self._show_animations
         ):
+            if warning := plaintext_warning(self.__project.remote_url):
+                logger.print_warning_line(self.__project.name, warning)
             latest_version = self._check_for_newer_version()
 
         if not latest_version:

dfetch/project/svnsubproject.py

@@ -9,6 +9,7 @@
 from dfetch.manifest.version import Version
 from dfetch.project.metadata import Dependency
 from dfetch.project.subproject import SubProject
+from dfetch.util.cmdline import SubprocessCommandError
 from dfetch.util.license import is_license_file
 from dfetch.util.util import (
     find_matching_files,
@@ -159,8 +160,16 @@ def _fetch_impl(self, version: Version) -> tuple[Version, list[Dependency]]:
 
     def _fetch_externals(self, complete_path: str, revision: str) -> list[Dependency]:
         """Detect and log SVN externals that were exported with the project."""
+        try:
+            externals = SvnRepo.externals_from_url(complete_path, revision)
+        except SubprocessCommandError:
+            logger.warning(
+                "Could not retrieve SVN externals from '%s' — skipping report.",
+                complete_path,
+            )
+            return []
         vcs_deps = []
-        for external in SvnRepo.externals_from_url(complete_path, revision):
+        for external in externals:
             path_display = "./" + external.path.lstrip("./")
             display_branch = external.branch or SvnRepo.DEFAULT_BRANCH
             self._log_project(

dfetch/util/cmdline.py

@@ -40,12 +40,22 @@ def run_on_cmdline(
     logger: logging.Logger,
     cmd: list[str],
     env: Mapping[str, str] | None = None,
+    timeout: float | None = None,
 ) -> "subprocess.CompletedProcess[Any]":
     """Run a command and log the output, and raise if something goes wrong."""
     logger.debug(f"Running {cmd}")
 
     try:
-        proc = subprocess.run(cmd, env=env, capture_output=True, check=True)  # nosec
+        proc = subprocess.run(
+            cmd, env=env, capture_output=True, check=True, timeout=timeout
+        )  # nosec
+    except subprocess.TimeoutExpired as exc:
+        raise SubprocessCommandError(
+            list(exc.cmd) if isinstance(exc.cmd, (list, tuple)) else [str(exc.cmd)],
+            "",
+            f"Command timed out after {exc.timeout:.0f}s",
+            124,
+        ) from exc
     except subprocess.CalledProcessError as exc:
         raise SubprocessCommandError(
             exc.cmd,

dfetch/vcs/svn.py

@@ -18,6 +18,7 @@
 logger = get_logger(__name__)
 
 _SSH_HOST_KEY_MSGS = ("host key verification failed", "authenticity of host")
+_EXTERNALS_QUERY_TIMEOUT = 30
 
 
 # As a cli tool, we can safely assume this remains stable during the runtime, caching for speed is better
@@ -45,11 +46,13 @@ def _raise_if_ssh_host_key_error(url: str, exc: SubprocessCommandError) -> None:
     """Raise a helpful RuntimeError if *exc* looks like an SSH host-key failure."""
     stderr_lower = exc.stderr.lower()
     if any(msg in stderr_lower for msg in _SSH_HOST_KEY_MSGS):
+        parsed = urlparse(url)
+        host_only = parsed.hostname or url
         target = _ssh_target_from_url(url)
         raise RuntimeError(
             f"SSH host key verification failed while connecting to '{url}'.\n"
             "Add the host to your known hosts file, for example by running:\n"
-            f"  ssh-keyscan {target} >> ~/.ssh/known_hosts\n"
+            f"  ssh-keyscan {host_only} >> ~/.ssh/known_hosts\n"
             "Or test the SSH connection manually:\n"
             f"  ssh -T {target}"
         ) from exc
@@ -134,7 +137,7 @@ def list_of_tags(self) -> list[str]:
             )
         except SubprocessCommandError as exc:
             _raise_if_ssh_host_key_error(self._remote, exc)
-            raise
+            return []
         return [
             str(tag).strip("/\r") for tag in result.stdout.decode().split("\n") if tag
         ]
@@ -205,7 +208,11 @@ def is_svn(self) -> bool:
         """Check if is SVN."""
         try:
             with in_directory(self._path):
-                run_on_cmdline(logger, ["svn", "info", "--non-interactive"])
+                run_on_cmdline(
+                    logger,
+                    ["svn", "info", "--non-interactive"],
+                    env=_extend_env_for_non_interactive_mode(),
+                )
             return True
         except (SubprocessCommandError, RuntimeError):
             return False
@@ -222,6 +229,7 @@ def externals(self) -> list[External]:
                     "svn:externals",
                     "-R",
                 ],
+                env=_extend_env_for_non_interactive_mode(),
             )
             repo_root = SvnRepo.get_info_from_target()["Repository Root"]
             return SvnRepo._parse_externals(
@@ -231,11 +239,23 @@ def externals(self) -> list[External]:
     @staticmethod
     def externals_from_url(url: str, revision: str = "") -> list[External]:
         """Get list of externals from a remote SVN URL."""
-        cmd = ["svn", "--non-interactive", "propget", "svn:externals", "-R"]
+        cmd = [
+            "svn",
+            "--non-interactive",
+            "propget",
+            "svn:externals",
+            "--depth",
+            "immediates",
+        ]
         if revision:
             cmd += ["--revision", revision]
         cmd += [url]
-        result = run_on_cmdline(logger, cmd, env=_extend_env_for_non_interactive_mode())
+        result = run_on_cmdline(
+            logger,
+            cmd,
+            env=_extend_env_for_non_interactive_mode(),
+            timeout=_EXTERNALS_QUERY_TIMEOUT,
+        )
         repo_root = SvnRepo.get_info_from_target(url)["Repository Root"]
         normalized = SvnRepo._normalize_url_prefix(result.stdout.decode(), url)
         return SvnRepo._parse_externals(normalized, repo_root)
@@ -518,7 +538,9 @@ def create_diff(
             )
 
         with in_directory(self._path):
-            patch_text = run_on_cmdline(logger, cmd).stdout
+            patch_text = run_on_cmdline(
+                logger, cmd, env=_extend_env_for_non_interactive_mode()
+            ).stdout
 
         if not patch_text.strip():
             return Patch.empty().convert_type(PatchType.SVN)
@@ -537,6 +559,7 @@ def get_username(self) -> str:
                     "author",
                     self._path,
                 ],
+                env=_extend_env_for_non_interactive_mode(),
             )
             return str(result.stdout.decode().strip())
         except SubprocessCommandError:

doc/explanation/security.rst

@@ -96,6 +96,12 @@ to reproduce a deterministic dependency state.
   allow exfiltration risks if upstream sources are compromised or intentionally
   malicious.
 
+.. note::
+
+   dfetch warns during dependency update/check operations when a project URL uses a plaintext
+   transport scheme (``http://``, ``git://``, or ``svn://``). Use ``https://``
+   or SSH (e.g. ``svn+ssh://``) to protect dependency fetches against interception.
+
 Threat Models
 -------------
 

doc/explanation/threat_model_usage.rst

@@ -721,7 +721,7 @@ Asset Identification
      - Process
      - High / High / High
    * - A-26: SVN Export (svn export)
-     - Runs ``svn export --non-interactive --force`` to check out SVN dependencies.  The ``--ignore-externals`` flag is NOT passed.  SVN repositories with ``svn:externals`` properties will trigger additional fetches from third-party SVN servers not declared in ``dfetch.yaml``.  After export, ``SvnSubProject._fetch_externals()`` queries the externals list and records each one as a ``Dependency`` with ``source_type='svn-external'`` — mirroring the metadata tracking that git submodules receive.  These fetches bypass dfetch's manifest controls: no integrity hash and no code review of the external URL (the URL comes from the upstream repository, not from ``dfetch.yaml``).
+     - Runs ``svn export --non-interactive --force`` to check out SVN dependencies.  For ``svn+ssh://`` URLs the ``SVN_SSH`` environment variable is extended with ``-o BatchMode=yes`` so the SSH client does not prompt for a host-key confirmation (``_extend_env_for_non_interactive_mode()``, ``dfetch/vcs/svn.py``).  The ``--ignore-externals`` flag is NOT passed.  SVN repositories with ``svn:externals`` properties will trigger additional fetches from third-party SVN servers not declared in ``dfetch.yaml``.  After export, ``SvnSubProject._fetch_externals()`` queries the externals list and records each one as a ``Dependency`` with ``source_type='svn-external'`` — mirroring the metadata tracking that git submodules receive.  These fetches bypass dfetch's manifest controls: no integrity hash and no code review of the external URL (the URL comes from the upstream repository, not from ``dfetch.yaml``).
      - Process
      - High / High / High
    * - A-27: Git Clone (git init / fetch / checkout)
@@ -1620,8 +1620,8 @@ Threats
      - | **Sev:** 🟠H
        | **Risk:** 🟠H
        | **STRIDE:** T I
-       | **Status:** Accept
-     - dfetch accepts ``http://``, ``svn://``, and other non-TLS scheme URLs; HTTPS enforcement is the manifest author's responsibility.  Accepted based on the **No HTTPS enforcement** assumption: HTTPS enforcement is the responsibility of the manifest author; dfetch accepts non-TLS scheme URLs as written and does not upgrade or reject them.
+       | **Status:** Mitigate
+     - C-009 emits a visible warning immediately before the VCS command when a plaintext scheme (``http://``, ``git://``, ``svn://``) is detected, with credentials redacted and ``https://`` / ``svn+ssh://`` recommended.  Detection only — dfetch does not reject or upgrade plaintext URLs; scheme selection remains the manifest author's responsibility.
    * - DFT-03
      - Path traversal in archive or patch extraction
      - A-26: SVN Export (svn export)
@@ -1660,8 +1660,8 @@ Threats
      - | **Sev:** 🟠H
        | **Risk:** 🟠H
        | **STRIDE:** T I
-       | **Status:** Accept
-     - dfetch accepts ``http://``, ``svn://``, and other non-TLS scheme URLs; HTTPS enforcement is the manifest author's responsibility.  Accepted based on the **No HTTPS enforcement** assumption: HTTPS enforcement is the responsibility of the manifest author; dfetch accepts non-TLS scheme URLs as written and does not upgrade or reject them.
+       | **Status:** Mitigate
+     - C-009 emits a visible warning immediately before the VCS command when a plaintext scheme (``http://``, ``git://``, ``svn://``) is detected, with credentials redacted and ``https://`` / ``svn+ssh://`` recommended.  Detection only — dfetch does not reject or upgrade plaintext URLs; scheme selection remains the manifest author's responsibility.
 
 
 Controls
@@ -1699,7 +1699,7 @@ Controls
    * - C-006
      - Non-interactive VCS
      - DFT-06
-     - ``GIT_TERMINAL_PROMPT=0``, ``BatchMode=yes`` for Git; ``--non-interactive`` for SVN.  Credential prompts are suppressed to prevent interactive hijacking in CI.  ``dfetch/vcs/git.py, dfetch/vcs/svn.py``
+     - ``GIT_TERMINAL_PROMPT=0``, ``BatchMode=yes`` for Git; ``--non-interactive`` for SVN.  For ``svn+ssh://`` connections, the ``SVN_SSH`` environment variable is extended with ``-o BatchMode=yes`` (via ``_extend_env_for_non_interactive_mode()`` in ``dfetch/vcs/svn.py``) to prevent the SSH client from prompting for a host-key confirmation and hanging the process.  Credential prompts are suppressed to prevent interactive hijacking in CI.  ``dfetch/vcs/git.py, dfetch/vcs/svn.py``
    * - C-007
      - Subprocess safety
      - DFT-06
@@ -1708,6 +1708,10 @@ Controls
      - Manifest input validation
      - DFT-04, DFT-08
      - StrictYAML schema with ``SAFE_STR = Regex(r"^[^\x00-\x1F\x7F-\x9F]*$")`` rejects control characters in all string fields.  ``dfetch/manifest/schema.py``
+   * - C-009
+     - Plaintext transport detection
+     - DFT-26
+     - ``plaintext_warning()`` (``dfetch/manifest/project.py``) inspects the resolved remote URL immediately before each VCS command is issued (inside the ``check_for_update`` and ``update`` spinners in ``subproject.py``).  If the scheme is ``http://``, ``git://``, or ``svn://``, a visible warning is emitted naming the redacted URL (credentials stripped from the userinfo component) and recommending ``https://`` or ``svn+ssh://``.  Detection only — dfetch still proceeds with the plaintext connection; the control raises user awareness but does not enforce scheme selection.  ``dfetch/manifest/project.py, dfetch/project/subproject.py``
    * - C-034
      - Hash algorithm allowlist (SHA-256/384/512 only)
      - DFT-30

example/dfetch.yaml

@@ -7,7 +7,7 @@ manifest:
     default: true                                                 # Set it as default
 
   - name: sourceforge
-    url-base: svn+ssh://svn.code.sf.net/p/
+    url-base: svn://svn.code.sf.net/p/
 
   projects:
 

features/check-svn-repo.feature

@@ -11,7 +11,7 @@ Feature: Checking dependencies from a svn repository
 
               remotes:
                 - name: cunit
-                  url-base: svn://svn.code.sf.net/p/cunit/code
+                  url-base: https://svn.code.sf.net/p/cunit/code
 
               projects:
                 - name: cunit-svn-rev-only
@@ -44,7 +44,7 @@ Feature: Checking dependencies from a svn repository
 
               remotes:
                 - name: cutter
-                  url-base: svn://svn.code.sf.net/p/cutter/svn/cutter
+                  url-base: https://svn.code.sf.net/p/cutter/svn/cutter
 
               projects:
                 - name: cutter-svn-tag
@@ -69,7 +69,7 @@ Feature: Checking dependencies from a svn repository
 
               remotes:
                 - name: cunit
-                  url-base: svn://svn.code.sf.net/p/cunit/code
+                  url-base: https://svn.code.sf.net/p/cunit/code
                   default: true
 
               projects:
@@ -152,7 +152,7 @@ Feature: Checking dependencies from a svn repository
 
               remotes:
                 - name: cutter
-                  url-base: svn://svn.code.sf.net/p/cutter/svn/cutter
+                  url-base: https://svn.code.sf.net/p/cutter/svn/cutter
 
               projects:
                 - name: cutter-svn-tag