fix: warn when sudo password is ignored outside exec by inureyes · Pull Request #202 · lablup/bssh

inureyes · 2026-05-15T08:14:02Z

Summary

Follow-up to fix: collect --password once up-front and honor -S consistently across subcommands #201 / fix: collect --password once up-front instead of per-connection; honor -S consistently across subcommands #200 after review of the merged implementation.
Warn for -S on interactive shells, where automatic sudo-response injection is not implemented and the flag was previously silently ignored.
Avoid collecting --password in dispatcher paths that do not create SSH connections (list, cache-stats) if dispatch_command() is called directly.
Add dispatcher unit tests covering sudo/SSH password applicability decisions.

Review Notes

Correctness: fix: collect --password once up-front and honor -S consistently across subcommands #201 correctly hoists SSH password collection and threads Arc<Password> through exec, ping, SFTP, interactive, jump-host, and legacy command paths. This PR closes the remaining applicability gap for ignored flags.
Security: no new secret logging or command execution surface is introduced. The change reduces unnecessary secret collection on local-only paths.
Performance: no hot-path overhead beyond small boolean helper checks before dispatch.

Test Plan

cargo test --bin bssh dispatcher::tests
cargo test --lib security::password
cargo test --lib ssh::auth
cargo test --lib jump::chain
cargo test --lib
cargo test --bin bssh
cargo fmt --all -- --check
cargo check --lib --bins --tests
cargo clippy --lib --bins --tests -- -D warnings

Tighten the issue #200 follow-up so -S is treated as applicable only for exec paths that can actually inject sudo responses. Interactive shells now warn instead of silently ignoring the flag, and local-only dispatcher paths avoid collecting an unused SSH password. Tests cover the sudo and SSH password applicability helpers for exec, interactive, ping, list, and cache-stat paths.

Remove an unnecessary into_iter call in the internal SFTP crate so the repository-level CI command cargo clippy -- -D warnings passes on the newer clippy version used by GitHub Actions.

inureyes · 2026-05-15T08:31:13Z

Review / Finalization Summary

Scope Reviewed

Reviewed merged fix: collect --password once up-front and honor -S consistently across subcommands #201 against issue fix: collect --password once up-front instead of per-connection; honor -S consistently across subcommands #200 acceptance criteria: single up-front --password collection, shared password propagation through exec/ping/SFTP/interactive/jump-host paths, BSSH_PASSWORD handling, and -S ignored-flag behavior.
Verified the implementation uses Password backed by secrecy::SecretString, redacts debug output at the wrapper layer, and threads credentials via Arc<Password> instead of prompting inside parallel per-node tasks.

Findings

Correctness gap fixed here: -S was still silently ignored for interactive shells / SSH-mode no-command sessions, because sudo response injection only exists in exec streaming paths.
Defensive cleanup fixed here: local-only dispatcher paths now avoid collecting an unused --password if dispatch_command() is invoked directly for list or cache-stats.
CI-only issue fixed here: GitHub Actions uses a newer clippy that rejects an existing .chain(files.into_iter()) in the internal SFTP crate; the no-op conversion was removed.

Security Review

No new credential logging or command execution surface introduced.
The follow-up reduces unnecessary secret collection on local-only paths.
Existing BSSH_PASSWORD env-var behavior remains documented as automation-only and discouraged for production.

Performance Review

Dispatcher changes are constant-time flag checks before command routing.
SFTP clippy fix is behavior-preserving and allocation-neutral.

Validation

cargo test --bin bssh dispatcher::tests: passed
cargo test --lib security::password: passed
cargo test --lib ssh::auth: passed
cargo test --lib jump::chain: passed
cargo test --lib: passed (1233 passed, 9 ignored)
cargo test --bin bssh: passed (51 passed)
cargo fmt --all -- --check: passed
cargo check --lib --bins --tests: passed
cargo clippy --lib --bins --tests -- -D warnings: passed
cargo clippy -- -D warnings: passed
cargo test -p bssh-russh-sftp --lib: passed (5 passed)
cargo test --tests --verbose -- --skip integration_test: passed
GitHub Actions CI: passed
GitHub license/cla: passed

Remaining Risk

No unresolved review findings remain for fix: collect --password once up-front instead of per-connection; honor -S consistently across subcommands #200 / fix: collect --password once up-front and honor -S consistently across subcommands #201 follow-up.

inureyes added 2 commits May 15, 2026 17:13

fix: satisfy workspace clippy on CI

c16f2e3

Remove an unnecessary into_iter call in the internal SFTP crate so the repository-level CI command cargo clippy -- -D warnings passes on the newer clippy version used by GitHub Actions.

inureyes merged commit ddef3aa into main May 15, 2026
2 checks passed

inureyes deleted the fix/issue-200-sudo-interactive-warning branch May 15, 2026 08:31

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: warn when sudo password is ignored outside exec#202

fix: warn when sudo password is ignored outside exec#202
inureyes merged 2 commits into
mainfrom
fix/issue-200-sudo-interactive-warning

inureyes commented May 15, 2026

Uh oh!

inureyes commented May 15, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

inureyes commented May 15, 2026

Summary

Review Notes

Test Plan

Uh oh!

inureyes commented May 15, 2026

Review / Finalization Summary

Scope Reviewed

Findings

Security Review

Performance Review

Validation

Remaining Risk

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant