asf-tooling opened a new issue, #982:
URL: https://github.com/apache/tooling-trusted-releases/issues/982
**ASVS Level(s):** [L2-only]
**Description:**
### Summary
Git clone operations for source tree comparison lack explicit network
timeouts. While worker process limits provide coarse protection (300s
wall-clock timeout), hung git operations consume worker threads until the
entire worker process is killed. The `git_client.fetch()` operation has no
timeout configured.
### Details
**Affected Files and Lines:**
- `atr/tasks/checks/compare.py:170-185` - Git clone without timeout
The git clone operation can hang indefinitely on network issues, consuming
worker resources until process-level timeout kills the entire worker.
### Recommended Remediation
Wrap the `asyncio.to_thread(_clone_repo, ...)` call with
`asyncio.wait_for()` using a 120-second timeout:
```python
try:
    # Run the blocking clone in a worker thread, but bound the wait so a hung
    # network fetch returns control to the event loop instead of holding it.
    repo = await asyncio.wait_for(
        asyncio.to_thread(_clone_repo, url, target_dir),
        timeout=120  # seconds; to become the GIT_CLONE_TIMEOUT setting
    )
except asyncio.TimeoutError:
    # Log the failure and signal it to the caller with None rather than raising.
    log.error('Git clone timed out', extra={'url': url})
    return None
```
Add configuration option `GIT_CLONE_TIMEOUT` with default 120 seconds.
Handle TimeoutError and return None to indicate failure.
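The remediation as a complete, runnable wrapper, added here as an example (not the project's code): `clone_with_timeout` bounds an `asyncio.to_thread` clone with `asyncio.wait_for`, reads a hypothetical `GIT_CLONE_TIMEOUT` environment setting with the 120 s default, and returns None on timeout. The `_fast_clone` and `_hung_clone` functions are constructed stand-ins for `_clone_repo`; the demo also shows the caveat that `wait_for` releases the caller but does not free the executor thread.

```python
import asyncio
import logging
import os
import time
from typing import Any, Callable, Optional

log = logging.getLogger(__name__)


# Hypothetical GIT_CLONE_TIMEOUT setting, read from the environment with the 120 s
# default the issue recommends (the project's real config mechanism is not shown here).
def git_clone_timeout() -> float:
    return float(os.environ.get("GIT_CLONE_TIMEOUT", "120"))


async def clone_with_timeout(
    clone_fn: Callable[[str, str], Any], url: str, target_dir: str, timeout: Optional[float] = None
) -> Optional[Any]:
    """Run a blocking clone function in a worker thread, bounded by `timeout` seconds.

    Returns whatever clone_fn returns, or None when the deadline passes (the failure
    signal the issue asks for)."""
    if timeout is None:
        timeout = git_clone_timeout()
    try:
        return await asyncio.wait_for(asyncio.to_thread(clone_fn, url, target_dir), timeout=timeout)
    except asyncio.TimeoutError:
        # Caveat: wait_for cancels the awaiting task, not the thread. The event loop is
        # released and the caller gets None, but the blocked clone still occupies its
        # executor thread until git itself gives up or the worker process is killed.
        log.error("Git clone timed out", extra={"url": url, "timeout": timeout})
        return None


# Constructed stand-ins for the real _clone_repo (not the project's code).
def _fast_clone(url: str, target_dir: str) -> dict:
    return {"url": url, "dir": target_dir}


def _hung_clone(url: str, target_dir: str) -> dict:
    time.sleep(0.5)  # simulates a clone stuck on an unresponsive remote
    return {"url": url, "dir": target_dir}


def demo(clone_fn: Callable[[str, str], Any], timeout: float) -> tuple:
    """Run one clone under asyncio.run and report (result, wall-clock seconds elapsed)."""
    start = time.monotonic()
    result = asyncio.run(clone_with_timeout(clone_fn, "https://example.invalid/r.git", "/tmp/r", timeout))
    return result, time.monotonic() - start
```

`demo(_hung_clone, 0.1)` returns None once the 0.1 s deadline passes, yet `asyncio.run` still waits for the sleeping executor thread during shutdown, so the elapsed time is about 0.5 s: the caller got its failure signal, but the thread was not freed. Killing the clone itself needs a subprocess-level timeout around the git process, which this wrapper alone does not provide.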
### Acceptance Criteria
- [ ] Timeout wrapper added
- [ ] Timeout configurable
- [ ] TimeoutError handled gracefully
- [ ] Failure indicated by None return
- [ ] Integration test verifies the timeout
- [ ] Unit test verifies the fix
### References
- Source reports: L2:15.2.2.md
- Related findings: FINDING-193
- ASVS sections: 15.2.2
### Priority
High