
fix: add openssh-client for git repo test#148

Merged
lintsinghua merged 1 commit into lintsinghua:v3.0.0 from tusik:v3.0.0
Feb 9, 2026

Conversation

@tusik
Contributor

@tusik tusik commented Jan 28, 2026

User description

Fixes the missing ssh command when testing Git SSH connectivity; ssh is required to test the connection.


PR Type

Bug fix


Description

  • Add openssh-client dependency to Docker image

  • Enables SSH connectivity testing for Git repositories

  • Resolves missing SSH command in test environment


Diagram Walkthrough

flowchart LR
  A["Docker Build"] -- "missing SSH" --> B["Git SSH Test Fails"]
  C["Add openssh-client"] -- "provides ssh command" --> D["Git SSH Test Works"]

File Walkthrough

Relevant files

Bug fix: backend/Dockerfile (+1/-0)
Add openssh-client to Docker dependencies

  • Added openssh-client package to apt-get install dependencies
  • Placed between git and libpango-1.0-0 packages
  • Enables SSH command availability in Docker container for Git SSH connectivity tests

ssh is needed when testing Git SSH connectivity
@vercel

vercel Bot commented Jan 28, 2026

@tusik is attempting to deploy a commit to the tsinghuaiiilove-2257's projects Team on Vercel.

A member of the Team first needs to authorize it.

@qodo-free-for-open-source-projects

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🟢
No security concerns identified. No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
🎫 No ticket provided
  • Create ticket/issue
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed

Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status: Passed

Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed

Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed

Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status: Passed

Compliance status legend
🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

@qodo-free-for-open-source-projects

PR Code Suggestions ✨

No code suggestions found for the PR.

@lintsinghua lintsinghua reopened this Feb 9, 2026
@qodo-free-for-open-source-projects

Review Summary by Qodo

Add openssh-client package for Git SSH testing

🐞 Bug fix


Walkthroughs

Description
• Add openssh-client package to Docker image
• Enables SSH connectivity testing for Git repositories
• Resolves missing SSH command dependency in tests
Diagram
flowchart LR
  A["Docker Build"] -- "Install Dependencies" --> B["Add openssh-client"]
  B -- "Enable SSH Testing" --> C["Git SSH Connectivity"]


File Changes

1. backend/Dockerfile 🐞 Bug fix +1/-0

Add openssh-client to Docker dependencies

• Added openssh-client package to apt-get install list
• Placed between git and libpango-1.0-0 dependencies
• Enables SSH command availability for Git repository SSH connectivity tests




@lintsinghua lintsinghua merged commit 029f616 into lintsinghua:v3.0.0 Feb 9, 2026
1 check failed
@qodo-free-for-open-source-projects

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📎 Requirement gaps (0)


Remediation recommended

1. SSH host keys not pinned 🐞 Bug ⛨ Security
Description
• The runtime image now ships an SSH client, enabling the backend’s Git-over-SSH code path in
  production containers.
• The clone implementation uses StrictHostKeyChecking=accept-new, which auto-trusts the first-seen
  host key; if the network/DNS is compromised during first connect (or after known_hosts is
  cleared), an attacker can potentially MITM the clone.
• Because the codebase also supports clearing known_hosts, this “first trust” event can recur,
  increasing practical exposure.
Code

backend/Dockerfile[87]

+        openssh-client \
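Review bot: adding `openssh-client` alone makes the backend's Git-over-SSH path live in the production image without touching how that path validates host keys, so the trust-on-first-use exposure described in the evidence for this finding (StrictHostKeyChecking=accept-new with a known_hosts file that can be cleared) is now reachable rather than dormant. Pair this hunk with a pinned known_hosts shipped in the image or mounted read-only, and switch the clone command to `StrictHostKeyChecking=yes` so an unknown or changed key aborts the clone; also confirm the surrounding `apt-get install` flags (not shown in the hunk) keep the client from pulling in extra recommended packages.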
Evidence
The Dockerfile change installs openssh-client in the runtime stage, which makes the backend’s
ssh-based GIT_SSH_COMMAND cloning path work in production. That cloning path explicitly sets
StrictHostKeyChecking=accept-new and uses a writable/persisted known_hosts file that can be
cleared, re-enabling first-connect trust.

backend/Dockerfile[81-88]
backend/app/services/git_ssh_service.py[375-390]
backend/app/services/git_ssh_service.py[112-124]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The backend’s SSH clone path uses `StrictHostKeyChecking=accept-new` (trust-on-first-use). With `openssh-client` now present in the runtime image, production containers will be able to perform SSH clones, and the first connection (or any connection after `known_hosts` is cleared) may be vulnerable to MITM.

### Issue Context
- `openssh-client` is installed in the runtime image.
- SSH cloning sets `GIT_SSH_COMMAND` with `StrictHostKeyChecking=accept-new` and a writable `UserKnownHostsFile`.
- The codebase supports clearing `known_hosts`, which can re-trigger first-connect trust.

### Fix Focus Areas
- backend/app/services/git_ssh_service.py[375-390]
- backend/app/services/git_ssh_service.py[112-124]
- backend/Dockerfile[81-88]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

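The trust-on-first-use weakness the review above describes (StrictHostKeyChecking=accept-new together with a writable, clearable known_hosts) is closed by pinning the expected host keys and refusing anything else. The following Python is an added example written for this page, not code from this repository's git_ssh_service.py or Dockerfile: it writes a read-only known_hosts from pinned entries, verifies an entry against an expected SHA256 fingerprint in the form `ssh-keygen -lf` prints, emits a GIT_SSH_COMMAND that uses StrictHostKeyChecking=yes and consults only that file, and flags commands that still auto-trust unknown keys. The hostname git.example.internal and the key bytes are constructed placeholders, not a real host key.

```python
"""Pin Git SSH host keys instead of trusting them on first use (added example, not project code)."""
import base64
import hashlib
import os
import shlex
import stat
import struct
import tempfile
from typing import List, Optional, Tuple

SAMPLE_HOST = "git.example.internal"      # assumed hostname for the example, not from the project
TOFU_MODES = {"accept-new", "no", "off"}  # StrictHostKeyChecking values that auto-trust unknown keys


def sample_ed25519_blob_b64() -> str:
    """Constructed ed25519 public-key blob in OpenSSH wire format (placeholder bytes, NOT a real key)."""
    def ssh_string(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
    return base64.b64encode(blob).decode()


def ssh_fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint of a base64 key blob, formatted like `ssh-keygen -lf` (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts_line(line: str) -> Optional[Tuple[List[str], str, str]]:
    """(hosts, keytype, key_b64) for a plain entry; None for blanks, comments and @marker lines."""
    parts = line.split()
    if len(parts) < 3 or parts[0].startswith("#") or parts[0].startswith("@"):
        return None  # @revoked / @cert-authority markers and hashed hosts are out of scope here
    return parts[0].split(","), parts[1], parts[2]


def write_pinned_known_hosts(entries, directory: str) -> str:
    """Write pinned entries to known_hosts.pinned, read-only so a 'clear known_hosts' path cannot truncate it."""
    path = os.path.join(directory, "known_hosts.pinned")
    with open(path, "w", encoding="utf-8") as fh:
        for hosts, keytype, key_b64 in entries:
            fh.write(f"{','.join(hosts)} {keytype} {key_b64}\n")
    os.chmod(path, stat.S_IRUSR)
    return path


def verify_pinned_host(known_hosts_path: str, host: str, expected_fingerprint: str) -> bool:
    """True only if the pinned file has an entry for host whose key matches the expected fingerprint."""
    with open(known_hosts_path, encoding="utf-8") as fh:
        for line in fh:
            parsed = parse_known_hosts_line(line)
            if parsed and host in parsed[0]:
                return ssh_fingerprint(parsed[2]) == expected_fingerprint
    return False


def build_git_ssh_command(known_hosts_path: str, identity_file: Optional[str] = None) -> str:
    """GIT_SSH_COMMAND that refuses unknown or changed host keys and consults only the pinned file."""
    argv = [
        "ssh",
        "-o", "StrictHostKeyChecking=yes",        # unknown or changed key: abort instead of auto-trusting
        "-o", f"UserKnownHostsFile={known_hosts_path}",
        "-o", "GlobalKnownHostsFile=/dev/null",   # ignore the system-wide file so only pinned keys count
        "-o", "BatchMode=yes",                    # never prompt inside a container
        "-o", "IdentitiesOnly=yes",
    ]
    if identity_file:
        argv += ["-i", identity_file]
    return shlex.join(argv)


def host_key_checking_mode(git_ssh_command: str) -> str:
    """Effective StrictHostKeyChecking value of a command; OpenSSH defaults to 'ask' when absent."""
    mode = "ask"
    for tok in shlex.split(git_ssh_command):
        opt = tok[2:] if tok.startswith("-o") and len(tok) > 2 else tok  # accept -oK=V and -o K=V
        if opt.lower().startswith("stricthostkeychecking="):
            mode = opt.split("=", 1)[1].lower()
    return mode


def is_tofu(git_ssh_command: str) -> bool:
    """The weak configuration the review flags: first-seen host keys are trusted automatically."""
    return host_key_checking_mode(git_ssh_command) in TOFU_MODES


def is_pinned(git_ssh_command: str) -> bool:
    return host_key_checking_mode(git_ssh_command) == "yes"


def make_demo_pinned_file() -> Tuple[str, str]:
    """Create a pinned known_hosts for the sample host in a temp dir; returns (path, key_b64)."""
    key_b64 = sample_ed25519_blob_b64()
    path = write_pinned_known_hosts([([SAMPLE_HOST], "ssh-ed25519", key_b64)], tempfile.mkdtemp())
    return path, key_b64


if __name__ == "__main__":
    weak = "ssh -o StrictHostKeyChecking=accept-new -o UserKnownHostsFile=/data/known_hosts"
    path, key_b64 = make_demo_pinned_file()
    print("weak command auto-trusts host keys:", is_tofu(weak))
    print("pinned fingerprint:", ssh_fingerprint(key_b64))
    print("hardened GIT_SSH_COMMAND:", build_git_ssh_command(path, "/run/secrets/deploy_key"))
```

In a container, the pinned file would be baked into the image or mounted read-only from a secret, with the fingerprints captured once from a trusted channel (the Git host's published fingerprints, or an out-of-band `ssh-keyscan` run that an operator checked); the writable per-user known_hosts the review mentions is then never consulted, so clearing it changes nothing.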
