nevaforget/sshfs_connect
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

refactor: harden ssh_config handling, mount path, and CLI UX from audit findings
Update PKGBUILD version / update-pkgver (push) Successful in 3s
Details

Browse Source 
Three rounds of audit-driven hardening, fully documented in DECISIONS.md:

- argv hardening: validate HostName/User/IdentityFile via allowlist regexes,
  parse Port via strconv.Atoi, surface ssh_config parse errors instead of
  silently swallowing them. Switch -o kernel_cache to auto_cache for network-
  FS correctness, pin StrictHostKeyChecking=accept-new.
- LOW-severity cleanup: -v verbose flag (default output is just the mount
  path), run_editor returns errors and main exits 7 on failure, ABOUTME
  headers, golang.org/x/sys v0.43.0 (go 1.25.0).
- Defense-in-depth + UX: rxIdentityFile first-character anchor rejects
  leading "-"/"."/":"/etc., verify_mount_dir resolves base via EvalSymlinks
  and refuses pre-existing symlinks at the mount path, flag.Usage shows the
  positional <Host> argument, run_editor uses cmd.Start() so cold-start
  Sublime does not block the terminal.
- CI: empty-PKGVER guard in update-pkgver workflow.
- Tests: verify_mount_dir path-traversal + symlink-reject coverage,
  rxHostUser/rxIdentityFile boundary cases.
This commit is contained in:
nevaforget
2026-04-26 11:24:45 +02:00
parent 967d5d74cc
commit d01a358f35
7 changed files with 350 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+9 -5
View File
@@ -22,7 +22,7 @@ install -Dm755 sshfsc /usr/local/bin/sshfsc
# Dependencies
- [SSHFS](https://wiki.archlinux.org/title/SSHFS)
- [Go](https://wiki.archlinux.org/title/Go) (build-time)
- [Go](https://wiki.archlinux.org/title/Go) >= 1.25 (build-time)
# Usage
@@ -32,11 +32,15 @@ sshfsc <Host>
## Arguments
| Flag | Description |
| ------------- | ------------- |
| -e | open mountpoint in your editor |
| Flag | Description |
| ---- | ----------- |
| `-e` | open mountpoint in your editor |
| `-v` | verbose: print resolved ssh_config fields (HostName, User, Port, IdentityFile) |
Editor Sublime-Text (subl) is currently hardcoded. [See](https://gitea.moonarch.de/nevaforget/sshfs_connect/issues/1)
By default only the resolved mount path is printed. Use `-v` for the full
ssh_config dump.
Editor Sublime-Text (`subl`) is currently hardcoded. [See](https://gitea.moonarch.de/nevaforget/sshfs_connect/issues/1)
# Example ssh config