PyPI - sdev - Versions diffs - 1.0.1__tar.gz → 1.0.3__tar.gz - Mend

sdev 1.0.1tar.gz → 1.0.3tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (34) hide show

{sdev-1.0.1 → sdev-1.0.3}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: sdev
-Version: 1.0.1
+Version: 1.0.3
 Summary: Small toolkit for automating a serial-attached Linux shell
 Author-email: klrc <1440698245@qq.com>
 License-Expression: MIT

{sdev-1.0.1 → sdev-1.0.3}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "sdev"
-version = "1.0.1"
+version = "1.0.3"
 description = "Small toolkit for automating a serial-attached Linux shell"
 readme = "README.md"
 license = "MIT"

{sdev-1.0.1 → sdev-1.0.3}/sdev/__init__.py RENAMED Viewed

@@ -21,13 +21,14 @@ CLI::
 from __future__ import annotations
-__version__ = "1.0.1"
+__version__ = "1.0.3"
 import time
 import re
 import os
 import sys
 import glob
+import shlex
 import serial
 import threading
 from pathlib import Path
@@ -83,6 +84,9 @@ CONFIG_FILE = CONFIG_DIR / "defaults.json"
 MAX_BUFFER_SIZE = 65536  # 64KB
 TRIM_BUFFER_SIZE = 32768  # Keep last 32KB after trim
+NETWORK_GUARD_MARKER = "[sdev network guard]"
+_NETWORK_GUARD_DISABLE_VALUES = {"0", "false", "False", "no", "NO", "off", "OFF"}
 # ---------------------------------------------------------------------------
 # Data types
@@ -154,6 +158,113 @@ def _prompt_detected(buf: bytes) -> bool:
     return False
+_RISKY_NETWORK_RE = re.compile(
+    r"""
+    (?:
+        ifconfig\s+\S+\s+(?:down|up|hw\s+ether|(?:\d{1,3}\.){3}\d{1,3}|netmask)
+      | ip\s+(?:addr|address|link|route)\b[^\n;&|]*\b(?:add|del|delete|flush|set|replace|change|down|up)\b
+      | route\s+(?:add|del|delete)\b
+      | udhcpc\b
+      | dhclient\b
+      | nmcli\b
+      | netplan\s+apply\b
+      | /etc/init\.d/network(?:ing)?\b
+      | service\s+network(?:ing)?\b
+      | systemctl\s+(?:restart|reload|stop|start)\s+network(?:ing)?\b
+    )
+    """,
+    re.VERBOSE,
+)
+_GLOBAL_NETWORK_RE = re.compile(
+    r"""
+    \b(
+        ip\s+route\s+(?:flush|replace|change|del|delete)\b
+      | route\s+(?:add|del|delete)\b
+      | udhcpc\b
+      | dhclient\b
+      | nmcli\b
+      | netplan\s+apply\b
+      | /etc/init\.d/network(?:ing)?\b
+      | service\s+network(?:ing)?\b
+      | systemctl\s+(?:restart|reload|stop|start)\s+network(?:ing)?\b
+    )
+    """,
+    re.VERBOSE,
+)
+def _extract_network_ifaces(command: str) -> set[str]:
+    """Best-effort extraction of interfaces modified by a shell command."""
+    ifaces: set[str] = set()
+    iface = r"([A-Za-z0-9_.:-]+)"
+    patterns = [
+        rf"\bifconfig\s+{iface}\s+(?:down|up|hw\s+ether|(?:\d{{1,3}}\.){{3}}\d{{1,3}}|netmask)",
+        rf"\bip\s+link\s+set\s+(?:dev\s+)?{iface}\b",
+        rf"\bip\s+(?:addr|address)\b[^\n;&|]*\bdev\s+{iface}\b",
+        rf"\bip\s+route\b[^\n;&|]*\bdev\s+{iface}\b",
+        rf"\budhcpc\b[^\n;&|]*\s-i\s*{iface}\b",
+        rf"\bdhclient\b[^\n;&|]*\s{iface}\b",
+    ]
+    for pattern in patterns:
+        for match in re.finditer(pattern, command):
+            value = match.group(1)
+            if value and not value.startswith("$"):
+                ifaces.add(value)
+    return ifaces
+def _network_guard_enabled(network_guard: Optional[bool]) -> bool:
+    if network_guard is not None:
+        return network_guard
+    return os.environ.get("SDEV_NETWORK_GUARD", "1") not in _NETWORK_GUARD_DISABLE_VALUES
+def _guard_network_command(command: str, network_guard: Optional[bool]) -> str:
+    """Wrap risky network mutations with an NFS-route preflight."""
+    if not _network_guard_enabled(network_guard):
+        return command
+    if not _RISKY_NETWORK_RE.search(command):
+        return command
+    ifaces = sorted(_extract_network_ifaces(command))
+    global_risk = _GLOBAL_NETWORK_RE.search(command) is not None or not ifaces
+    iface_words = " ".join(ifaces)
+    return f"""__sdev_cmd={shlex.quote(command)}
+__sdev_ifaces={shlex.quote(iface_words)}
+__sdev_global={1 if global_risk else 0}
+cd / || exit 125
+__sdev_block=
+__sdev_details=
+while read -r __sdev_spec __sdev_mp __sdev_fstype __sdev_rest; do
+    case "$__sdev_fstype" in
+        nfs|nfs4)
+            __sdev_server="${{__sdev_spec%%:*}}"
+            __sdev_route="$(ip route get "$__sdev_server" 2>/dev/null || true)"
+            __sdev_dev="$(printf '%s\\n' "$__sdev_route" | sed -n 's/.* dev \\([^ ]*\\).*/\\1/p' | head -n 1)"
+            [ -n "$__sdev_dev" ] || continue
+            __sdev_details="$__sdev_details ${{__sdev_spec}} via ${{__sdev_dev}};"
+            if [ "$__sdev_global" = 1 ]; then
+                __sdev_block="network command may disrupt NFS mount(s)"
+            else
+                case " $__sdev_ifaces " in
+                    *" $__sdev_dev "*) __sdev_block="target interface $__sdev_dev carries NFS" ;;
+                esac
+            fi
+            ;;
+    esac
+done < /proc/mounts
+if [ -n "$__sdev_block" ]; then
+    printf '%s refusing to run: %s. NFS route(s):%s Command: %s\\n' \\
+        {shlex.quote(NETWORK_GUARD_MARKER)} "$__sdev_block" "$__sdev_details" "$__sdev_cmd"
+    printf '%s\\n' 'Use network_guard=False or SDEV_NETWORK_GUARD=0 only if this network change is intentional.'
+    exit 125
+fi
+eval "$__sdev_cmd"
+"""
 # ---------------------------------------------------------------------------
 # SerialSession — explicit connection object (issue #3)
 # ---------------------------------------------------------------------------
@@ -459,6 +570,8 @@ class SerialSession:
         command: str,
         timeout: Optional[float] = None,
         end_flag: Optional[str] = None,
+        *,
+        network_guard: Optional[bool] = None,
     ) -> SerialResult:
         """Send *command* over serial and return its output.
@@ -468,13 +581,22 @@ class SerialSession:
         *end_flag*: a specific string to wait for instead of (or before) a
         shell prompt.  Useful for commands that keep running after producing
         their result (e.g. benchmarks that print "Frame rate: ...").
+        *network_guard*: when enabled (default), risky network mutations are
+        refused if they could disconnect a currently mounted NFS filesystem.
         """
         if not self._lock.acquire(timeout=10):
             raise RuntimeError(
                 "Serial port is busy — another command is in progress on this session."
             )
         try:
-            return self._cli_impl(command, timeout, end_flag)
+            guarded_command = _guard_network_command(command, network_guard)
+            return self._cli_impl(
+                guarded_command,
+                timeout,
+                end_flag,
+                display_command=command,
+            )
         finally:
             self._lock.release()
@@ -483,6 +605,7 @@ class SerialSession:
         command: str,
         timeout: Optional[float],
         end_flag: Optional[str],
+        display_command: Optional[str] = None,
     ) -> SerialResult:
         ser = self._ensure_open()
         deadline = timeout or DEFAULT_TIMEOUT
@@ -507,7 +630,7 @@ class SerialSession:
                 chunk = ser.read(4096)
             except serial.SerialException as exc:
                 return SerialResult(
-                    command=command,
+                    command=display_command or command,
                     output=f"[sdev] serial error: {exc}",
                     timed_out=True,
                     elapsed=round(time.monotonic() - start, 2),
@@ -532,7 +655,7 @@ class SerialSession:
         clean = _strip_echo(clean, command)
         clean = _strip_prompt_instance(clean, self._prompts)
         return SerialResult(
-            command=command,
+            command=display_command or command,
             output=clean.decode(errors="replace"),
             timed_out=timed_out,
             elapsed=round(elapsed, 2),
@@ -753,9 +876,11 @@ def cli(
     command: str,
     timeout: Optional[float] = None,
     end_flag: Optional[str] = None,
+    *,
+    network_guard: Optional[bool] = None,
 ) -> SerialResult:
     """Send *command* over the default connection and return output."""
-    return _default_session.cli(command, timeout, end_flag)
+    return _default_session.cli(command, timeout, end_flag, network_guard=network_guard)
 def run(

{sdev-1.0.1 → sdev-1.0.3}/sdev.egg-info/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: sdev
-Version: 1.0.1
+Version: 1.0.3
 Summary: Small toolkit for automating a serial-attached Linux shell
 Author-email: klrc <1440698245@qq.com>
 License-Expression: MIT

{sdev-1.0.1 → sdev-1.0.3}/tests/test_adversarial_api_edge.py RENAMED Viewed

@@ -55,7 +55,7 @@ class TestModuleLevelAPIDelegation(unittest.TestCase):
         with patch.object(sdev, "_default_session") as mock_sess:
             mock_sess.cli.return_value = mock_result
             result = sdev.cli("echo hi")
-            mock_sess.cli.assert_called_once_with("echo hi", None, None)
+            mock_sess.cli.assert_called_once_with("echo hi", None, None, network_guard=None)
             self.assertEqual(result.output, "hi\n")
     def test_module_stream_delegates(self):

{sdev-1.0.1 → sdev-1.0.3}/tests/test_cli_integration.py RENAMED Viewed

@@ -324,7 +324,7 @@ class TestModuleLevelAPI(unittest.TestCase):
         with patch.object(sdev, "_default_session", mock_sess):
             result = sdev.cli("echo x", timeout=5)
-        mock_sess.cli.assert_called_once_with("echo x", 5, None)
+        mock_sess.cli.assert_called_once_with("echo x", 5, None, network_guard=None)
         self.assertEqual(result.output, "x\n")
     def test_module_cli_passes_end_flag(self):
@@ -336,7 +336,7 @@ class TestModuleLevelAPI(unittest.TestCase):
         with patch.object(sdev, "_default_session", mock_sess):
             sdev.cli("bench", end_flag="Frame rate:")
-        mock_sess.cli.assert_called_once_with("bench", None, "Frame rate:")
+        mock_sess.cli.assert_called_once_with("bench", None, "Frame rate:", network_guard=None)
     def test_module_connect_delegates(self):
         """sdev.connect() should call default session's connect()."""

{sdev-1.0.1 → sdev-1.0.3}/tests/test_sdev.py RENAMED Viewed

@@ -119,6 +119,62 @@ class TestSerialSession(unittest.TestCase):
         self.assertTrue(result.timed_out)
         self.assertGreater(result.elapsed, 0.15)
+    def test_cli_leaves_non_network_command_unwrapped(self):
+        mock_ser = MagicMock()
+        mock_ser.is_open = True
+        mock_ser.read.side_effect = [b"hello\n# ", b""]
+        sess = sdev.SerialSession()
+        sess._connection = mock_ser
+        result = sess.cli("echo hello")
+        self.assertEqual(result.command, "echo hello")
+        mock_ser.write.assert_called_once_with(b"echo hello\n")
+    def test_cli_wraps_risky_network_command(self):
+        mock_ser = MagicMock()
+        mock_ser.is_open = True
+        mock_ser.read.side_effect = [
+            (
+                b"[sdev network guard] refusing to run: target interface eth0 "
+                b"carries NFS. NFS route(s): 192.168.1.11:/nfs via eth0; "
+                b"Command: ifconfig eth0 down\n"
+                b"Use network_guard=False or SDEV_NETWORK_GUARD=0 only if this "
+                b"network change is intentional.\n# "
+            ),
+            b"",
+        ]
+        sess = sdev.SerialSession()
+        sess._connection = mock_ser
+        result = sess.cli("ifconfig eth0 down")
+        sent = mock_ser.write.call_args.args[0].decode()
+        self.assertEqual(result.command, "ifconfig eth0 down")
+        self.assertIn("cd / || exit 125", sent)
+        self.assertIn("/proc/mounts", sent)
+        self.assertIn("ip route get", sent)
+        self.assertIn("ifconfig eth0 down", sent)
+        self.assertIn("[sdev network guard] refusing to run", result.output)
+        self.assertIn("target interface eth0 carries NFS", result.output)
+    def test_cli_network_guard_can_be_disabled_per_call(self):
+        mock_ser = MagicMock()
+        mock_ser.is_open = True
+        mock_ser.read.side_effect = [b"ok\n# ", b""]
+        sess = sdev.SerialSession()
+        sess._connection = mock_ser
+        sess.cli("ifconfig eth0 down", network_guard=False)
+        mock_ser.write.assert_called_once_with(b"ifconfig eth0 down\n")
+    def test_variable_iface_network_command_is_guarded_globally(self):
+        command = 'for iface in eth0 eth1; do ifconfig $iface down; done'
+        wrapped = sdev._guard_network_command(command, network_guard=True)
+        self.assertIn("__sdev_global=1", wrapped)
+        self.assertIn("network command may disrupt NFS mount(s)", wrapped)
     def test_stream_yields_chunks(self):
         mock_ser = MagicMock()
         mock_ser.is_open = True