
fix: address clawpatch security and reliability findings #6941

Merged: WithoutPants merged 12 commits into stashapp:develop from slick-daddy:clawpatch-report on Jun 26, 2026

Conversation

@slick-daddy (Contributor)

Summary

Fixes several confirmed bugs and risk findings reported by clawpatch across the phasher CLI, stash CLI, and Makefile.

Changes

cmd/phasher/main.go

  • Return a clear error from getPaths when ffmpeg or ffprobe is not found in PATH, instead of silently passing empty strings downstream
  • Guard against empty file extension in printPhash to prevent a runtime panic on files without an extension (e.g. Makefile, README)
  • Exit with a non-zero code when any file fails during batch processing

cmd/stash/main.go

  • initProfiling now returns (*os.File, error) so the caller can close the file descriptor after pprof.StopCPUProfile; previously the fd was leaked for the entire process lifetime

internal/api/models.go

  • convertBaseFile now returns (BaseFile, error) instead of panicking on unknown file types, matching the pattern used by convertVisualFile
  • convertBaseFiles updated accordingly

Makefile

  • Fixed install target: introduced STASH_BINARY to track the actual binary name separately from the -o flag, preventing broken installs on both Unix and Windows
  • Added generate-backend as an explicit dependency of build-release to prevent race conditions under make -j

cmd/stash/main_test.go

  • Replaced empty TestStub with real tests for exitError, recoverPanic, and initLogTemp
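The two cmd/phasher fixes listed above (a clear error when ffmpeg/ffprobe is missing, and a guard against empty extensions so batch mode can finish and exit non-zero), written up as an added Go example. This is not code from this PR or from the stash project: findTools, extensionOf and processAll are hypothetical names standing in for getPaths, the printPhash extension guard and the batch loop, whose real signatures are not shown on the page. The binary names are parameters so the not-found path can be exercised without touching a real PATH.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// ErrNoExtension is returned for names such as "Makefile" or "README".
var ErrNoExtension = errors.New("file has no extension")

// findTools resolves the ffmpeg and ffprobe binaries on PATH and fails loudly
// when either is missing, instead of handing empty strings to later code.
// Hypothetical name; the PR's own function is getPaths.
func findTools(ffmpegName, ffprobeName string) (ffmpeg, ffprobe string, err error) {
	if ffmpeg, err = exec.LookPath(ffmpegName); err != nil {
		return "", "", fmt.Errorf("%s not found in PATH: %w", ffmpegName, err)
	}
	if ffprobe, err = exec.LookPath(ffprobeName); err != nil {
		return "", "", fmt.Errorf("%s not found in PATH: %w", ffprobeName, err)
	}
	return ffmpeg, ffprobe, nil
}

// extensionOf returns the lower-cased extension without its dot. The naive
// form filepath.Ext(name)[1:] panics with an index-out-of-range on names that
// have no extension at all; this is the guard the PR describes for printPhash.
func extensionOf(name string) (string, error) {
	ext := filepath.Ext(name) // "" for Makefile, README, dir.v2/README
	if ext == "" {
		return "", ErrNoExtension
	}
	return strings.ToLower(ext[1:]), nil
}

// processAll mimics batch mode: every file is attempted, failures are reported
// and counted rather than aborting the run, and the count lets main exit
// non-zero when anything failed.
func processAll(names []string) (failed int) {
	for _, name := range names {
		ext, err := extensionOf(name)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", name, err)
			failed++
			continue
		}
		fmt.Printf("%s: extension %q\n", name, ext)
	}
	return failed
}

func main() {
	if _, _, err := findTools("ffmpeg", "ffprobe"); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if failed := processAll(os.Args[1:]); failed > 0 {
		os.Exit(1) // non-zero exit when any file failed
	}
}
```

Run it as `go run . Makefile clip.mp4 README` on a machine with ffmpeg installed: the two extension-less names are reported on stderr, the run completes, and the exit status is 1 rather than a panic trace.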

- Swap defer order in main.go so f.Close() runs after pprof.StopCPUProfile()
- Revert convertBaseFile/convertBaseFiles to use panic on unknown type
  (programming error, not runtime error)
- Remove redundant generate-backend dependency from build-release
  (already fixed by stashapp#6990)
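The defer swap in the commit message above, shown as an added Go example that is not the PR's or the stash project's code. initProfiling keeps the PR's name and its (*os.File, error) shape, but its body is an assumption; profileCorrectly and profileBuggy are hypothetical helpers that put the two defer orders side by side and report how many bytes actually reached the profile file.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"runtime/pprof"
)

// initProfiling opens the profile output and starts CPU profiling, and hands
// the file back so the caller owns closing it (previously the fd was leaked
// for the whole process). Name and shape follow the PR; the body is assumed.
func initProfiling(path string) (*os.File, error) {
	f, err := os.Create(path)
	if err != nil {
		return nil, fmt.Errorf("create cpu profile: %w", err)
	}
	if err := pprof.StartCPUProfile(f); err != nil {
		f.Close()
		return nil, fmt.Errorf("start cpu profile: %w", err)
	}
	return f, nil
}

// profileCorrectly is the caller side after the swap. Deferred calls run
// last-in, first-out, so deferring Close first makes it run AFTER
// StopCPUProfile: the profiler flushes its final bytes into an open file.
// Returns the size of the written profile.
func profileCorrectly(path string, work func()) (int64, error) {
	f, err := initProfiling(path)
	if err != nil {
		return 0, err
	}
	func() {
		defer f.Close()              // registered first, runs second
		defer pprof.StopCPUProfile() // registered second, runs first
		work()
	}()
	return fileSize(path)
}

// profileBuggy has the defers the other way round: Close runs before
// StopCPUProfile, so the profiler writes to a closed descriptor. runtime/pprof
// does not surface write errors, so the file is silently left empty.
func profileBuggy(path string, work func()) (int64, error) {
	f, err := initProfiling(path)
	if err != nil {
		return 0, err
	}
	func() {
		defer pprof.StopCPUProfile() // registered first, runs second
		defer f.Close()              // registered second, runs first
		work()
	}()
	return fileSize(path)
}

func fileSize(path string) (int64, error) {
	info, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	return info.Size(), nil
}

// tempProfilePath builds a scratch path so the example runs offline.
func tempProfilePath(name string) string {
	return filepath.Join(os.TempDir(), name)
}

// busyWork gives the sampler something to record.
func busyWork() {
	x := 0
	for i := 0; i < 2_000_000; i++ {
		x += i * i
	}
	_ = x
}

func main() {
	good := tempProfilePath("stash-demo-good.pprof")
	bad := tempProfilePath("stash-demo-bad.pprof")
	defer os.Remove(good)
	defer os.Remove(bad)

	n, err := profileCorrectly(good, busyWork)
	fmt.Println("correct order wrote bytes:", n, "err:", err)
	n, err = profileBuggy(bad, busyWork)
	fmt.Println("buggy order wrote bytes:", n, "err:", err)
}
```

The design point is that the leak fix and the ordering fix are coupled: once the caller closes the file, it has to defer that close before deferring StopCPUProfile, otherwise the fd is no longer leaked but the profile is lost instead, with no error to show for it.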
slick-daddy requested a review from WithoutPants on June 11, 2026 10:26
WithoutPants added the chore (Tedious admin work or code refactoring) label on Jun 25, 2026
WithoutPants added this to the Version 0.32.0 milestone on Jun 25, 2026
WithoutPants merged commit 1a97843 into stashapp:develop on Jun 26, 2026
11 checks passed
slick-daddy deleted the clawpatch-report branch on June 26, 2026 04:54