Skip to content

feat: enforce proxy dial timeouts and improve timeout handling #98

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Oct 10, 2025
Merged

feat: enforce proxy dial timeouts and improve timeout handling #98

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
b49ada1
feat: add timeout handling and error detection for proxy connections
appleboy Oct 10, 2025
4423e56
fix: prevent goroutine leaks on proxy connections
appleboy Oct 10, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 38 additions & 1 deletion easyssh.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,11 @@ var (
defaultBufferSize = 4096
)

var (
// ErrProxyDialTimeout is returned when proxy dial connection times out
ErrProxyDialTimeout = errors.New("proxy dial timeout")
)

type Protocol string

const (
Expand Down Expand Up @@ -253,7 +258,35 @@ func (ssh_conf *MakeConfig) Connect() (*ssh.Session, *ssh.Client, error) {
return nil, nil, err
}

conn, err := proxyClient.Dial(string(ssh_conf.Protocol), net.JoinHostPort(ssh_conf.Server, ssh_conf.Port))
// Apply timeout to the connection from proxy to target server
timeout := ssh_conf.Timeout
if timeout == 0 {
timeout = defaultTimeout
}

ctx, cancel := context.WithTimeout(context.Background(), timeout)
defer cancel()

type connResult struct {
conn net.Conn
err error
}

connCh := make(chan connResult, 1)
go func() {
conn, err := proxyClient.Dial(string(ssh_conf.Protocol), net.JoinHostPort(ssh_conf.Server, ssh_conf.Port))
connCh <- connResult{conn: conn, err: err}
}()
Comment on lines 276 to 287
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

This goroutine may leak if the proxyClient.Dial call blocks indefinitely. When the select statement in the parent goroutine times out via ctx.Done(), this goroutine is not terminated and will continue running until proxyClient.Dial returns. If proxyClient.Dial never returns, the goroutine and its associated resources will be leaked.

While the underlying ssh library doesn't seem to provide a context-aware Dial method on the client, it's important to be aware of this potential resource leak.


var conn net.Conn
select {
case result := <-connCh:
conn = result.conn
err = result.err
case <-ctx.Done():
return nil, nil, fmt.Errorf("%w: %v", ErrProxyDialTimeout, ctx.Err())
}

if err != nil {
return nil, nil, err
}
Expand Down Expand Up @@ -413,6 +446,10 @@ func (ssh_conf *MakeConfig) Stream(command string, timeout ...time.Duration) (<-
func (ssh_conf *MakeConfig) Run(command string, timeout ...time.Duration) (outStr string, errStr string, isTimeout bool, err error) {
stdoutChan, stderrChan, doneChan, errChan, err := ssh_conf.Stream(command, timeout...)
if err != nil {
// Check if the error is from a proxy dial timeout
if errors.Is(err, ErrProxyDialTimeout) {
isTimeout = true
}
return outStr, errStr, isTimeout, err
}
// read from the output channel until the done signal is passed
Expand Down
115 changes: 115 additions & 0 deletions easyssh_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ package easyssh

import (
"context"
"errors"
"os"
"os/user"
"path"
Expand Down Expand Up @@ -512,3 +513,117 @@ func TestCommandTimeout(t *testing.T) {
assert.NotNil(t, err)
assert.Equal(t, "Run Command Timeout: "+context.DeadlineExceeded.Error(), err.Error())
}

// TestProxyTimeoutHandling tests that timeout is properly respected when using proxy connections
// This test uses a non-existent proxy server to force a timeout during proxy connection
func TestProxyTimeoutHandling(t *testing.T) {
ssh := &MakeConfig{
Server: "example.com",
User: "testuser",
Port: "22",
KeyPath: "./tests/.ssh/id_rsa",
Timeout: 1 * time.Second, // Short timeout for testing
Proxy: DefaultConfig{
User: "testuser",
Server: "10.255.255.1", // Non-routable IP that should timeout
Port: "22",
KeyPath: "./tests/.ssh/id_rsa",
Timeout: 1 * time.Second,
},
}

// Test Connect() method directly to test proxy connection timeout
start := time.Now()
session, client, err := ssh.Connect()
elapsed := time.Since(start)

// Should timeout within reasonable bounds
assert.True(t, elapsed < 3*time.Second, "Connection should timeout within 3 seconds, took %v", elapsed)
assert.True(t, elapsed >= 1*time.Second, "Connection should take at least 1 second (timeout value), took %v", elapsed)

// Should return nil session and client
assert.Nil(t, session)
assert.Nil(t, client)

// Should have error
assert.NotNil(t, err)
}
Comment on lines +520 to +551
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

This is a good test for proxy connection timeouts. To make it more specific, you could also assert on the content of the error message to ensure it's a timeout error as expected. For example:

assert.ErrorContains(t, err, "i/o timeout")

This would make the test more robust by verifying not just that an error occurred, but that the correct error occurred.


// TestProxyDialTimeout tests the specific scenario described in issue #93
// where proxy dial timeout should be respected and properly detected
func TestProxyDialTimeout(t *testing.T) {
ssh := &MakeConfig{
Server: "10.255.255.1", // Non-routable IP that should timeout
User: "testuser",
Port: "22",
KeyPath: "./tests/.ssh/id_rsa",
Timeout: 2 * time.Second, // Short timeout for testing
Proxy: DefaultConfig{
User: "testuser",
Server: "10.255.255.2", // Another non-routable IP for proxy
Port: "22",
KeyPath: "./tests/.ssh/id_rsa",
Timeout: 2 * time.Second,
},
}

// Test Connect() method directly to avoid SSH server dependency
start := time.Now()
session, client, err := ssh.Connect()
elapsed := time.Since(start)

// Should timeout within reasonable bounds
assert.True(t, elapsed < 5*time.Second, "Connection should timeout within 5 seconds, took %v", elapsed)
assert.True(t, elapsed >= 2*time.Second, "Connection should take at least 2 seconds (timeout value), took %v", elapsed)

// Should return nil session and client
assert.Nil(t, session)
assert.Nil(t, client)

// Should have error
assert.NotNil(t, err)
// Note: This will timeout at the proxy connection level, not at proxy dial level
// so it won't be ErrProxyDialTimeout, but we can still verify the timeout behavior
}
Comment on lines +553 to +588
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Test does not verify what its name suggests.

The test name TestProxyDialTimeout implies it validates proxy dial timeout behavior, but the comment at lines 585-586 explicitly states "This will timeout at the proxy connection level, not at proxy dial level, so it won't be ErrProxyDialTimeout". This creates confusion about what scenario is actually being tested.

Consider one of the following:

  1. Rename the test to accurately reflect what it validates (e.g., TestProxyConnectionTimeout)
  2. Or modify the test setup to actually trigger ErrProxyDialTimeout by ensuring the proxy connects successfully but fails to dial the target with the configured timeout

Apply this diff for option 1 (renaming):

-// TestProxyDialTimeout tests the specific scenario described in issue #93
-// where proxy dial timeout should be respected and properly detected
-func TestProxyDialTimeout(t *testing.T) {
+// TestProxyConnectionTimeout tests timeout behavior when connecting to proxy
+// This tests proxy connection timeout, not proxy dial timeout
+func TestProxyConnectionTimeout(t *testing.T) {

Or for option 2, modify the test to use a working proxy but non-routable target:

 	ssh := &MakeConfig{
 		Server:  "10.255.255.1", // Non-routable IP that should timeout
 		User:    "testuser",
 		Port:    "22",
 		KeyPath: "./tests/.ssh/id_rsa",
 		Timeout: 2 * time.Second, // Short timeout for testing
 		Proxy: DefaultConfig{
 			User:    "testuser",
-			Server:  "10.255.255.2", // Another non-routable IP for proxy
+			Server:  "localhost", // Use working proxy
 			Port:    "22",
 			KeyPath: "./tests/.ssh/id_rsa",
 			Timeout: 2 * time.Second,
 		},
 	}

Then update the comment and add an assertion for ErrProxyDialTimeout:

-	// Should have error
 	assert.NotNil(t, err)
-	// Note: This will timeout at the proxy connection level, not at proxy dial level
-	// so it won't be ErrProxyDialTimeout, but we can still verify the timeout behavior
+	// Should specifically be a proxy dial timeout
+	assert.ErrorIs(t, err, ErrProxyDialTimeout)


// TestProxyDialTimeoutInRun tests timeout detection in Run method
func TestProxyDialTimeoutInRun(t *testing.T) {
ssh := &MakeConfig{
Server: "example.com",
User: "testuser",
Port: "22",
KeyPath: "./tests/.ssh/id_rsa",
Timeout: 2 * time.Second,
Proxy: DefaultConfig{
User: "testuser",
Server: "127.0.0.1", // Assume localhost SSH exists
Port: "22",
KeyPath: "./tests/.ssh/id_rsa",
Timeout: 2 * time.Second,
},
}

// Mock a scenario where Connect() returns ErrProxyDialTimeout
// by temporarily changing the target to a non-routable address
ssh.Server = "10.255.255.1"

start := time.Now()
outStr, errStr, isTimeout, err := ssh.Run("whoami")
elapsed := time.Since(start)

// Should timeout within reasonable bounds
assert.True(t, elapsed < 5*time.Second, "Should timeout within 5 seconds, took %v", elapsed)

// Should return empty output
assert.Equal(t, "", outStr)
assert.Equal(t, "", errStr)

// Should have error
assert.NotNil(t, err)

// If it's specifically a proxy dial timeout, isTimeout should be true
if errors.Is(err, ErrProxyDialTimeout) {
assert.True(t, isTimeout, "isTimeout should be true for proxy dial timeout")
}
}

Loading