No timeout on claude invocations — audit can hang indefinitely #6

Closed
opened 2026-05-14 21:32:41 +02:00 by Claude · 0 comments
Collaborator

Problem

The run_audit function invokes the claude CLI without any timeout. There is no timeout wrapper, no CLAUDE_API_TIMEOUT, and no watchdog mechanism.

Location

audit.sh, lines 254–258 (Forgejo mode) and lines 270–274 (non-Forgejo mode):

echo "..." | claude $mode_args \
    --model "$CLAUDE_MODEL" \
    $CLAUDE_EXTRA_ARGS \
    --permission-mode dontAsk ... \
    2>&1 | format_stream | tee "$LOG_DIR/${log_suffix}.log"

Risk

If the Claude API becomes unreachable, returns a persistent error, or the session enters an infinite tool-call loop (e.g., due to a prompt injection causing repeated retries), the script hangs indefinitely. Because the outer loop calls run_audit synchronously, a single stuck invocation blocks all subsequent audits. In a cron-scheduled context this causes the next run to overlap with the stuck one, potentially leading to multiple hung processes consuming resources and exhausting API quota.

Suggested fix direction

Wrap the claude invocation with timeout <seconds> (e.g., timeout 1800 claude ...). Log a warning and call save_state with the pre-audit SHA when the timeout fires, so the repo is re-audited on the next run rather than silently skipped. The --max-turns flag (used with --opus) partially mitigates this but does not bound wall-clock time.

Severity

minor

Found by

Automated audit by Claude Code
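One way to implement the suggested fix direction, as an added example that is not the project's audit.sh: the claude invocation is bounded by coreutils `timeout`, and when the bound fires the pre-audit SHA is written back so the repo is re-audited next run. The variable names `CLAUDE_BIN`, `AUDIT_TIMEOUT`, `STATE_FILE` and `LOG_DIR`, and the stand-in `log_warn` and `save_state` functions, are assumptions for this example.

```shell
#!/usr/bin/env bash
# Added example, not the project's own code. Hypothetical names:
# AUDIT_TIMEOUT, CLAUDE_BIN, STATE_FILE, LOG_DIR, log_warn, save_state.
AUDIT_TIMEOUT="${AUDIT_TIMEOUT:-1800}"   # wall-clock bound in seconds
CLAUDE_BIN="${CLAUDE_BIN:-claude}"       # path to the claude CLI
STATE_FILE="${STATE_FILE:-/tmp/audit_state.txt}"
LOG_DIR="${LOG_DIR:-/tmp}"

log_warn() { printf 'WARN: %s\n' "$*" >&2; }

# save_state <repo> <sha>: stand-in for the project's save_state; records
# the SHA that the next run should treat as "last audited".
save_state() { printf '%s %s\n' "$1" "$2" >> "$STATE_FILE"; }

# run_audit_bounded <repo> <pre_audit_sha> <prompt>
# Returns 0 on success, 124 when the wall-clock bound fired (the state is
# rolled back to the pre-audit SHA), otherwise the claude exit status.
run_audit_bounded() {
  repo="$1"; pre_sha="$2"; prompt="$3"
  log_file="$LOG_DIR/$(printf '%s' "$repo" | tr '/' '_').log"
  # timeout sends TERM at the deadline and KILL 30s later (-k), so a CLI
  # that ignores TERM still cannot outlive the bound. The pipeline's exit
  # status is that of its last command, i.e. timeout itself.
  printf '%s\n' "$prompt" | timeout -k 30 "$AUDIT_TIMEOUT" \
      "$CLAUDE_BIN" --model "${CLAUDE_MODEL:-default}" \
      --permission-mode dontAsk > "$log_file" 2>&1
  rc=$?
  if [ "$rc" -eq 124 ] || [ "$rc" -eq 137 ]; then
    log_warn "audit of $repo exceeded ${AUDIT_TIMEOUT}s; resetting to $pre_sha"
    # Re-audit on the next run instead of silently skipping the repo.
    save_state "$repo" "$pre_sha"
    return 124
  fi
  return "$rc"
}
```

In a cron context the same bound also prevents the overlapping-run pile-up described under Risk, since each invocation now has a hard upper limit on its lifetime.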

bc1bb referenced this issue from a commit 2026-05-15 01:17:23 +02:00
bc1bb closed this issue 2026-05-15 01:17:23 +02:00
Reference
bc1bb/claude-code-audit#6