Skip to content

fix: harden provider decode, CDN proxy, security and tests#4

Merged
phrontizo merged 2 commits into
mainfrom
codebase-review-fixes
Jun 4, 2026
Merged

fix: harden provider decode, CDN proxy, security and tests#4
phrontizo merged 2 commits into
mainfrom
codebase-review-fixes

Conversation

@phrontizo
Copy link
Copy Markdown
Owner

@phrontizo phrontizo commented Jun 4, 2026

Outcome of a full-codebase review-and-fix pass.

Real bugs fixed

  • TorBox mylist decode: tolerate size: -1 and files: null so one malformed entry no longer fails the whole library decode (caught by the live lifecycle test).
  • CDN proxy (dav_fs): reject a Range-ignoring 200 after a seek (was silently serving the wrong bytes) and an oversized whole-object 200 (was buffering the entire file into memory).
  • SEASON_RE: stop reading a pixel resolution (1920x1080) as a season number.
  • parse_rd_date: reject impossible days; NFO <premiered>: only for a valid 4-digit year.
  • delete_torrent: refuse a malformed id instead of deleting torrent 0.

Hardening / consistency

  • API tokens scrubbed from logs (.without_url()); TorBox resolve-cache size bound + 5xx retry; rate-limiter saturating_mul.
  • Clean config-error exits (TMDB_API_KEY, DB); TmdbClient::new -> Result (uniform with the other clients).
  • clean_name no longer empties a title that is a metadata word; is_short_title counts characters, not bytes.

Security

  • A dedicated review found secrets, path-traversal, injection, DoS bounds, deserialization and TLS all sound. The one finding — the unauthenticated WebDAV/CDN-proxy port published to 0.0.0.0 — is now bound to 127.0.0.1 with operator guidance.

Tests & docs

  • 161 → 179 unit tests; brittle include_str! source-string assertions replaced with behavioural tests (local-HTTP-server mocks, recording MockProvider, paused-clock concurrency) covering the repair-on-playback swap, CDN retry/invalidate, the repair non-cached branch, hash dedup, and rate-limiter serialisation.
  • README / CLAUDE / THIRD-PARTY-NOTICES brought in sync (added missing async-trait attribution, fixed stale tags, documented TorBox decode-robustness and the WebDAV auth caveat).

Verification

cargo test (179 unit), the RD integration_test/repair_integration_test and cross-provider lifecycle_test (RD and TorBox), clippy --all-targets -D warnings, and cargo fmt --check all pass locally.

🤖 Generated with Claude Code

phrontizo and others added 2 commits June 4, 2026 20:57
@phrontizo @claude
fix: harden provider decode, CDN proxy, security and tests
dd4e9de 
Outcome of a full-codebase review-and-fix pass.

Provider clients: tolerate TorBox mylist sending size:-1 / files:null so one bad entry no longer fails the whole library decode; scrub API tokens from logs (.without_url); bound the resolve cache and retry transient 5xx; refuse a malformed delete id instead of deleting torrent 0.

dav_fs CDN proxy: reject a Range-ignoring 200 after a seek (was silently serving wrong bytes) and an oversized whole-object 200 (was buffering the whole file into memory).

vfs: stop SEASON_RE reading a pixel resolution (1920x1080) as a season; validate parse_rd_date day-of-month and the NFO <premiered> year; sanitize folder names; fix find_deepest_new_dir descending past leaf files.

identification: count characters not bytes for short titles; preserve a title that is entirely a metadata word; compute each TMDB score once.

main: clean config-error exits for TMDB key and DB; TmdbClient::new returns Result like the other clients.

Security: bind the unauthenticated WebDAV/CDN-proxy port to 127.0.0.1.

Tests: 161 -> 179 unit; replaced brittle include_str source-string assertions with behavioural HTTP-mock, paused-clock concurrency, and repair-on-playback swap tests. Docs and THIRD-PARTY-NOTICES brought in sync.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@phrontizo @claude
ci: fix invalid secrets-in-if (resolve Docker Hub availability via st…
2334110 
…ep output)

The `if: ${{ secrets.DOCKERHUB_TOKEN != '' }}` guards made both workflow files invalid (the secrets context is not available in if conditions), so every run failed at 0s with a workflow-file error. Resolve the secret into a step output (secrets are allowed in env/run) and gate the Docker Hub login + tag computation on that output instead.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@phrontizo phrontizo merged commit 59781e7 into main Jun 4, 2026
6 checks passed
@phrontizo phrontizo deleted the codebase-review-fixes branch June 4, 2026 20:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@phrontizo