Felix Förtsch
be6593094e
All checks were successful
Build and Push Docker Image / build (push) Successful in 2m45s
Client changes paired with the earlier /groups endpoint: - Types: drop review[]/reviewTotal from PipelineData, add ReviewGroup and ReviewGroupsResponse. - PipelinePage: parallel-fetch /pipeline and /groups?offset=0&limit=25. - ReviewColumn: IntersectionObserver on a sentinel div fetches the next page when it scrolls into view. No more "Showing first N of M" banner — the column loads lazily until hasMore is false. - SeriesCard: when a series has pending work in >1 season, render collapsible season sub-groups each with an "Approve season" button wired to POST /season/:key/:season/approve-all. Rename the series button from "Approve all" to "Approve series" for clarity. v2026.04.15.3 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
3.2 KiB
3.2 KiB
Security & Reliability Audit (2026-04-15)
Scope
Reviewed server and client codepaths with focus on:
- exposed attack surface
- secret handling
- destructive endpoints
- job execution safety
- input validation consistency
Findings (Highest Severity First)
1. Critical: Real service credentials are committed in the repository
- Evidence:
.env.development:6(JELLYFIN_API_KEY=...).env.development:10(RADARR_API_KEY=...).env.development:15(SONARR_API_KEY=...)
- Impact:
- Anyone with repository access can use these keys against the referenced services.
- Secrets are now considered compromised and must be rotated.
- Fix:
- Rotate all exposed API keys immediately.
- Remove
.env.developmentfrom Git history or sanitize it. - Keep only
.env.examplein version control.
2. High: No authentication/authorization on privileged API routes
- Evidence:
server/index.tsx:37toserver/index.tsx:43mounts all admin routes without auth middleware.- Destructive/control endpoints are publicly callable by any client that can reach port 3000, e.g.:
server/api/settings.ts:204(POST /api/settings/reset)server/api/settings.ts:183(POST /api/settings/clear-scan)server/api/execute.ts:150(POST /api/execute/start)server/api/execute.ts:209(POST /api/execute/stop)
- Impact:
- Unauthorized users can start/stop jobs, wipe state, and alter processing behavior.
- In containerized deployments with published ports, this is remotely exploitable on the network.
- Fix:
- Add auth middleware at
/api/*(at minimum: token-based admin auth). - Gate destructive routes with explicit admin authorization checks.
- Add auth middleware at
3. High: Settings endpoint leaks secrets in cleartext
- Evidence:
server/api/settings.ts:11toserver/api/settings.ts:15returnsgetAllConfig()directly.getAllConfig()includes API keys and passwords from DB/env viaserver/db/index.ts:123toserver/db/index.ts:134.
- Impact:
- Any caller with API access can retrieve Jellyfin/Radarr/Sonarr API keys and MQTT password.
- Fix:
- Redact secrets in responses (e.g.
***with optional last-4 chars). - Add a separate write-only secret update flow.
- Redact secrets in responses (e.g.
4. Medium: Inconsistent route ID validation in execute API
- Evidence:
server/lib/validate.ts:8provides strict numericparseId.server/api/execute.ts:142defines a looser local parser usingNumber.parseInt.
- Impact:
- Values like
"12abc"are accepted as ID12on execute routes, which can target unintended jobs.
- Values like
- Fix:
- Reuse
server/lib/validate.tsparseIdinserver/api/execute.ts. - Add route tests for mixed alphanumeric IDs (
"42abc","+1", etc.).
- Reuse
Testing & Verification Gaps
- Could not run
bun test/bun lintin this environment becausebunis not installed. - Existing tests cover some parser behavior in
server/lib/__tests__/validate.test.ts, but execute-route param parsing has no dedicated regression test.
Recommended Remediation Order
- Rotate leaked credentials and sanitize repository history.
- Introduce API authentication and enforce it on all
/api/*routes. - Redact secret fields from settings responses.
- Replace execute-local
parseIdwith shared strict validator and add tests.