fix: harden security, eliminate panics, remove dead code, add Dockerfile

Security: - Use constant-time password comparison (subtle crate) to prevent timing attacks - Replace permissive CORS with configurable origin-restricted CORS - Add TLS warning when password auth is used without HTTPS Bug fixes: - Convert MetaPlugin panics to anyhow::Result (get_meta_plugin, outputs_mut, options_mut) - Replace item.id.unwrap() with proper error handling across 15 call sites - Fix panic on unknown column type in list mode - Fix conflicting PIPESIZE constant (was 8192 vs 65536, now unified to 8192) - Add 256MB filter chain buffer limit to prevent OOM - Gracefully skip unregistered plugins instead of panicking Dead code removal: - Delete unused filter parser files (filter_parser.rs, filter.pest, parser/ module) - ~260 lines of dead PEG parser code removed Code consolidation: - Add is_content_binary_from_metadata() helper (was duplicated in 4 places) - Simplify save_item_raw() to delegate to save_item_raw_streaming() (~90 lines removed) Incomplete features: - Populate filter_plugins in status output from global registry - Add FallbackMagicFileMetaPlugin (was referenced but never implemented) - Document init_plugins() as intentional no-op Infrastructure: - Add Dockerfile (static musl binary on scratch, 4.8MB) - Add .dockerignore - Add cors_origin to ServerConfig and config.rs
2026-03-13 07:57:36 -03:00
parent bee980605f
commit b166477202
43 changed files with 561 additions and 687 deletions
--- a/src/modes/info.rs
+++ b/src/modes/info.rs
@@ -1,7 +1,7 @@
 use crate::config;
 use crate::modes::common::{OutputFormat, format_size};
 use crate::services::types::ItemWithMeta;
-use anyhow::{Result, anyhow};
+use anyhow::{Context, Result, anyhow};
 use clap::Command;
 use clap::error::ErrorKind;
 use serde::{Deserialize, Serialize};
@@ -141,7 +141,7 @@ fn show_item(
    }

    let item = item_with_meta.item;
-    let item_id = item.id.unwrap();
+    let item_id = item.id.context("Item missing ID")?;
    let item_tags: Vec<String> = item_with_meta.tags.iter().map(|t| t.name.clone()).collect();

    let mut table = crate::modes::common::create_table(false);
@@ -249,7 +249,7 @@ fn show_item_structured(
    let item_tags: Vec<String> = item_with_meta.tags.iter().map(|t| t.name.clone()).collect();
    let meta_map = item_with_meta.meta_as_map();
    let item = item_with_meta.item;
-    let item_id = item.id.unwrap();
+    let item_id = item.id.context("Item missing ID")?;

    let mut item_path_buf = data_path.clone();
    item_path_buf.push(item_id.to_string());