fix: harden security, eliminate panics, remove dead code, add Dockerfile

Security: - Use constant-time password comparison (subtle crate) to prevent timing attacks - Replace permissive CORS with configurable origin-restricted CORS - Add TLS warning when password auth is used without HTTPS Bug fixes: - Convert MetaPlugin panics to anyhow::Result (get_meta_plugin, outputs_mut, options_mut) - Replace item.id.unwrap() with proper error handling across 15 call sites - Fix panic on unknown column type in list mode - Fix conflicting PIPESIZE constant (was 8192 vs 65536, now unified to 8192) - Add 256MB filter chain buffer limit to prevent OOM - Gracefully skip unregistered plugins instead of panicking Dead code removal: - Delete unused filter parser files (filter_parser.rs, filter.pest, parser/ module) - ~260 lines of dead PEG parser code removed Code consolidation: - Add is_content_binary_from_metadata() helper (was duplicated in 4 places) - Simplify save_item_raw() to delegate to save_item_raw_streaming() (~90 lines removed) Incomplete features: - Populate filter_plugins in status output from global registry - Add FallbackMagicFileMetaPlugin (was referenced but never implemented) - Document init_plugins() as intentional no-op Infrastructure: - Add Dockerfile (static musl binary on scratch, 4.8MB) - Add .dockerignore - Add cors_origin to ServerConfig and config.rs
2026-03-13 07:57:36 -03:00
parent bee980605f
commit b166477202
43 changed files with 561 additions and 687 deletions
--- a/src/services/meta_service.rs
+++ b/src/services/meta_service.rs
@@ -21,7 +21,7 @@ impl MetaService {
        // Create plugins with their configuration
        let meta_plugins: Vec<Box<dyn MetaPlugin>> = meta_plugin_types
            .iter()
-            .map(|meta_plugin_type| {
+            .filter_map(|meta_plugin_type| {
                debug!("META_SERVICE: Creating plugin: {meta_plugin_type:?}");

                // Get the plugin name using strum's Display implementation
@@ -52,7 +52,13 @@ impl MetaService {
                    (None, None)
                };

-                crate::meta_plugin::get_meta_plugin(meta_plugin_type.clone(), options, outputs)
+                match crate::meta_plugin::get_meta_plugin(meta_plugin_type.clone(), options, outputs) {
+                    Ok(plugin) => Some(plugin),
+                    Err(e) => {
+                        log::warn!("META_SERVICE: Failed to create plugin {meta_plugin_type:?}: {e}, skipping");
+                        None
+                    }
+                }
            })
            .collect();