Harden security, rewrite docs for public release #3

Open
blackaxgit wants to merge 1 commit into main from feat/readme-license-cleanup

@blackaxgit
Owner

Summary

  • Harden application security — fix path traversal, streaming bug, add FFmpeg timeouts, input validation, error sanitization with correlation IDs
  • Harden infrastructure — Dockerfile non-root user + HEALTHCHECK, Helm NetworkPolicy, readOnlyRootFilesystem, automount disabled
  • Rewrite README with comprehensive API docs, error responses, configuration reference, accurate Helm values table, and n8n integration
  • Sanitize n8n workflow — replace real instance/webhook UUIDs with placeholder zeros
  • Add supplementary docs — CONTRIBUTING.md, .env.example, improved .gitignore

Security Fixes

| Fix | Severity | File |
|---|---|---|
| Path traversal via output_prefix | Critical | app/main.py |
| AUTO streaming mode never activating | Critical | app/main.py |
| No FFmpeg subprocess timeout (DoS) | Critical | app/main.py |
| DoS via unbounded chunk_size_mb | High | app/main.py |
| FFmpeg stderr / exception leak to client | Medium | app/main.py |
| output_format not validated | Medium | app/main.py |
| Dockerfile runs as root | Medium | Dockerfile |
| ServiceAccount token auto-mounted | High | values.yaml |
| No NetworkPolicy | High | Helm templates |
| n8n instance IDs exposed | Medium | workflow JSON |

Test plan

  • docker build -t audio-splitter:test . succeeds
  • docker run --rm audio-splitter:test id shows uid=1000(appuser)
  • curl POST /split with valid audio returns 200 with base64 chunks
  • curl POST /split -F output_prefix=../../etc/passwd sanitizes prefix
  • curl POST /split -F chunk_size_mb=0.01 returns 400 (below minimum)
  • curl POST /split -F output_format=exe -F same_as_input=false returns 400
  • Error responses contain correlation IDs, no internal paths or stderr
  • helm template renders NetworkPolicy, automount:false, readOnlyRootFilesystem:true
  • helm template --set networkPolicy.enabled=false excludes NetworkPolicy
  • No real UUIDs in n8n-test-flow/audio-splitter-workflow.json

🤖 Generated with Claude Code

Security fixes in app/main.py:
- Sanitize output_prefix to prevent path traversal
- Fix AUTO streaming mode (was always buffering entire file)
- Add FFmpeg subprocess timeouts (FFMPEG_TIMEOUT_SECONDS=300)
- Add separate ffprobe timeout (FFPROBE_TIMEOUT_SECONDS=30)
- Validate chunk_size_mb range (0.1-500) and output_format
- Cap max chunks per request (MAX_CHUNKS=1000)
- Sanitize error messages with correlation IDs (no stderr leak)
- Consolidate temp dir cleanup into finally block
- Fix realpath symlink mismatch on macOS

Infrastructure hardening:
- Dockerfile: add non-root user (appuser:1000) and HEALTHCHECK
- Helm: automount:false, readOnlyRootFilesystem:true, /tmp emptyDir
- Helm: add NetworkPolicy (ingress 8000/TCP, egress 53/UDP)
- Remove dead STREAMING_THRESHOLD_MB from all files

Documentation:
- Rewrite README with API docs, error responses, config table, Helm
  values, and accurate n8n integration instructions
- Add CONTRIBUTING.md and .env.example
- Harden .gitignore with Helm/Docker override patterns
- Sanitize n8n workflow UUIDs to placeholder zeros
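
One way the output_prefix sanitization, output_format validation and realpath fix listed above could fit together, as an added example that is not code from this pull request. The helper names, the character allow-list and the format set are assumptions.

```python
import os
import re

# Assumed values and hypothetical names; app/main.py itself is not shown on this page.
ALLOWED_FORMATS = {"mp3", "wav", "flac", "ogg"}
_UNSAFE = re.compile(r"[^A-Za-z0-9_-]")


def sanitize_prefix(raw: str, default: str = "chunk", max_len: int = 64) -> str:
    """Reduce a client-supplied prefix to a bare file-name stem."""
    # Treat both separator styles as separators and keep only the last component.
    base = raw.replace("\\", "/").rsplit("/", 1)[-1]
    # Replace everything outside the allow-list, then trim filler so "." and ".."
    # collapse to the default instead of surviving as a name.
    cleaned = _UNSAFE.sub("_", base).strip("_-")[:max_len]
    return cleaned or default


def chunk_path(work_dir: str, raw_prefix: str, index: int, fmt: str) -> str:
    """Build one chunk's output path and verify it stays inside work_dir."""
    if fmt.lower() not in ALLOWED_FORMATS:
        raise ValueError("unsupported output format")
    # Resolve the root before comparing. On macOS the temp directory sits behind
    # a symlink, so a resolved candidate never matches an unresolved root.
    root = os.path.realpath(work_dir)
    name = f"{sanitize_prefix(raw_prefix)}_{index:04d}.{fmt.lower()}"
    candidate = os.path.realpath(os.path.join(root, name))
    # Defence in depth: reject anything that still resolves outside the root.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("output path escapes working directory")
    return candidate
```

The containment check is kept even though the sanitizer already strips separators, so a later change to the allow-list cannot silently reopen the traversal.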