v1.1.0 — Security & correctness review fixes
Security
- RealDebrid API key leak via logs — Torrentio resolve URLs embed the RD key in the path;
ContentStreamingServicelogged them verbatim. Now logs onlyimdb_id+filename. RealDebridService#with_retryinfinite loop —retryre-executed the method body, resettingretries=0on every network failure, hanging the calling thread forever on a persistent RD outage. Restructured with an explicit loop.- Orphaned HLS ffmpeg processes —
HlsSession.cleanup_expiredwas never scheduled. Added a recurring job (every 5 min);HlsSession.stopnow falls back to the persistedrecord.pidso the SolidQueue worker can kill orphaned ffmpeg from other Puma workers. - SSRF DNS-rebinding TOCTOU —
valid_stream_url?resolved the host and rejected private IPs, but ffmpeg re-resolved independently. Addedverify_stream_url!(re-resolve before spawn) + an outbound host allowlist (RealDebrid CDN + provider resolve origins only). force_ssl+assume_sslenabled in production (were commented out despite the app carrying session cookies + RD keys).- Content-Security-Policy enabled (initializer was fully commented out).
- Open redirect via
Referer—content/showlinked to rawrequest.referer. Replaced with internal route helpers.
Correctness
- Reject non-positive progress saves —
save_progressusedblank?, which is false for0. - Idempotent + transactional
move_to_library—create!raised 500 on duplicate; nowfind_or_create_by!inside a transaction.
Performance
- Cache + parallelize home page catalog calls — the 4 cinemeta calls were sequential and uncached; now cached (1h TTL) and run concurrently.
- Cache movie stream listings (60s TTL) in
ContentController.
Quality
- Reword the Active Record encryption comment (was misleading — nil is fail-closed).
- Set Devise
mailer_senderfromMAILER_FROMenv (was placeholder). - Add XSS invariant comment to
episode_pickerinnerHTML sink.
Tests: 248 examples, 0 failures.