fix: security hardening, memory leak, file cleanup, and UX improvements #3
Open
salmanrajz wants to merge 2 commits into
Security:
- Add URL validation (http/https only) on all endpoints
- Add format_id sanitization to prevent yt-dlp flag injection
- Add job_id format validation (hex, 10 chars)
- Add path traversal protection on file serving endpoint
- Add non-root user in Dockerfile
- Mask internal errors from API responses
- Add .env and .vscode/ to .gitignore

Stability:
- Add threading lock for jobs dict (race condition fix)
- Add job TTL auto-purge (1hr) to prevent memory exhaustion
- Add MAX_JOBS cap (500) with 503 response when full
- Add JSON parse error handling in /api/info
- Add explicit debug=False on Flask entry point

File management:
- Add /api/cleanup endpoint for client-triggered file removal
- Frontend calls cleanup 5s after save to free disk space
- Pin dependency versions in requirements.txt

UX/Frontend:
- Fix dlAll() to properly await each download via Promise-based polling
- Add ARIA labels on interactive elements
- Improve title sanitization (80 char limit, control char removal, no hidden files)

DevEx:
- Add structured logging throughout backend
- Add type hints on all functions
- reclip.sh now always runs pip install on venv reuse
- reclip.sh adds exit trap for clean shutdown message
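
One way the input checks listed under "Security" can be written, as an added example that is not code from this pull request or from reclip. The helper names, `DOWNLOAD_DIR`, the lowercase-hex job id and the `format_id` allow-list are assumptions.

```python
import re
from pathlib import Path
from typing import List, Optional
from urllib.parse import urlsplit

DOWNLOAD_DIR = Path("/tmp/reclip-example")      # assumed download root
JOB_ID_RE = re.compile(r"[0-9a-f]{10}")         # "hex, 10 chars"; lowercase assumed
FORMAT_ID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.+-]{0,63}")  # assumed allow-list


def valid_url(url: str) -> bool:
    """Allow only absolute http/https URLs with a host and no whitespace/control bytes."""
    if not isinstance(url, str) or any(ord(c) <= 0x20 for c in url):
        return False
    try:
        parts = urlsplit(url)
        return parts.scheme in ("http", "https") and bool(parts.hostname)
    except ValueError:  # e.g. malformed IPv6 literal
        return False


def valid_job_id(job_id: str) -> bool:
    return isinstance(job_id, str) and JOB_ID_RE.fullmatch(job_id) is not None


def valid_format_id(format_id: str) -> bool:
    """First character is alphanumeric, so the value can never parse as an option."""
    return isinstance(format_id, str) and FORMAT_ID_RE.fullmatch(format_id) is not None


def build_argv(url: str, format_id: str) -> List[str]:
    """Build a yt-dlp argument list (no shell); '--' ends option parsing before the URL."""
    if not (valid_url(url) and valid_format_id(format_id)):
        raise ValueError("rejected input")
    return ["yt-dlp", "-f", format_id, "--", url]


def resolve_download(name: str) -> Optional[Path]:
    """Return the path under DOWNLOAD_DIR for name, or None if it escapes the root."""
    if not isinstance(name, str) or not name or "\x00" in name:
        return None
    base = DOWNLOAD_DIR.resolve()
    candidate = (base / name).resolve()   # collapses '..' and follows symlinks
    if candidate == base or not candidate.is_relative_to(base):
        return None
    return candidate
```
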
nandanosql referenced this pull request in nandanosql/reclip Apr 7, 2026
- Add POST /api/batch/download endpoint accepting multiple URLs
- Add GET /api/batch/status/<batch_id> for batch progress tracking
- Use ThreadPoolExecutor with 3 concurrent workers for parallel downloads
- Limit batch to 20 URLs per request
- Update frontend 'Download All' to use batch API instead of sequential
- Fallback to sequential download if batch API fails
- Batch status shows done/errors/pending counts

Fixes #3
DeBondor added a commit to DeBondor/reclip that referenced this pull request Apr 11, 2026
…dening, memory leak, UX)
- Pin yt-dlp>=2026.3.17 to fix YouTube SABR 403 errors (fixes averygan#8)
- Add --upgrade-deps to reclip.sh venv setup
- Add URL validation (http/https only)
- Add format_id sanitization against yt-dlp flag injection
- Add job_id format validation
- Add path traversal protection on file serving
- Add non-root user in Dockerfile
- Add threading lock for jobs dict (race condition fix)
- Add job TTL auto-purge (1hr) + MAX_JOBS cap (500)
- Add /api/cleanup endpoint + frontend cleanup call after download
- Add structured logging + type hints
- Fix dlAll() to await each download via Promise-based polling
- Add ARIA labels on interactive elements
- Improve title sanitization (80 char limit)
- reclip.sh: always run pip install on venv reuse
- reclip.sh: add EXIT trap for clean shutdown message
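
A sketch of the lock-guarded jobs table with the 1hr TTL purge and the MAX_JOBS cap named in the list above, as an added example that is not code from this pull request or from reclip. The `JobStore` class, its method names, the injectable clock and the way job ids are generated are assumptions.

```python
import threading
import time
import uuid
from typing import Callable, Dict, Optional

JOB_TTL_SECONDS = 3600   # 1hr TTL from the commit message
MAX_JOBS = 500           # cap from the commit message


class JobStore:
    """Lock-guarded job table with TTL purge and a hard size cap."""

    def __init__(self, ttl: float = JOB_TTL_SECONDS, max_jobs: int = MAX_JOBS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._jobs: Dict[str, dict] = {}
        self._lock = threading.Lock()
        self._ttl, self._max, self._clock = ttl, max_jobs, clock

    def _purge_locked(self) -> None:
        # Caller holds the lock; drop every job older than the TTL.
        cutoff = self._clock() - self._ttl
        for job_id in [j for j, rec in self._jobs.items() if rec["created"] < cutoff]:
            del self._jobs[job_id]

    def create(self) -> Optional[str]:
        """Return a new 10-char hex job id, or None when full (caller answers 503)."""
        with self._lock:
            self._purge_locked()
            if len(self._jobs) >= self._max:
                return None
            job_id = uuid.uuid4().hex[:10]       # assumed id scheme
            while job_id in self._jobs:          # truncated ids can collide
                job_id = uuid.uuid4().hex[:10]
            self._jobs[job_id] = {"status": "pending", "created": self._clock()}
            return job_id

    def get(self, job_id: str) -> Optional[dict]:
        with self._lock:
            self._purge_locked()
            rec = self._jobs.get(job_id)
            return dict(rec) if rec else None    # copy: callers never share state
```

Purging inside `create()` and `get()` keeps the table bounded without a background thread; the check-then-insert in `create()` is only safe because both steps run under the same lock.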
Auzlex added a commit to Auzlex/reclip that referenced this pull request Apr 29, 2026
…erygan#24 (security, stability, and progress tracking)
- PR averygan#24: Fixed YouTube 403 Forbidden errors by pinning yt-dlp>=2026.3.17.
- PR averygan#3: Implemented security hardening (URL validation, format/job ID sanitization, path traversal protection, and non-root Docker user).
- PR averygan#12: Added automatic disk management (1-hour job TTL, 500MB directory size cap, and auto-purge).
- PR averygan#13: Enhanced download experience with real-time progress tracking, 30-minute timeouts, and UI progress bars.
- Backend: Unified app.py with threading locks, structured logging, and configurable cleanup settings via environment variables.
- Environment: Updated Dockerfile and reclip.sh for better dependency management and unprivileged execution.