Code Review Issues
| # | Severity | File | Issue | Status |
|---|---|---|---|---|
| 1 | Critical | scripts/deploy.sh | `SCRIPT_DIR` resolves to scripts/ but paths assume the repo root (e.g. `$SCRIPT_DIR/caddy/docker-compose.yml`). All scripts broken after the move to scripts/. Fix: use `REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"` | DONE |
| 2 | Critical | scripts/backup.sh | Same broken `SCRIPT_DIR` path issue | DONE |
| 3 | Critical | scripts/restore.sh | Same broken `SCRIPT_DIR` path issue | DONE |
| 4 | High | scripts/backup.sh:20 | `pg_dumpall -U nextcloud` hardcodes the DB username instead of reading it from env | DONE |
| 5 | High | scripts/restore.sh:68 | `psql -U nextcloud` hardcodes the DB username instead of reading it from env | DONE |
| 6 | High | scripts/deploy.sh:13 | `source .env` in a root-privileged script can execute arbitrary commands. Consider safer parsing or variable validation | DONE |
| 7 | Medium | monitoring/docker-compose.yml | Docker socket + /proc + /sys + / mounted into the Alloy container. Consider using a Docker socket proxy to limit API access | DONE |
| 8 | Medium | caddy/Caddyfile | No rate limiting configured at the reverse proxy layer | DONE |
| 9 | Low | gitea/docker-compose.yml | `gitea/gitea:latest-rootless` unpinned — pin to a specific version like Nextcloud does | TODO |
| 10 | Low | monitoring/docker-compose.yml | `grafana/alloy:latest` unpinned — pin to a specific version | TODO |
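Issues 1-3 and issue 6 both concern how the moved scripts handle their environment, so the following POSIX sh sketch (an added example, not code from the reviewed repository) shows both fixes together: a helper that resolves the repository root from a script living under scripts/, and an `.env` loader that never evaluates the file. The loader reads the file line by line, accepts only `KEY=VALUE` lines whose key is a shell identifier, strips one pair of surrounding quotes, and applies a character whitelist to the value, so a line such as `EVIL=$(id)` is rejected rather than executed as `source` would do. The sample `.env` contents, the `good.env`/`bad.env` file names and the variable names `POSTGRES_USER`, `POSTGRES_PASSWORD` and `TZ` are constructed for the example.

```shell
#!/bin/sh
# Added example (not the reviewed repository's scripts). Hypothetical names throughout.
set -eu

# Issues 1-3: a script under scripts/ must build paths from the repo root, not from
# its own directory. $1 is the running script's path (callers pass "$0").
resolve_repo_root() {
  ( cd "$(dirname "$1")/.." && pwd )
}

# Issue 6: replacement for `source .env`. Nothing in the file is ever evaluated.
# Returns 1 on the first malformed or suspicious line. Variables are global
# because POSIX sh has no `local`.
load_env_file() {
  env_file="$1"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*) continue ;;                                   # blank line or comment
      *=*) ;;                                                # candidate assignment
      *) echo "rejected (no '='): $line" >&2; return 1 ;;
    esac
    key="${line%%=*}"
    value="${line#*=}"
    # key must be a valid identifier: non-empty, no leading digit, [A-Za-z0-9_] only
    case "$key" in
      ''|[0-9]*|*[!A-Za-z0-9_]*) echo "rejected (bad key): $line" >&2; return 1 ;;
    esac
    # strip one pair of matching surrounding quotes, as compose-style .env files use
    case "$value" in
      \"*\") value="${value#\"}"; value="${value%\"}" ;;
      \'*\') value="${value#\'}"; value="${value%\'}" ;;
    esac
    # whitelist: anything outside this set (e.g. $ ` ; | & ( ) space) is rejected,
    # which keeps the value safe to interpolate into later commands
    case "$value" in
      *[!A-Za-z0-9_./:@,+=-]*) echo "rejected (bad value): $line" >&2; return 1 ;;
    esac
    export "$key=$value"
  done < "$env_file"
}

# Path a script under scripts/ should use for the Caddy compose file.
compose_path_for() {
  printf '%s/caddy/docker-compose.yml' "$(resolve_repo_root "$1")"
}

# --- constructed demo input (not the repository's files) ---
demo_dir="$(mktemp -d)"
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/scripts" "$demo_dir/caddy"
: > "$demo_dir/caddy/docker-compose.yml"
printf '%s\n' '# constructed sample .env' \
  'POSTGRES_USER=nextcloud' \
  'POSTGRES_PASSWORD="correct-horse.battery_staple"' \
  'TZ=Europe/Berlin' > "$demo_dir/good.env"
printf '%s\n' 'POSTGRES_USER=nextcloud' 'EVIL=$(id)' > "$demo_dir/bad.env"

echo "compose file: $(compose_path_for "$demo_dir/scripts/deploy.sh")"
if ! load_env_file "$demo_dir/bad.env" 2>/dev/null; then
  echo "bad.env rejected, nothing executed"
fi
load_env_file "$demo_dir/good.env"
echo "loaded POSTGRES_USER=$POSTGRES_USER TZ=$TZ"
```

With the loader in place, issues 4 and 5 follow naturally: `pg_dumpall -U "$POSTGRES_USER"` and `psql -U "$POSTGRES_USER"` read the exported value instead of a hardcoded name. The whitelist in the value check is the policy knob; widen it deliberately if real secrets need other characters, rather than falling back to `source`.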