86 changes: 62 additions & 24 deletions backend/internal/data/ent/item_predicates.go


19 changes: 19 additions & 0 deletions docker-compose.yml.back
@@ -0,0 +1,19 @@
services:
homebox:
image: homebox
build:
context: .
dockerfile: ./Dockerfile
args:
- COMMIT=head
- BUILD_TIME=0001-01-01T00:00:00Z
Comment on lines +7 to +9
Contributor


⚠️ Potential issue | 🟠 Major

Placeholder build metadata makes images untraceable.

The build arguments use placeholder values that defeat their purpose:

  • COMMIT=head is not a real commit SHA
  • BUILD_TIME=0001-01-01T00:00:00Z is a zero timestamp

These make it impossible to:

  • Trace which code version is running in the container
  • Debug issues by correlating container behavior with source code
  • Track when builds were created
🔧 Suggested fix

If this is for local development, dynamically inject real values:

       args:
-        - COMMIT=head
-        - BUILD_TIME=0001-01-01T00:00:00Z
+        - COMMIT=${GIT_COMMIT:-$(git rev-parse HEAD)}
+        - BUILD_TIME=${BUILD_TIME:-$(date -u +"%Y-%m-%dT%H:%M:%SZ")}

Or document that developers should override these at build time:

GIT_COMMIT=$(git rev-parse HEAD) BUILD_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ") docker-compose build
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docker-compose.yml.back` around lines 7 - 9, replace the placeholder build args COMMIT=head and BUILD_TIME=0001-01-01T00:00:00Z used in the docker-compose build args with real, traceable values: change the build integration that sets these args to inject the git commit SHA and an ISO UTC build timestamp at build time (or make them empty defaults and require consumers to pass them). Update the docker-compose build invocation documentation or CI pipeline to show how to supply GIT_COMMIT=$(git rev-parse HEAD) and BUILD_TIME=$(date -u +%Y-%m-%dT%H:%M:%SZ) when running docker-compose build so containers are traceable.

x-bake:
platforms:
- linux/amd64
- linux/arm64
- linux/arm
environment:
- HBOX_DEBUG=true
- HBOX_LOGGER_LEVEL=-1
Comment on lines +15 to +17
Contributor


⚠️ Potential issue | 🟠 Major

Security concern: Debug mode enabled.

The configuration enables debug mode (HBOX_DEBUG=true) and sets maximum verbosity logging (HBOX_LOGGER_LEVEL=-1). While appropriate for development, if this configuration is accidentally used in production:

Security risks:

  • Debug output may expose sensitive information (credentials, API keys, PII, internal paths)
  • Debug endpoints might bypass authentication/authorization checks
  • Verbose logging can expose detailed application internals to attackers

Operational risks:

  • Trace-level logging can rapidly fill disk space
  • Performance degradation from excessive logging I/O

Since the filename suggests this might be a backup/alternative configuration, clearly document this is development-only to prevent accidental production use.

📋 Recommendation

Add a comment at the top of the file:

+# DEVELOPMENT ONLY - DO NOT USE IN PRODUCTION
+# Debug mode and verbose logging enabled for local testing
 services:
   homebox:

Or use environment variable overrides that default to safe values:

     environment:
-      - HBOX_DEBUG=true
-      - HBOX_LOGGER_LEVEL=-1
+      - HBOX_DEBUG=${HBOX_DEBUG:-false}
+      - HBOX_LOGGER_LEVEL=${HBOX_LOGGER_LEVEL:-0}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docker-compose.yml.back` around lines 15 - 17, this docker-compose snippet exposes dangerous dev settings: HBOX_DEBUG=true and HBOX_LOGGER_LEVEL=-1; mark this file clearly as development-only by adding a top-of-file comment stating "DEVELOPMENT ONLY — do not use in production", and change the environment defaults to safe values (e.g., HBOX_DEBUG=false and HBOX_LOGGER_LEVEL=info or a numeric level >=0) or wrap them to be overridden by runtime env vars (keep HBOX_DEBUG and HBOX_LOGGER_LEVEL as the referenced symbols) so production deployments must explicitly opt in to debug/verbose logging.

ports:
- 3100:7745
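Review bot: `3100:7745` publishes the service on every host interface, because a port mapping with no host address binds to 0.0.0.0 by default; together with `HBOX_DEBUG=true` and `HBOX_LOGGER_LEVEL=-1` a few lines up, that makes a debug-configured, trace-logging instance reachable from any network the host is on. For a local development file, bind it to loopback, e.g. `- 127.0.0.1:3100:7745`. Separately, `image: homebox` carries no tag, so every build of this file overwrites `homebox:latest`; tagging the image with the commit (for example `homebox:${GIT_COMMIT}`) would give the image the traceability the `COMMIT`/`BUILD_TIME` build args are supposed to provide.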
Comment on lines +1 to +19
Contributor


⚠️ Potential issue | 🟠 Major

Why is a backup file being added to version control?

The .back filename suffix suggests this is a backup copy of docker-compose.yml. Backup files typically shouldn't be committed to version control as they:

  • Create confusion about which file is authoritative
  • Clutter the repository
  • Can lead to accidentally using the wrong configuration

Consider:

  • If this is for testing/development, use a descriptive name like docker-compose.dev.yml or docker-compose.debug.yml
  • If it's truly a backup, exclude it from version control via .gitignore
  • If it's meant to replace the main compose file, rename it appropriately
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docker-compose.yml.back` around lines 1 - 19, the committed file docker-compose.yml.back appears to be a backup copy of your compose file; remove it from version control (git rm --cached docker-compose.yml.back or delete and commit) or rename it to a descriptive dev file (e.g., docker-compose.dev.yml) and update any tooling that references it; if you intend to keep a backup locally, add docker-compose.yml.back to .gitignore; ensure the canonical compose file (serving the homebox service) remains named docker-compose.yml so references to the homebox service and its ports/args remain correct.
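The three review comments above (placeholder build metadata, debug settings, and a loose development file) all come down to checks a developer or CI job can run before building. The script below is an added example, not code from the homebox project or from this PR; the function names, the sample compose files it writes, and the lint rules are assumptions for illustration. It lints a compose file for the findings raised in review, validates a real commit SHA and timestamp, and shows the shell-side replacement for the suggested `${GIT_COMMIT:-$(git rev-parse HEAD)}` default, which Compose cannot evaluate because its variable interpolation never runs command substitution.

```shell
#!/bin/sh
# Added example (not homebox project code): preflight checks for a compose file.
# Findings it reports:
#   1. placeholder build metadata (COMMIT=head, BUILD_TIME=0001-01-01T00:00:00Z)
#   2. debug settings (HBOX_DEBUG=true, HBOX_LOGGER_LEVEL=-1)
#   3. a published port with no host address, which Docker binds to 0.0.0.0
# All names here are assumed for illustration.

# Print one line per finding; return 0 if the file is clean, 1 otherwise.
compose_lint() {
  file="$1"
  findings=0
  while IFS= read -r line; do
    # drop indentation, a leading "- " list marker, trailing space and quotes
    item=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/^- *//; s/[[:space:]]*$//' | tr -d '"')
    case "$item" in
      COMMIT=head|COMMIT=HEAD|COMMIT=)
        echo "placeholder commit: $item"; findings=$((findings + 1)) ;;
      BUILD_TIME=0001-01-01T00:00:00Z|BUILD_TIME=)
        echo "placeholder build time: $item"; findings=$((findings + 1)) ;;
      HBOX_DEBUG=true)
        echo "debug mode enabled: $item"; findings=$((findings + 1)) ;;
      HBOX_LOGGER_LEVEL=-1)
        echo "trace-level logging enabled: $item"; findings=$((findings + 1)) ;;
      [0-9]*:[0-9]*)
        case "$item" in
          *:*:*) ;;   # "127.0.0.1:3100:7745": a host address is given, fine
          *) echo "port published on all interfaces: $item"; findings=$((findings + 1)) ;;
        esac ;;
    esac
  done < "$file"
  [ "$findings" -eq 0 ]
}

# Validate the values a developer or CI job supplies in place of the placeholders.
is_valid_build_meta() {
  commit="$1"
  stamp="$2"
  if ! printf '%s\n' "$commit" | grep -Eq '^[0-9a-f]{40}$'; then
    echo "commit is not a full 40-hex SHA-1: $commit"; return 1
  fi
  if [ "$stamp" = "0001-01-01T00:00:00Z" ] || \
     ! printf '%s\n' "$stamp" | grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z$'; then
    echo "build time is zero or not ISO-8601 UTC: $stamp"; return 1
  fi
  return 0
}

# Compose interpolation never executes "$(...)", so the default in
# "COMMIT=${GIT_COMMIT:-$(git rev-parse HEAD)}" would not run git. Compute the
# values in the shell, check them, and export them before "docker compose build".
export_build_meta() {
  GIT_COMMIT=$(git rev-parse HEAD 2>/dev/null) || return 1
  BUILD_TIME=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  is_valid_build_meta "$GIT_COMMIT" "$BUILD_TIME" || return 1
  export GIT_COMMIT BUILD_TIME
}

# Constructed sample files (not the PR's file verbatim) so the lint runs offline.
write_sample_compose() {
  path="$1"
  case "$2" in
    bad) cat > "$path" <<'EOF'
services:
  homebox:
    image: homebox
    build:
      context: .
      args:
        - COMMIT=head
        - BUILD_TIME=0001-01-01T00:00:00Z
    environment:
      - HBOX_DEBUG=true
      - HBOX_LOGGER_LEVEL=-1
    ports:
      - 3100:7745
EOF
    ;;
    good) cat > "$path" <<'EOF'
# DEVELOPMENT ONLY - DO NOT USE IN PRODUCTION
services:
  homebox:
    image: homebox:${GIT_COMMIT:-dev}
    build:
      context: .
      args:
        - COMMIT=${GIT_COMMIT}
        - BUILD_TIME=${BUILD_TIME}
    environment:
      - HBOX_DEBUG=${HBOX_DEBUG:-false}
      - HBOX_LOGGER_LEVEL=${HBOX_LOGGER_LEVEL:-0}
    ports:
      - 127.0.0.1:3100:7745
EOF
    ;;
  esac
}
# Usage (in a checkout): export_build_meta && compose_lint docker-compose.dev.yml && docker compose build
```

The lint is deliberately line-based rather than a YAML parser so it runs anywhere a POSIX shell does; it will miss values split across lines or written in the long `ports:` mapping form, so treat it as a cheap pre-commit gate, not a substitute for reviewing the file. The "good" sample shows the shape the review asks for: a development-only banner, build args that must be supplied (so a missing value fails loudly instead of shipping a placeholder), debug settings that default off, and a port bound to loopback.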
