
Security: Classify S5332 HTTP hotspots and document internal Docker networking boundary#284

Merged
NickLetts2 merged 4 commits into
mainfrom
copilot/classify-docker-http-urls
May 15, 2026

Conversation

Contributor

Copilot AI commented May 15, 2026

SonarCloud flags many http:// URLs under python:S5332 / typescript:S5332. Most are internal Docker service addresses or test-only localhost URLs that are safe given Curvit's single-host architecture with TLS terminated at Traefik.

Documentation

New file: docs/security/internal-networking.md

  • Diagrams the TLS boundary (Traefik terminates public TLS; internal services communicate via plain HTTP on the private Docker network)
  • Classifies all hotspot categories: internal Docker URLs, test-only URLs, E2E loopback URLs, XML/JSON Schema namespace identifiers
  • Confirms internal service ports are not published externally
  • Notes future obligation to revisit if topology moves to multi-host

NOSONAR annotations

Inline // NOSONAR: S5332 / # NOSONAR: S5332 comments added on the exact flagged lines with brief justifications. Categories covered:

Internal Docker service URLs — server-side only, never browser-facing:

// apps/app-frontend/src/lib/api/internal-auth.ts
const getInternalApiBaseUrl = () =>
  process.env.INTERNAL_API_URL || process.env.CORE_API_URL || 'http://core-api:5000'; // NOSONAR: S5332 - Internal Docker URL; server-side only.
# workers/analysis-worker/app/config.py
core_api_base_url: str = "http://core-api:5000"  # NOSONAR: S5332

E2E test loopback URLs — guarded by PLAYWRIGHT_E2E=1 / isPlaywrightE2EEnabled(), never reached in production:

return `http://127.0.0.1:41017/settings?checkout=success&tier=${tier}`; // NOSONAR: S5332 - E2E test-only URL; guarded by isPlaywrightE2EEnabled().

Test-only mock settings — no real network connections made:

mock_settings.sanitiser_service_url = "http://content-sanitiser:8000"  # NOSONAR: S5332 - test-only mock value

XML/JSON Schema namespace identifiers — static identifiers for XML parsers, not network requests:

namespace = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"  # NOSONAR: S5332 - XML namespace identifier, not a network request.

httpx test transport — standard httpx test convention; ASGITransport never makes real connections:

async with httpx.AsyncClient(transport=transport, base_url="http://test") as test_client:  # NOSONAR: S5332 - standard httpx test transport placeholder

Files annotated span: apps/app-frontend/src/, apps/marketing-site/src/, workers/analysis-worker/app/, services/*/app/, shared/, and their respective test suites.
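The description above classifies every plain-http URL by what its host actually is (a Docker service name, a loopback address, a schema namespace, the httpx `http://test` placeholder) and requires a `NOSONAR: S5332` justification on the exact line. The following is an added example, not code from the Curvit repository or from this PR, of a small policy check that applies that same classification to source lines and rejects anything that falls outside it: a plain-http URL to an external host, or any plain-http URL that lacks the inline justification. The service host names, marker format and quoted lines come from the PR description; the checker itself, the assumption that an internal host is a single-label name with no dots, the `NAMESPACE_HOSTS` set and the sample file paths marked hypothetical are the example's own.

```python
"""Classify plain-http URLs in source lines into the S5332 hotspot categories
this PR documents and flag anything that does not fit the documented boundary.

Added example: not part of the Curvit repository or this PR.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Iterator

URL_RE = re.compile(r"https?://[^\s\"'`)]+")
NOSONAR_RE = re.compile(r"NOSONAR:\s*S5332")

# Loopback hosts never leave the machine (E2E harness URLs in the PR).
LOOPBACK_HOSTS = {"127.0.0.1", "localhost"}
# Schema namespace hosts: static identifiers for parsers, not endpoints.
# Assumption of this example; the PR only quotes the openxmlformats one.
NAMESPACE_HOSTS = {"schemas.openxmlformats.org", "json-schema.org"}


@dataclass
class Finding:
    path: str
    lineno: int
    url: str
    category: str    # internal | loopback | namespace | test-placeholder | external
    annotated: bool  # the same line carries a "NOSONAR: S5332" justification


def host_of(url: str) -> str:
    """Return the bare host name of a URL (no scheme, port or path)."""
    return re.sub(r"^https?://", "", url).split("/")[0].split(":")[0]


def classify(url: str) -> str:
    host = host_of(url)
    if host in LOOPBACK_HOSTS:
        return "loopback"
    if host in NAMESPACE_HOSTS:
        return "namespace"
    if host == "test":  # httpx ASGITransport convention quoted in the PR
        return "test-placeholder"
    if "." not in host:  # assumption: single-label name == Docker service on the private network
        return "internal"
    return "external"


def scan(path: str, lines: Iterable[str]) -> Iterator[Finding]:
    """Yield one Finding per plain-http URL; https URLs are not S5332 hotspots."""
    for lineno, line in enumerate(lines, 1):
        for match in URL_RE.finditer(line):
            url = match.group(0)
            if url.startswith("https://"):
                continue
            yield Finding(path, lineno, url, classify(url), bool(NOSONAR_RE.search(line)))


def scan_all(files: dict) -> list:
    return [f for path, lines in files.items() for f in scan(path, lines)]


def violations(findings: Iterable[Finding]) -> list:
    """Findings the documented policy would reject: an external plain-http URL
    anywhere, or any plain-http URL without an inline S5332 justification."""
    return [f for f in findings if f.category == "external" or not f.annotated]


# Constructed sample input: the lines quoted in the PR description, under
# hypothetical paths where the PR names none, plus one unannotated external
# URL that the policy should reject.
SAMPLE_FILES = {
    "apps/app-frontend/src/lib/api/internal-auth.ts": [
        "const getInternalApiBaseUrl = () =>",
        "  process.env.INTERNAL_API_URL || process.env.CORE_API_URL || 'http://core-api:5000'; // NOSONAR: S5332 - Internal Docker URL; server-side only.",
    ],
    "workers/analysis-worker/app/config.py": [
        'core_api_base_url: str = "http://core-api:5000"  # NOSONAR: S5332',
    ],
    "apps/app-frontend/src/app/api/e2e/checkout/route.ts": [  # hypothetical path
        "return `http://127.0.0.1:41017/settings?checkout=success&tier=${tier}`; // NOSONAR: S5332 - E2E test-only URL; guarded by isPlaywrightE2EEnabled().",
    ],
    "services/document-ingestion/app/docx_extractor.py": [  # hypothetical path
        'namespace = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"  # NOSONAR: S5332 - XML namespace identifier, not a network request.',
    ],
    "services/admin-service/tests/conftest.py": [  # hypothetical path
        'async with httpx.AsyncClient(transport=transport, base_url="http://test") as test_client:  # NOSONAR: S5332 - standard httpx test transport placeholder',
    ],
    "apps/app-frontend/src/lib/api/example.ts": [  # hypothetical: must be rejected
        "const metrics = fetch('http://metrics.example.com/push');",
    ],
}

if __name__ == "__main__":
    for f in scan_all(SAMPLE_FILES):
        print(f"{f.path}:{f.lineno} {f.category:16} annotated={f.annotated} {f.url}")
    for v in violations(scan_all(SAMPLE_FILES)):
        print(f"REJECT {v.path}:{v.lineno} ({v.category}, annotated={v.annotated})")
```

Run against a real checkout, `scan_all` would take `{path: file.read().splitlines()}` for each source file; the classifier deliberately keys on the host rather than on whether the file is a test, because the PR keeps E2E loopback URLs in production files behind the `isPlaywrightE2EEnabled()` guard, so the inline justification is what the check verifies there.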

Copilot AI and others added 3 commits May 15, 2026 20:20
- Create docs/security/internal-networking.md documenting TLS boundary,
  internal Docker networking, hotspot classification, and future considerations
- Add NOSONAR: S5332 comments to all internal Docker-network service URLs
  in production TypeScript source files (health.ts, internal-auth.ts,
  account.ts, messages.ts, blog.ts, admin.ts, billing.ts, logoutCookies.ts,
  e2e auth route, middleware.ts already annotated)
- Add NOSONAR: S5332 comments to marketing-site source files (config.ts,
  search/index.ts)
- Add NOSONAR: S5332 comments to Python production source files
  (analysis-worker config, admin-service config, document-ingestion config,
  shared/config.py, billing-service config, docx_extractor namespace URI)
- Add NOSONAR: S5332 comments to Python test files (analysis-worker
  test_internal_api_key.py, document-ingestion scanner tests, conftest.py
  http://test httpx transport base URLs, ai-orchestrator JSON schema ID)
- Add NOSONAR: S5332 comments to TypeScript test files (MSW handler setup
  lines, playwright configs, checkout/billing E2E test URLs, logoutCookies
  test, admin-visibility E2E spec, publicMessages marketing-site tests)
- Add NOSONAR: S5332 comments to manual test harnesses in data/Testing/

All 323 app-frontend unit tests pass.
All 74 marketing-site unit tests pass.
All 22 document-ingestion service tests pass.
All 14 analysis-worker tests pass.

Agent-Logs-Url: https://github.com/NickLetts2/Curvit/sessions/6ed98df5-a975-4f0d-ac6c-c3d3c87d77b1

Co-authored-by: NickLetts2 <90337962+NickLetts2@users.noreply.github.com>
- Remove redundant file-level NOSONAR from internal-auth.ts (keep inline only)
- Replace block-level NOSONAR comment in health.ts with inline-only approach
- Fix conftest.py NOSONAR placement to be inline on URL-containing lines
- Fix test_internal_api_key.py docstring to have NOSONAR outside string literal
- Replace file-level NOSONAR comments in playwright configs with precise
  inline comments on each URL-containing line

Agent-Logs-Url: https://github.com/NickLetts2/Curvit/sessions/6ed98df5-a975-4f0d-ac6c-c3d3c87d77b1

Co-authored-by: NickLetts2 <90337962+NickLetts2@users.noreply.github.com>
- Move NOSONAR from docstring closing in test_internal_api_key.py to a
  standalone comment line after the docstring
- Clean up file-level comment in publicMessages.test.ts to not embed
  NOSONAR text in a regular comment (inline NOSONAR on call sites retained)

Agent-Logs-Url: https://github.com/NickLetts2/Curvit/sessions/6ed98df5-a975-4f0d-ac6c-c3d3c87d77b1

Co-authored-by: NickLetts2 <90337962+NickLetts2@users.noreply.github.com>
Copilot AI changed the title [WIP] Classify internal Docker HTTP URLs and document safe usage Security: Classify S5332 HTTP hotspots and document internal Docker networking boundary May 15, 2026
Copilot AI requested a review from NickLetts2 May 15, 2026 20:25
@NickLetts2 NickLetts2 marked this pull request as ready for review May 15, 2026 20:34
Copilot AI review requested due to automatic review settings May 15, 2026 20:34
@NickLetts2 NickLetts2 merged commit a548cd2 into main May 15, 2026
6 of 7 checks passed
Copilot AI review requested due to automatic review settings May 15, 2026 20:57
NickLetts2 added a commit that referenced this pull request Jun 1, 2026
…urls

Security: Classify S5332 HTTP hotspots and document internal Docker networking boundary
@NickLetts2 NickLetts2 deleted the copilot/classify-docker-http-urls branch June 2, 2026 09:46

Development

Successfully merging this pull request may close these issues.

Security Hotspots: Classify internal Docker HTTP URLs and document safe usage
