Duplicate Code Opportunity
Summary
- Pattern: Container security-hardening config block (
cap_drop: ['ALL'], security_opt: ['no-new-privileges:true'], mem_limit, memswap_limit, pids_limit) copied verbatim into three sidecar service builders
- Locations:
api-proxy-service.ts:212–219, doh-proxy-service.ts:37–42, cli-proxy-service.ts:94–98
- Impact: Security settings could silently diverge across sidecars; a reviewer hardening one service must manually update all others
Evidence
src/services/api-proxy-service.ts lines 212–219:
cap_drop: ['ALL'],
security_opt: [
'no-new-privileges:true',
],
// Resource limits to prevent DoS attacks
mem_limit: '512m',
memswap_limit: '512m',
pids_limit: 100,
cpu_shares: 512,
src/services/doh-proxy-service.ts lines 37–42:
// Security hardening: Drop all capabilities
cap_drop: ['ALL'],
security_opt: ['no-new-privileges:true'],
mem_limit: '128m',
memswap_limit: '128m',
pids_limit: 50,
src/services/cli-proxy-service.ts lines 93–98:
cap_drop: ['ALL'],
security_opt: ['no-new-privileges:true'],
mem_limit: '256m',
memswap_limit: '256m',
pids_limit: 50,
cpu_shares: 256,
The cap_drop and security_opt fields are identical across all three. Only the resource-limit values differ.
Suggested Refactoring
Extract a buildContainerSecurityHardening helper in a new src/services/service-security.ts (or add to an existing shared utils file):
interface ContainerResourceLimits {
memLimit: string;
pidsLimit: number;
cpuShares?: number;
}
function buildContainerSecurityHardening(limits: ContainerResourceLimits): Record<string, unknown> {
return {
cap_drop: ['ALL'],
security_opt: ['no-new-privileges:true'],
mem_limit: limits.memLimit,
memswap_limit: limits.memLimit, // match mem_limit
pids_limit: limits.pidsLimit,
...(limits.cpuShares !== undefined && { cpu_shares: limits.cpuShares }),
};
}Each service builder then spreads the result:
const service = {
...buildContainerSecurityHardening({ memLimit: '512m', pidsLimit: 100, cpuShares: 512 }),
// other fields
};This ensures that any future hardening change (e.g., adding read_only: true) propagates automatically.
Affected Files
src/services/api-proxy-service.ts — lines 212–219src/services/doh-proxy-service.ts — lines 37–42src/services/cli-proxy-service.ts — lines 93–98
Effort Estimate
Low
Detected by Duplicate Code Detector workflow. Run date: 2026-05-16
Generated by Duplicate Code Detector · ● 9.9M · ◷
Duplicate Code Opportunity
Summary
cap_drop: ['ALL'],security_opt: ['no-new-privileges:true'],mem_limit,memswap_limit,pids_limit) copied verbatim into three sidecar service buildersapi-proxy-service.ts:212–219,doh-proxy-service.ts:37–42,cli-proxy-service.ts:94–98Evidence
src/services/api-proxy-service.tslines 212–219:src/services/doh-proxy-service.tslines 37–42:src/services/cli-proxy-service.tslines 93–98:The
cap_dropandsecurity_optfields are identical across all three. Only the resource-limit values differ.Suggested Refactoring
Extract a
buildContainerSecurityHardeninghelper in a newsrc/services/service-security.ts(or add to an existing shared utils file):Each service builder then spreads the result:
This ensures that any future hardening change (e.g., adding
read_only: true) propagates automatically.Affected Files
src/services/api-proxy-service.ts— lines 212–219src/services/doh-proxy-service.ts— lines 37–42src/services/cli-proxy-service.ts— lines 93–98Effort Estimate
Low
Detected by Duplicate Code Detector workflow. Run date: 2026-05-16