fix: address review findings (#211) (#215)

* feat: add load/soak tests and nightly job (#202)

* test: reduce streaming perf test flakiness (#202)

* fix: address review findings (#211)

* fix: implement limited stream flush

* fix: use memory-based read async

* test: fix analyzer warnings

* test: stabilize memory pooling perf test

* test: stabilize coordinate pooling perf test

* Fix architecture gate violations

---------

Co-authored-by: Mike McDougall <mike@honua.io>

Author: mikemcdougall

src/Honua.Postgres/Features/Import/InMemoryImportJobService.cs

@@ -40,21 +40,29 @@ public async Task<string> QueueImportAsync(
         long fileSize,
         CancellationToken cancellationToken = default)
     {
-        var jobId = Guid.NewGuid().ToString("N")[..8];
         var format = _importService.DetectFormat(request.FileName) ?? SupportedFileFormat.GeoJson;
         var formatName = format.ToString();
 
-        var progress = ImportProgress.CreateInitial(jobId, request.TableName, format, fileSize);
-        var state = new ImportJobState
+        ImportJobState state;
+        string jobId;
+        while (true)
         {
-            Progress = progress,
-            Request = request,
-            StartedAt = DateTimeOffset.UtcNow,
-            FileSize = fileSize,
-            Format = formatName
-        };
-
-        _jobs[jobId] = state;
+            jobId = Guid.NewGuid().ToString("N")[..8];
+            var progress = ImportProgress.CreateInitial(jobId, request.TableName, format, fileSize);
+            state = new ImportJobState
+            {
+                Progress = progress,
+                Request = request,
+                StartedAt = DateTimeOffset.UtcNow,
+                FileSize = fileSize,
+                Format = formatName
+            };
+
+            if (_jobs.TryAdd(jobId, state))
+            {
+                break;
+            }
+        }
 
         var cts = CancellationTokenSource.CreateLinkedTokenSource(cancellationToken);
         _cancellationTokens[jobId] = cts;

src/Honua.Server/Features/FeatureServer/AttachmentEndpoints.cs

@@ -5,6 +5,7 @@
 using Honua.Core.Features.Attachments.Abstractions;
 using Honua.Core.Features.Catalog.Abstractions;
 using Honua.Server.Features.Infrastructure.Helpers;
+using Honua.Server.Features.Infrastructure.Security;
 using Microsoft.Extensions.Options;
 
 namespace Honua.Server.Features.FeatureServer;
@@ -135,6 +136,7 @@ private static async Task HandleAddAttachment(HttpContext context)
 
         var attachmentStore = context.RequestServices.GetRequiredService<IAttachmentStore>();
         var limitsOptions = context.RequestServices.GetRequiredService<IOptions<LimitsOptions>>();
+        var securityOptions = context.RequestServices.GetRequiredService<IOptions<FileUploadSecurityOptions>>();
         var logger = context.RequestServices.GetRequiredService<ILogger<AttachmentOperations>>();
 
         var result = await AddAttachmentAsync(
@@ -144,6 +146,7 @@ private static async Task HandleAddAttachment(HttpContext context)
             keywords,
             attachmentStore,
             limitsOptions.Value.Attachments,
+            securityOptions.Value,
             logger,
             context.RequestAborted);
 
@@ -320,8 +323,17 @@ private static async Task HandleDownloadAttachment(HttpContext context)
     private static Task<IResult> QueryAttachmentsAsync(int layerId, long featureId, IAttachmentStore attachmentStore, ILogger<AttachmentOperations> logger, CancellationToken cancellationToken)
         => AttachmentHandler.QueryAttachmentsAsync(layerId, featureId, attachmentStore, logger, cancellationToken);
 
-    private static Task<IResult> AddAttachmentAsync(int layerId, long featureId, IFormFile file, string? keywords, IAttachmentStore attachmentStore, AttachmentLimits limits, ILogger<AttachmentOperations> logger, CancellationToken cancellationToken)
-        => AttachmentHandler.AddAttachmentAsync(layerId, featureId, file, keywords, attachmentStore, limits, logger, cancellationToken);
+    private static Task<IResult> AddAttachmentAsync(
+        int layerId,
+        long featureId,
+        IFormFile file,
+        string? keywords,
+        IAttachmentStore attachmentStore,
+        AttachmentLimits limits,
+        FileUploadSecurityOptions securityOptions,
+        ILogger<AttachmentOperations> logger,
+        CancellationToken cancellationToken)
+        => AttachmentHandler.AddAttachmentAsync(layerId, featureId, file, keywords, attachmentStore, limits, securityOptions, logger, cancellationToken);
 
     private static Task<IResult> UpdateAttachmentAsync(int layerId, long featureId, long attachmentId, string? keywords, IAttachmentStore attachmentStore, ILogger<AttachmentOperations> logger, CancellationToken cancellationToken)
         => AttachmentHandler.UpdateAttachmentAsync(layerId, featureId, attachmentId, keywords, attachmentStore, logger, cancellationToken);

src/Honua.Server/Features/FeatureServer/AttachmentHandler.cs

@@ -66,6 +66,7 @@ public static async Task<IResult> AddAttachmentAsync(
         string? keywords,
         IAttachmentStore attachmentStore,
         AttachmentLimits limits,
+        FileUploadSecurityOptions securityOptions,
         ILogger<AttachmentOperations> logger,
         CancellationToken cancellationToken)
     {
@@ -99,7 +100,10 @@ public static async Task<IResult> AddAttachmentAsync(
             }
 
             // Security Layer 4: Validate file content for malicious signatures
-            var contentValidation = await FileUploadSecurity.ValidateFileContentAsync(file, cancellationToken);
+            var contentValidation = await FileUploadSecurity.ValidateFileContentAsync(
+                file,
+                securityOptions.MaxSecurityScanSizeBytes,
+                cancellationToken);
             if (!contentValidation.IsValid)
             {
                 LogSecurityValidationFailed(logger, layerId, featureId, "content", contentValidation.ErrorMessage);

src/Honua.Server/Features/FileStorage/LocalFileStorage.cs

@@ -19,7 +19,7 @@ internal sealed class LocalFileStorage : ICloudFileStorage
     private readonly LocalStorageOptions _options;
     private readonly ILogger<LocalFileStorage> _logger;
     private readonly ConcurrentDictionary<string, CloudFile> _fileIndex;
-    private readonly ConcurrentDictionary<string, HashSet<string>> _batchIndex;
+    private readonly ConcurrentDictionary<string, ConcurrentDictionary<string, byte>> _batchIndex;
     private readonly string _basePath;
     private readonly string _metadataPath;
     private static readonly JsonSerializerOptions _jsonOptions = new()
@@ -39,10 +39,12 @@ public LocalFileStorage(
     {
         _options = options.Value ?? throw new ArgumentNullException(nameof(options));
         _logger = logger ?? throw new ArgumentNullException(nameof(logger));
-        _basePath = _options.BasePath;
+        _basePath = string.IsNullOrWhiteSpace(_options.BasePath)
+            ? Directory.GetCurrentDirectory()
+            : Path.TrimEndingDirectorySeparator(_options.BasePath);
         _metadataPath = Path.Combine(_basePath, ".metadata");
         _fileIndex = new ConcurrentDictionary<string, CloudFile>();
-        _batchIndex = new ConcurrentDictionary<string, HashSet<string>>();
+        _batchIndex = new ConcurrentDictionary<string, ConcurrentDictionary<string, byte>>();
 
         InitializeStorage();
     }
@@ -206,7 +208,7 @@ public async Task<bool> DeleteAsync(string fileId, CancellationToken cancellatio
             // Remove from batch index if present
             foreach (var batch in _batchIndex)
             {
-                batch.Value.Remove(fileId);
+                _ = batch.Value.TryRemove(fileId, out _);
             }
 
             FileStorageLog.FileDeleted(_logger, fileId);
@@ -231,7 +233,7 @@ public async Task<BatchUploadResult> UploadBatchAsync(BatchUploadRequest request
         var uploadedFiles = new List<CloudFile>();
         var failedFiles = new Dictionary<string, string>();
 
-        _batchIndex[batchId] = new HashSet<string>();
+        _batchIndex[batchId] = new ConcurrentDictionary<string, byte>();
 
         foreach (var file in request.Files)
         {
@@ -252,7 +254,7 @@ public async Task<BatchUploadResult> UploadBatchAsync(BatchUploadRequest request
             if (result.Success && result.File is not null)
             {
                 uploadedFiles.Add(result.File);
-                _batchIndex[batchId].Add(result.File.FileId);
+                _ = _batchIndex[batchId].TryAdd(result.File.FileId, 0);
             }
             else
             {
@@ -293,7 +295,7 @@ public async Task<int> DeleteBatchAsync(string batchId, CancellationToken cancel
         }
 
         var deletedCount = 0;
-        foreach (var fileId in fileIds)
+        foreach (var fileId in fileIds.Keys)
         {
             if (await DeleteAsync(fileId, cancellationToken))
             {
@@ -448,8 +450,8 @@ private void LoadExistingMetadata()
                     // Rebuild batch index
                     if (cloudFile.Metadata.TryGetValue("BatchId", out var batchId))
                     {
-                        var batchFiles = _batchIndex.GetOrAdd(batchId, _ => new HashSet<string>());
-                        batchFiles.Add(cloudFile.FileId);
+                        var batchFiles = _batchIndex.GetOrAdd(batchId, _ => new ConcurrentDictionary<string, byte>());
+                        _ = batchFiles.TryAdd(cloudFile.FileId, 0);
                     }
                 }
             }
@@ -475,13 +477,38 @@ private string GetMetadataFilePath(string fileId) =>
     private static string GenerateFileId() =>
         Guid.NewGuid().ToString("N");
 
-    private static string BuildStoragePath(string fileId, string fileName, string? folder)
+    private string BuildStoragePath(string fileId, string fileName, string? folder)
     {
         var extension = Path.GetExtension(fileName);
         var storageName = $"{fileId}{extension}";
 
-        return string.IsNullOrEmpty(folder)
-            ? storageName
-            : Path.Combine(folder, storageName);
+        if (string.IsNullOrWhiteSpace(folder))
+        {
+            return storageName;
+        }
+
+        ValidateFolderPath(folder);
+
+        return Path.Combine(folder, storageName);
+    }
+
+    private static void ValidateFolderPath(string folder)
+    {
+        if (Path.IsPathRooted(folder))
+        {
+            throw new ArgumentException("Folder must be a relative path.", nameof(folder));
+        }
+
+        if (folder.IndexOfAny(Path.GetInvalidPathChars()) >= 0)
+        {
+            throw new ArgumentException("Folder contains invalid path characters.", nameof(folder));
+        }
+
+        var separators = new[] { Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar };
+        var segments = folder.Split(separators, StringSplitOptions.RemoveEmptyEntries);
+        if (segments.Any(segment => segment == ".."))
+        {
+            throw new ArgumentException("Folder must not contain relative traversal segments.", nameof(folder));
+        }
     }
 }

src/Honua.Server/Features/Import/ImportEndpoints.cs

@@ -6,6 +6,7 @@
 using Honua.Server.Features.Infrastructure.Authentication;
 using Honua.Server.Features.Infrastructure.Models;
 using Honua.Server.Features.Infrastructure.Security;
+using Microsoft.Extensions.Options;
 
 namespace Honua.Server.Features.Import;
 
@@ -158,9 +159,11 @@ await ProblemDetailsHelpers.CreateAdminProblem(
         }
 
         IFileImportService importService = context.RequestServices.GetRequiredService<IFileImportService>();
+        var securityOptions = context.RequestServices.GetRequiredService<IOptions<FileUploadSecurityOptions>>();
         var previewValidation = await FileUploadSecurity.ValidateFileAsync(
             file,
             importService.Limits.MaxPreviewSizeBytes,
+            securityOptions.Value.MaxSecurityScanSizeBytes,
             cancellationToken);
         if (!previewValidation.IsValid)
         {
@@ -244,10 +247,12 @@ await WriteErrorAsync(context, "Invalid table name. Use only letters, numbers, a
         }
 
         IFileImportService importService = context.RequestServices.GetRequiredService<IFileImportService>();
+        var securityOptions = context.RequestServices.GetRequiredService<IOptions<FileUploadSecurityOptions>>();
         var maxFileSizeBytes = Math.Max(importService.Limits.BackgroundJobThresholdBytes, importService.Limits.MaxMemoryBytes);
         var uploadValidation = await FileUploadSecurity.ValidateFileAsync(
             file,
             maxFileSizeBytes,
+            securityOptions.Value.MaxSecurityScanSizeBytes,
             cancellationToken);
         if (!uploadValidation.IsValid)
         {

src/Honua.Server/Features/Infrastructure/Caching/ETagService.cs

@@ -16,6 +16,8 @@ internal sealed class ETagService : IETagService
 {
     private const int HashSize = 32; // SHA256 hash size in bytes
     private const int Base64HashSize = 44; // Base64-encoded SHA256 size (rounded up to nearest 4-byte boundary)
+    // Base64-encoded SHA256 hash of empty content with padding trimmed to match ComputeETag formatting.
+    private const string EmptyContentHash = "47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU";
 
     /// <summary>
     /// Computes an ETag for a given object by serializing it and hashing the content.
@@ -44,8 +46,8 @@ public string ComputeETag(ReadOnlySpan<byte> data)
     {
         if (data.IsEmpty)
         {
-            // Return a consistent ETag for empty content
-            return "\"d41d8cd98f00b204e9800998ecf8427e\"";
+            // Return a consistent ETag for empty content (SHA256 hash of empty payload).
+            return $"\"{EmptyContentHash}\"";
         }
 
         // Compute SHA256 hash
@@ -122,13 +124,12 @@ public bool IsModified(string? ifNoneMatch, string currentETag)
         // Parse multiple ETags (comma-separated)
         var etags = ifNoneMatch.Split(',', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries);
 
+        var current = ParseETag(currentETag);
         foreach (var etag in etags)
         {
-            // Normalize ETags for comparison (remove quotes if present)
-            var normalizedIfNoneMatch = NormalizeETag(etag);
-            var normalizedCurrent = NormalizeETag(currentETag);
-
-            if (string.Equals(normalizedIfNoneMatch, normalizedCurrent, StringComparison.Ordinal))
+            // If-None-Match uses weak comparison for GET/HEAD.
+            var candidate = ParseETag(etag);
+            if (string.Equals(candidate.Value, current.Value, StringComparison.Ordinal))
             {
                 return false; // ETag matches, resource not modified
             }
@@ -161,13 +162,17 @@ public bool MatchesPrecondition(string? ifMatch, string currentETag)
         // Parse multiple ETags (comma-separated)
         var etags = ifMatch.Split(',', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries);
 
+        var current = ParseETag(currentETag);
         foreach (var etag in etags)
         {
-            // Normalize ETags for comparison (remove quotes if present)
-            var normalizedIfMatch = NormalizeETag(etag);
-            var normalizedCurrent = NormalizeETag(currentETag);
+            // If-Match requires strong comparison; weak tags never match.
+            var candidate = ParseETag(etag);
+            if (candidate.IsWeak || current.IsWeak)
+            {
+                continue;
+            }
 
-            if (string.Equals(normalizedIfMatch, normalizedCurrent, StringComparison.Ordinal))
+            if (string.Equals(candidate.Value, current.Value, StringComparison.Ordinal))
             {
                 return true; // ETag matches, precondition passes
             }
@@ -203,26 +208,27 @@ public void SetCacheHeaders(HttpResponse response, string etag, DateTimeOffset?
         }
     }
 
-    /// <summary>
-    /// Normalizes an ETag by removing surrounding quotes and whitespace.
-    /// </summary>
-    /// <param name="etag">The ETag to normalize</param>
-    /// <returns>The normalized ETag without quotes</returns>
-    private static string NormalizeETag(string etag)
+    private static (string Value, bool IsWeak) ParseETag(string etag)
     {
-        if (string.IsNullOrEmpty(etag))
+        if (string.IsNullOrWhiteSpace(etag))
         {
-            return string.Empty;
+            return (string.Empty, false);
         }
 
         var trimmed = etag.Trim();
+        var isWeak = false;
+
+        if (trimmed.StartsWith("W/", StringComparison.OrdinalIgnoreCase))
+        {
+            isWeak = true;
+            trimmed = trimmed[2..].TrimStart();
+        }
 
-        // Remove quotes if present
         if (trimmed.StartsWith('"') && trimmed.EndsWith('"') && trimmed.Length >= 2)
         {
-            return trimmed[1..^1];
+            trimmed = trimmed[1..^1];
         }
 
-        return trimmed;
+        return (trimmed, isWeak);
     }
 }