security things

2025-11-29 08:33:20 +00:00 · 2023-03-14 11:34:55 +00:00
parent cb96d90563
commit bfb47da398
2 changed files with 17 additions and 8 deletions
--- a/application/app.py
+++ b/application/app.py
@@ -307,10 +307,10 @@ def upload_file():
    """Upload a file to get vectorized and indexed."""
    if 'user' not in request.form:
        return {"status": 'no user'}
-    user = request.form['user']
+    user = secure_filename(request.form['user'])
    if 'name' not in request.form:
        return {"status": 'no name'}
-    job_name = request.form['name']
+    job_name = secure_filename(request.form['name'])
    # check if the post request has the file part
    if 'file' not in request.files:
        print('No file part')
@@ -350,10 +350,10 @@ def upload_index_files():
    """Upload two files(index.faiss, index.pkl) to the user's folder."""
    if 'user' not in request.form:
        return {"status": 'no user'}
-    user = request.form['user']
+    user = secure_filename(request.form['user'])
    if 'name' not in request.form:
        return {"status": 'no name'}
-    job_name = request.form['name']
+    job_name = secure_filename(request.form['name'])
    if 'file_faiss' not in request.files:
        print('No file part')
        return {"status": 'no file'}
@@ -389,9 +389,9 @@ def upload_index_files():

@app.route('/api/download', methods=['get'])
 def download_file():
-    user = request.args.get('user')
-    job_name = request.args.get('name')
-    filename = request.args.get('file')
+    user = secure_filename(request.args.get('user'))
+    job_name = secure_filename(request.args.get('name'))
+    filename = secure_filename(request.args.get('file'))
    save_dir = os.path.join(app.config['UPLOAD_FOLDER'], user, job_name)
    return send_from_directory(save_dir, filename, as_attachment=True)

--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -14,6 +14,14 @@ services:
    build: ./application
    ports:
      - "5001:5001"
+    volumes:
+      - app_data_container:/app
+    depends_on:
+        - redis
+        - mongo
+  worker:
+    build: ./application
+    command: celery -A app.celery worker -l info
    depends_on:
        - redis
        - mongo
@@ -33,4 +41,5 @@ services:


 volumes:
-  mongodb_data_container:
+  mongodb_data_container:
+  app_data_container: