From bfb47da39875f3fb8e22318459b6e16c55ca49a7 Mon Sep 17 00:00:00 2001
From: Alex
Date: Tue, 14 Mar 2023 11:34:55 +0000
Subject: [PATCH] security things

---
 application/app.py  | 14 +++++++-------
 docker-compose.yaml | 11 ++++++++++-
 2 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/application/app.py b/application/app.py
index a136cc71..d31fadae 100644
--- a/application/app.py
+++ b/application/app.py
@@ -307,10 +307,10 @@ def upload_file():
     """Upload a file to get vectorized and indexed."""
     if 'user' not in request.form:
         return {"status": 'no user'}
-    user = request.form['user']
+    user = secure_filename(request.form['user'])
     if 'name' not in request.form:
         return {"status": 'no name'}
-    job_name = request.form['name']
+    job_name = secure_filename(request.form['name'])
     # check if the post request has the file part
     if 'file' not in request.files:
         print('No file part')
@@ -350,10 +350,10 @@ def upload_index_files():
     """Upload two files(index.faiss, index.pkl) to the user's folder."""
     if 'user' not in request.form:
         return {"status": 'no user'}
-    user = request.form['user']
+    user = secure_filename(request.form['user'])
     if 'name' not in request.form:
         return {"status": 'no name'}
-    job_name = request.form['name']
+    job_name = secure_filename(request.form['name'])
     if 'file_faiss' not in request.files:
         print('No file part')
         return {"status": 'no file'}
@@ -389,9 +389,9 @@ def upload_index_files():
 
 @app.route('/api/download', methods=['get'])
 def download_file():
-    user = request.args.get('user')
-    job_name = request.args.get('name')
-    filename = request.args.get('file')
+    user = secure_filename(request.args.get('user'))
+    job_name = secure_filename(request.args.get('name'))
+    filename = secure_filename(request.args.get('file'))
     save_dir = os.path.join(app.config['UPLOAD_FOLDER'], user, job_name)
     return send_from_directory(save_dir, filename, as_attachment=True)
 
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 2a968686..a30ec7a2 100644
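Review bot: `secure_filename` can return an empty string (for a value made only of dots, separators or non-ASCII characters), and the two new assignments in `upload_file` accept that result, so the later join of user and job_name collapses to the upload root, and distinct inputs can also collide on the same sanitized name; the matching lines in `upload_index_files` in the next hunk have the same gap. Add a guard after the second assignment, `if not user or not job_name: return {"status": 'invalid name'}`, or reject any value that `secure_filename` had to alter. The diffstat shows no import added in this commit; if `from werkzeug.utils import secure_filename` is not already present above this hunk, these lines fail with a NameError on the first request. The rest of `upload_file` lies outside the hunk.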
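Review bot: Sanitizing `user` and `job_name` in `upload_index_files` constrains only the target folder; the uploaded parts (`file_faiss` here and, per the docstring, an index.pkl) are presumably saved further down, outside the hunk, and if their client-supplied filenames are used unchanged the traversal this commit closes for the folder stays open for the file. Saving each part under a fixed name, e.g. `file.save(os.path.join(save_dir, 'index.faiss'))`, removes that dependency on client input. Since `.pkl` is a pickle the server presumably deserializes later, the code that loads it should treat the upload as untrusted data regardless of the folder sanitization. `upload_index_files` continues outside the hunk.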
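Review bot: `request.args.get` returns None for a missing parameter and `secure_filename` does not accept None, so the three new lines in `download_file` turn a missing `user`, `name` or `file` into an unhandled exception (a 500) instead of a client error, and an empty sanitized value makes `save_dir` collapse to the upload root. Default the lookups to `''` and reject empty results before building the path, as below. Separately, `user` is still taken from the query string, so the sanitization prevents traversal but not one caller naming another user's folder; unless an authentication layer outside this hunk binds the identity, the user component should come from the session rather than the request.
```python
@app.route('/api/download', methods=['get'])
def download_file():
    user = secure_filename(request.args.get('user', ''))
    job_name = secure_filename(request.args.get('name', ''))
    filename = secure_filename(request.args.get('file', ''))
    # secure_filename() may strip a value to nothing; an empty component would
    # make save_dir collapse to the upload root, so refuse rather than serve.
    if not (user and job_name and filename):
        return {"status": 'bad request'}, 400
    # … unchanged: save_dir / send_from_directory …
```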
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -14,6 +14,14 @@ services:
     build: ./application
     ports:
       - "5001:5001"
+    volumes:
+      - app_data_container:/app
+    depends_on:
+      - redis
+      - mongo
+  worker:
+    build: ./application
+    command: celery -A app.celery worker -l info
     depends_on:
       - redis
       - mongo
@@ -33,4 +41,5 @@ services:
 
 
 volumes:
-  mongodb_data_container:
\ No newline at end of file
+  mongodb_data_container:
+  app_data_container:
\ No newline at end of file
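Review bot: The new `worker` service does not mount `app_data_container`, while the `app` service now does, so anything the web process writes under /app (uploads, built indexes) is invisible to the celery worker running in its own container; add the same `volumes:` / `- app_data_container:/app` entry under `worker`. Mounting a named volume over /app, which `build: ./application` presumably populates with the application code, also means the volume's first-run copy shadows the image on later rebuilds — a dedicated data directory (the upload folder, for example) is a safer mount point than the code root. Whether the worker actually reads the upload folder is not visible in this hunk.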