Security Nice-to-Have: Dockerfile, Magic-Bytes, Path-Traversal, TABLE_MAP, Deps
- Dockerfile: non-root user appuser, chown /data + /app - media_utils: validate_upload() Magic-Byte-Check (JPEG/PNG/GIF/WebP/MP4/WebM) - media_utils: safe_media_path() Path-Traversal-Schutz beim Löschen - diary/health/dogs: safe_media_path() statt os.path.join + lstrip - diary: validate_upload() vor jedem Medien-Upload - forum: _LIKE_TABLE dict statt dynamischer String-Interpolation - requirements: uvicorn 0.34, PyJWT 2.10.1, pydantic 2.10.6, bcrypt 4.3, httpx 0.28.1, anthropic 0.49 - SW by-v319, APP_VER 307
This commit is contained in:
parent
15f854d96c
commit
71e588a240
9 changed files with 100 additions and 29 deletions
10
Dockerfile
10
Dockerfile
|
|
@ -8,6 +8,9 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
|
|||
ffmpeg \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
|
||||
# Non-root user für sichereren Betrieb
|
||||
RUN adduser --disabled-password --gecos "" appuser
|
||||
|
||||
# Python-Dependencies zuerst (Docker Layer Cache)
|
||||
COPY backend/requirements.txt .
|
||||
RUN pip install --no-cache-dir -r requirements.txt
|
||||
|
|
@ -15,8 +18,11 @@ RUN pip install --no-cache-dir -r requirements.txt
|
|||
# App-Code
|
||||
COPY backend/ .
|
||||
|
||||
# Media-Verzeichnis
|
||||
RUN mkdir -p /data/media/dogs /data/media/diary /data/media/poison
|
||||
# Media-Verzeichnis mit korrekten Rechten für appuser
|
||||
RUN mkdir -p /data/media/dogs /data/media/diary /data/media/poison \
|
||||
&& chown -R appuser:appuser /data /app
|
||||
|
||||
USER appuser
|
||||
|
||||
EXPOSE 8000
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue