rene/banyaro
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Security Nice-to-Have: Dockerfile, Magic-Bytes, Path-Traversal, TABLE_MAP, Deps

Browse source 
- Dockerfile: non-root user appuser, chown /data + /app
- media_utils: validate_upload() Magic-Byte-Check (JPEG/PNG/GIF/WebP/MP4/WebM)
- media_utils: safe_media_path() Path-Traversal-Schutz beim Löschen
- diary/health/dogs: safe_media_path() statt os.path.join + lstrip
- diary: validate_upload() vor jedem Medien-Upload
- forum: _LIKE_TABLE dict statt dynamischer String-Interpolation
- requirements: uvicorn 0.34, PyJWT 2.10.1, pydantic 2.10.6, bcrypt 4.3, httpx 0.28.1, anthropic 0.49
- SW by-v319, APP_VER 307
This commit is contained in:
rene 2026-04-23 18:42:05 +02:00
parent 15f854d96c
commit 71e588a240
9 changed files with 100 additions and 29 deletions
Download patch file Download diff file Expand all files Collapse all files

14
backend/routes/health.py
View file

@ -7,6 +7,7 @@ from pydantic import BaseModel
from typing import Optional
from database import db
from auth import get_current_user
from media_utils import safe_media_path
router = APIRouter()
MEDIA_DIR = os.getenv("MEDIA_DIR", "/data/media")
@ -219,10 +220,8 @@ async def delete_dokument(dog_id: int, entry_id: int, user=Depends(get_current_u
datei_url = entry["datei_url"]
if datei_url:
# datei_url z.B. "/media/health/health_42_abc12345.pdf"
filename = datei_url.lstrip("/media/")
path = os.path.join(MEDIA_DIR, filename)
if os.path.isfile(path):
path = safe_media_path(MEDIA_DIR, datei_url)
if path and os.path.isfile(path):
os.remove(path)
conn.execute(
@ -338,9 +337,10 @@ async def delete_media_item(dog_id: int, entry_id: int, media_id: int,
).fetchone()
if not row:
raise HTTPException(404, "Medium nicht gefunden.")
file_path = os.path.join(MEDIA_DIR, row["url"].lstrip("/media/"))
try: os.remove(file_path)
except OSError: pass
file_path = safe_media_path(MEDIA_DIR, row["url"])
if file_path:
try: os.remove(file_path)
except OSError: pass
conn.execute("DELETE FROM health_media WHERE id=?", (media_id,))