rene
71e588a240
- Dockerfile: non-root user appuser, chown /data + /app - media_utils: validate_upload() Magic-Byte-Check (JPEG/PNG/GIF/WebP/MP4/WebM) - media_utils: safe_media_path() Path-Traversal-Schutz beim Löschen - diary/health/dogs: safe_media_path() statt os.path.join + lstrip - diary: validate_upload() vor jedem Medien-Upload - forum: _LIKE_TABLE dict statt dynamischer String-Interpolation - requirements: uvicorn 0.34, PyJWT 2.10.1, pydantic 2.10.6, bcrypt 4.3, httpx 0.28.1, anthropic 0.49 - SW by-v319, APP_VER 307
29 lines
720 B
Docker
29 lines
720 B
Docker
FROM python:3.12-slim
|
|
|
|
WORKDIR /app
|
|
|
|
# System-Dependencies
|
|
RUN apt-get update && apt-get install -y --no-install-recommends \
|
|
gcc \
|
|
ffmpeg \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
# Non-root user für sichereren Betrieb
|
|
RUN adduser --disabled-password --gecos "" appuser
|
|
|
|
# Python-Dependencies zuerst (Docker Layer Cache)
|
|
COPY backend/requirements.txt .
|
|
RUN pip install --no-cache-dir -r requirements.txt
|
|
|
|
# App-Code
|
|
COPY backend/ .
|
|
|
|
# Media-Verzeichnis mit korrekten Rechten für appuser
|
|
RUN mkdir -p /data/media/dogs /data/media/diary /data/media/poison \
|
|
&& chown -R appuser:appuser /data /app
|
|
|
|
USER appuser
|
|
|
|
EXPOSE 8000
|
|
|
|
CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000", "--proxy-headers"]
|