feat: FASE 7 - Polish & Testing (security, i18n, test suite, docs)

Security hardening: CORS lockdown, rate limiting middleware con sliding window e eviction IP stale, security headers (CSP, HSTS, X-Frame-Options), session cookie hardening, filename sanitization upload. i18n completion: internazionalizzati barcode.js e csv-export.js con bridge window.BARCODE_I18N/CSV_I18N, aggiornati .po IT/EN con 27 nuove stringhe. Tablet UX: touch target 44px per dispositivi coarse pointer. Test suite: 101 test totali (76 server + 25 client), copertura completa di tutti i router API, autenticazione, ruoli, CRUD, SPC, file upload, security integration. Infrastruttura SQLite async in-memory con fixtures. Fix critici: MissingGreenlet in recipe_service (selectinload eager), route ordering tasks.py, auth_service bcrypt diretto, Measurement.id Integer per SQLite. Documentazione: API.md (riferimento completo 40+ endpoint), DEPLOYMENT.md (guida produzione con Docker/Nginx/SSL), USER_GUIDE.md (manuale utente per ruolo). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-07 17:10:24 +01:00
parent 26e5b9343d
commit dd2ebf863a
46 changed files with 6322 additions and 90 deletions
@@ -1,5 +1,6 @@
 """File upload/download/delete router for images and PDFs."""
 import os
+import re
 from pathlib import Path

 from fastapi import APIRouter, Depends, File, HTTPException, UploadFile, status
@@ -29,6 +30,41 @@ def validate_file_size(file_size: int) -> bool:
    return file_size <= max_bytes


+def sanitize_filename(filename: str) -> str:
+    """Sanitize an uploaded filename to prevent path traversal and injection.
+
+    - Strips directory path separators (/ and \\).
+    - Only allows alphanumeric characters, dots, hyphens, and underscores.
+    - Rejects filenames starting with '.' (hidden files).
+    - Rejects empty filenames.
+
+    Returns:
+        The sanitized filename.
+
+    Raises:
+        HTTPException: If filename is empty or starts with '.'.
+    """
+    # Strip any path separators to prevent directory traversal
+    filename = filename.replace("/", "").replace("\\", "")
+
+    # Remove any characters not in the allowed set
+    filename = re.sub(r"[^a-zA-Z0-9._-]", "", filename)
+
+    if not filename:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Filename is empty or contains only invalid characters.",
+        )
+
+    if filename.startswith("."):
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Filenames starting with '.' are not allowed.",
+        )
+
+    return filename
+
+
 def generate_thumbnail(image_path: Path, thumbnail_path: Path, max_size: tuple[int, int] = (200, 200)):
    """Generate a thumbnail for an image."""
    try:
@@ -78,15 +114,18 @@ async def upload_file(

    storage_dir.mkdir(parents=True, exist_ok=True)

+    # Sanitize the uploaded filename
+    safe_filename = sanitize_filename(file.filename or "")
+
    # Generate unique filename if file already exists
-    file_path = storage_dir / file.filename
+    file_path = storage_dir / safe_filename
    counter = 1
    while file_path.exists():
-        name_parts = file.filename.rsplit(".", 1)
+        name_parts = safe_filename.rsplit(".", 1)
        if len(name_parts) == 2:
            file_path = storage_dir / f"{name_parts[0]}_{counter}.{name_parts[1]}"
        else:
-            file_path = storage_dir / f"{file.filename}_{counter}"
+            file_path = storage_dir / f"{safe_filename}_{counter}"
        counter += 1

    # Write file
@@ -180,46 +180,6 @@ async def create_task(
    return TaskResponse.model_validate(new_task)


-@router.put("/api/tasks/{task_id}", response_model=TaskResponse)
-async def update_task(
-    task_id: int,
-    data: TaskUpdate,
-    _user: User = Depends(require_maker),
-    db: AsyncSession = Depends(get_db),
-):
-    """Update a task. The task must belong to the current version. Requires Maker role."""
-    task = await _get_task_or_404(db, task_id)
-    await _ensure_version_is_current(db, task.version_id)
-
-    update_data = data.model_dump(exclude_unset=True)
-    if not update_data:
-        return TaskResponse.model_validate(task)
-
-    for field, value in update_data.items():
-        setattr(task, field, value)
-
-    await db.flush()
-    await db.refresh(task, attribute_names=["subtasks"])
-    return TaskResponse.model_validate(task)
-
-
-@router.delete("/api/tasks/{task_id}", status_code=204)
-async def delete_task(
-    task_id: int,
-    _user: User = Depends(require_maker),
-    db: AsyncSession = Depends(get_db),
-):
-    """Delete a task and its subtasks. The task must belong to the current version.
-
-    Requires Maker role.
-    """
-    task = await _get_task_or_404(db, task_id)
-    await _ensure_version_is_current(db, task.version_id)
-
-    await db.delete(task)
-    await db.flush()
-
-
@router.put("/api/tasks/reorder", response_model=list[TaskResponse])
 async def reorder_tasks(
    data: TaskReorderRequest,
@@ -270,6 +230,46 @@ async def reorder_tasks(
    return [TaskResponse.model_validate(t) for t in ordered]


+@router.put("/api/tasks/{task_id}", response_model=TaskResponse)
+async def update_task(
+    task_id: int,
+    data: TaskUpdate,
+    _user: User = Depends(require_maker),
+    db: AsyncSession = Depends(get_db),
+):
+    """Update a task. The task must belong to the current version. Requires Maker role."""
+    task = await _get_task_or_404(db, task_id)
+    await _ensure_version_is_current(db, task.version_id)
+
+    update_data = data.model_dump(exclude_unset=True)
+    if not update_data:
+        return TaskResponse.model_validate(task)
+
+    for field, value in update_data.items():
+        setattr(task, field, value)
+
+    await db.flush()
+    await db.refresh(task, attribute_names=["subtasks"])
+    return TaskResponse.model_validate(task)
+
+
+@router.delete("/api/tasks/{task_id}", status_code=204)
+async def delete_task(
+    task_id: int,
+    _user: User = Depends(require_maker),
+    db: AsyncSession = Depends(get_db),
+):
+    """Delete a task and its subtasks. The task must belong to the current version.
+
+    Requires Maker role.
+    """
+    task = await _get_task_or_404(db, task_id)
+    await _ensure_version_is_current(db, task.version_id)
+
+    await db.delete(task)
+    await db.flush()
+
+
 # ---------------------------------------------------------------------------
 # Subtask endpoints
 # ---------------------------------------------------------------------------