trottomv · trottomv · Sep 4, 2025
diff --git a/.env_temp b/.env_temp
@@ -1,4 +1,4 @@
-APP_IMAGE=python-insecure-app:latest
+APP_IMAGE=python-insecure-app:wolfi-distroless
 COMPOSE_FILE=docker-compose.yaml
 DEBUG=True
 [email protected]

diff --git a/Dockerfile.alpine b/Dockerfile.alpine
@@ -3,7 +3,7 @@
 FROM python:3.13-alpine@sha256:e5fa639e49b85986c4481e28faa2564b45aa8021413f31026c3856e5911618b1 AS alpine
 
 LABEL project="Python Insecure App" service="FastAPI" stage="alpine"
-# RUN python3 -m pip install --upgrade pip~=25.3
+RUN python3 -m pip install --upgrade pip~=25.3
 ENV NONROOT=nonroot \
 	LANG=C.UTF-8 \
 	LC_ALL=C.UTF-8 \

diff --git a/app/config.py b/app/config.py
@@ -10,6 +10,6 @@
 
 PUBLIC_IP_SERVICE_URL = os.getenv("PUBLIC_IP_SERVICE_URL")
 
-SUPER_SECRET_NAME = "John Ripper"  # FIXME: os.getenv("SUPER_SECRET_NAME")
+SUPER_SECRET_NAME = os.getenv("SUPER_SECRET_NAME")
 
-SUPER_SECRET_TOKEN = "5u93R53Cr3tT0k3n"  # FIXME: os.getenv("SUPER_SECRET_TOKEN")
+SUPER_SECRET_TOKEN = os.getenv("SUPER_SECRET_TOKEN")
diff --git a/app/main.py b/app/main.py
@@ -28,14 +28,13 @@ async def try_hack_me(name: str = config.SUPER_SECRET_NAME):
     """
     try:
         # Get the public IP address from an external service
-        public_ip_response = requests.get(config.PUBLIC_IP_SERVICE_URL)
+        public_ip_response = requests.get(config.PUBLIC_IP_SERVICE_URL, timeout=5)
         public_ip_response.raise_for_status()
     except (requests.HTTPError, requests.exceptions.InvalidSchema):
         public_ip = "Unknown"
     else:
         public_ip = public_ip_response.text
     name = name or config.SUPER_SECRET_NAME
-    content = f"<h1>Hello, {name}!</h1><h2>Public IP: <code>{public_ip}</code></h2>"
-    # https://fastapi.tiangolo.com/advanced/custom-response/#return-a-response
-    # FIXME: return HTMLResponse(content)
-    return Template(content).render()
+    content = "<h1>Hello, {{name}}!</h1><h2>Public IP: <code>{{public_ip}}</code></h2>"
+    # FIXME: https://fastapi.tiangolo.com/advanced/custom-response/#return-a-response
+    return Template(content).render(name=name, public_ip=public_ip)
diff --git a/caddy/Caddyfile b/caddy/Caddyfile
@@ -10,7 +10,7 @@
 (waf_rules) {
     coraza_waf {
         directives `
-            SecRuleEngine Off
+            SecRuleEngine On
             SecRequestBodyAccess On
             SecRequestBodyLimitAction Reject
             SecDebugLogLevel 9

diff --git a/requirements/common.in b/requirements/common.in
@@ -1,4 +1,4 @@
 -r base.in
-fastapi[standard]~=0.115.0
-jinja2~=3.0.0
+fastapi[standard]~=0.120.0
+jinja2~=3.1.0
 requests~=2.32.0
diff --git a/tests/test_main.py b/tests/test_main.py
@@ -35,8 +35,7 @@ def test_root(requests_mock):
         response.content.decode()
         == "<h1>Hello, Bob!</h1><h2>Public IP: <code>123.45.67.89</code></h2>"
     )
-    # TODO
-    # response = client.get("/?name={{7*6}}")
-    # assert response.status_code == 200
-    # assert "42" not in response.content.decode()
-    # assert "{{7*6}}" in response.content.decode()
+    response = client.get("/?name={{7*6}}")
+    assert response.status_code == 200
+    assert "42" not in response.content.decode()
+    assert "{{7*6}}" in response.content.decode()