security: fix auth SQLi and add request timeouts in x2text-service

Author: RinZ27

x2text-service/app/authentication_middleware.py

@@ -8,6 +8,7 @@
 
 
 def authentication_middleware(func: Any) -> Any:
+    """Decorator to enforce bearer token authentication on flask routes."""
     def wrapper(*args: Any, **kwargs: Any) -> Any:
         token = AuthenticationMiddleware.get_token_from_auth_header(request)
         # Check if bearer token exists and validate it
@@ -23,13 +24,14 @@ def wrapper(*args: Any, **kwargs: Any) -> Any:
 class AuthenticationMiddleware:
     @classmethod
     def validate_bearer_token(cls, token: str | None) -> bool:
+        """Validate the provided bearer token against the database."""
         try:
             if token is None:
                 current_app.logger.error("Authentication failed. Empty bearer token")
                 return False
             platform_key_table = f'"{Env.DB_SCHEMA}".{DBTable.PLATFORM_KEY}'
-            query = f"SELECT * FROM {platform_key_table} WHERE key = '{token}'"
-            cursor = be_db.execute_sql(query)
+            query = f"SELECT * FROM {platform_key_table} WHERE key = %s"
+            cursor = be_db.execute_sql(query, (token,))
             result_row = cursor.fetchone()
             cursor.close()
             if not result_row or len(result_row) == 0:
@@ -62,6 +64,7 @@ def validate_bearer_token(cls, token: str | None) -> bool:
 
     @classmethod
     def get_token_from_auth_header(cls, request: Request) -> str | None:
+        """Extract the bearer token from the Authorization header."""
         try:
             bearer_token = request.headers.get("Authorization")
             if not bearer_token:
@@ -99,6 +102,7 @@ def get_organization_from_bearer_token(cls, token: str) -> tuple[int | None, str
 
     @classmethod
     def execute_query(cls, query: str, params: tuple = ()) -> Any:
+        """Execute a SQL query and return the first result."""
         cursor = be_db.execute_sql(query, params)
         result_row = cursor.fetchone()
         cursor.close()

x2text-service/app/controllers/controller.py

@@ -26,13 +26,15 @@
 
 @basic.route("/health", methods=["GET"])
 def health() -> str:
+    """Check the health status of the service."""
     logging.info("Checking health from : %s", request.remote_addr)
     return "OK"
 
 
 @basic.route("/test-connection", methods=["POST"])
 @authentication_middleware
 def test_connection() -> Any:
+    """Test the connection to the Unstructured API."""
     logging.info("Received a test connection request from %s", request.remote_addr)
     form_data = dict(request.form)
     unstructured_api_key = X2TextUtil.get_value_for_key(UNSTRUCTURED_API_KEY, form_data)
@@ -54,7 +56,7 @@ def test_connection() -> Any:
             headers=headers,
             data=None,
             files=files,
-            timeout=None,
+            timeout=60,
         )
 
         if response.status_code == 400:
@@ -76,6 +78,7 @@ def test_connection() -> Any:
 @basic.route("/process", methods=["POST"])
 @authentication_middleware
 def process() -> Any:
+    """Process a document for text extraction."""
     logging.info("Received a doc processing request from %s", request.remote_addr)
     form_data = dict(request.form)
     url = X2TextUtil.get_value_for_key(UNSTRUCTURED_URL, form_data)
@@ -122,7 +125,7 @@ def process() -> Any:
         headers=headers,
         data=payload,
         files=files,
-        timeout=None,
+        timeout=60,
     )
     if response.ok:
         json_response = response.json()