[Flask] Question of outsourcing flask app

Gergely Polonkai gergely at polonkai.eu
Wed Jun 5 00:34:47 EDT 2019


Hello,

what you outline is not a terrible idea, and not too hard to code. However,
there are a lot of pitfalls, some of which were mentioned by others.

First, you should download the config before you initialise your app. This
isnʼt hard, you can do it with external commands as proposed before, or a
few lines of Python using the http or requests (and a lot more) libraries.

When you have your file, you should check its integrity. Is this file what
it claims to be? Was this file generated by a trusted party? You may ask
the people who generate the file to cryptographically sign it so you can
check it before deploying it. If the signature is not good, you can fall
back to a previous, good file. All this is especially true if you download
this file from a service on an external network so you can avoid
man-in-the-middle attacks.

Now that you know you can trust the file, you should still check for other
errors. Weʼre all humans and as such, make mistakes. The file might have
syntax errors, conflicting configuration options like “turn on caching” but
without a cache backend set, or the like.

And finally, you can fire up your app!

Happy Coding!

Gergely

On Tue, 4 Jun 2019, 20:51 matar fall, <matfall94 at gmail.com> wrote:

> Got it.
> Thank You for sharing your knowledge.
> I will handle and take into account all your suggestions.
> Regards.
>
> On Tue, 4 Jun 2019 at 19:35, keith macdonald <keith at the-sanctuary.biz> wrote:
>
>> I agree with Adil about the security risk - how would you know what's in the
>> remote file *before* it gets used?
>>
>> But, if you must go that route, how about running a Curl command from inside
>> the Python code, just before the Flask app is initialized? With the Curl
>> program saving the file to somewhere local.
>>
>> For example:
>>
>> # get remote file
>> import os
>> cmd = "C:/Curl/curl.exe www.test.fr/config.py -o C:/Download/config.py"
>> # or (instead of a Download folder) whatever folder is good for the local code.
>> os.system(cmd)
>>
>> # now start Flask app
>> import config as config
>> from flask import Flask
>> app = Flask(__name__)
>>
>> _______________________________________________
>> Flask mailing list
>> Flask at python.org
>> https://mail.python.org/mailman/listinfo/flask
>>
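The sequence Gergely describes above (check the signature, fall back to the previous good file, check for syntax errors and conflicting options, then start the app), as an added example that is not part of the original thread; the download step is left out so it runs offline. Assumptions: the config is shipped as JSON data rather than an importable config.py, HMAC-SHA256 with a shared key stands in for the cryptographic signature, and the option names CACHING and CACHE_BACKEND and all sample inputs are constructed.

```python
import hashlib
import hmac
import json

# Assumption: HMAC-SHA256 with a shared key stands in for a real public-key
# signature (e.g. Ed25519) so the example runs on the standard library alone.
SIGNING_KEY = b"constructed-demo-key"  # constructed value, not a real secret


def sign(payload: bytes, key: bytes = SIGNING_KEY) -> str:
    """What the trusted party who generates the file would run."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def signature_ok(payload: bytes, signature: str, key: bytes = SIGNING_KEY) -> bool:
    # compare_digest does not leak where the first mismatching byte is
    return hmac.compare_digest(sign(payload, key).encode(), signature.encode())


def validate(raw: bytes) -> dict:
    """Parse the file as data (never import or exec it), then check consistency."""
    cfg = json.loads(raw)  # raises ValueError on syntax errors
    if not isinstance(cfg, dict):
        raise ValueError("config must be a JSON object")
    if cfg.get("CACHING") and not cfg.get("CACHE_BACKEND"):
        raise ValueError("caching turned on but no cache backend set")
    return cfg


def select_config(downloaded: bytes, signature: str, last_good: bytes):
    """Return (config, source); use the previous good file on any failure."""
    if signature_ok(downloaded, signature):
        try:
            return validate(downloaded), "downloaded"
        except ValueError:
            pass  # correctly signed but broken: people make mistakes
    return validate(last_good), "last_good"


# Constructed sample inputs
LAST_GOOD = b'{"DEBUG": false, "CACHING": false}'
NEW = b'{"DEBUG": false, "CACHING": true, "CACHE_BACKEND": "redis"}'
TAMPERED = NEW.replace(b"false", b"true")  # modified after signing
CONFLICT = b'{"CACHING": true}'            # signed, but inconsistent

if __name__ == "__main__":
    cfg, source = select_config(NEW, sign(NEW), LAST_GOOD)
    print(source, cfg)  # next: app = Flask(__name__); app.config.from_mapping(cfg)
```

Only after `select_config` returns would the Flask app be created and the resulting dictionary loaded into `app.config`.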