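# Lab image: app.py served by gunicorn, built against a selectable sqlparse
# release so the vulnerable and patched stacks differ only in that package.
#
# NOTE(review): `3.11-slim` is a mutable tag; builds made at different times can
# pick up different interpreter and OS patch levels. Pin the base by digest
# (python:3.11-slim@sha256:<digest>) if vuln/patched results must stay
# comparable across rebuilds.
FROM python:3.11-slim

# Which sqlparse to install. Set per-stack from docker-compose:
#   vuln    -> 0.4.4 (last vulnerable release, CVE-2024-4340)
#   patched -> 0.5.0 (fixed release)
# Deliberately no default: an unset value must fail the build rather than
# produce an image whose sqlparse version nobody chose.
ARG SQLPARSE_VERSION

# Direct dependencies are pinned. Transitive ones (whatever flask and gunicorn
# pull in) still float with the package index at build time; install from a
# constraints or hash-checked requirements file if full reproducibility is
# needed.
# ${VAR:?msg} is expanded by the build shell, so a missing build arg stops the
# build here with a readable message instead of an opaque pip parse error on
# "sqlparse==".
RUN pip install --no-cache-dir \
        "sqlparse==${SQLPARSE_VERSION:?SQLPARSE_VERSION build arg is required}" \
        "flask==3.0.3" \
        "gunicorn==22.0.0"

# Unprivileged account for the server process. Fixed numeric IDs so runtimes
# that verify non-root (e.g. Kubernetes runAsNonRoot) can check them.
RUN groupadd --gid 10001 app \
    && useradd --uid 10001 --gid 10001 --no-create-home \
               --shell /usr/sbin/nologin app

WORKDIR /app
# app.py stays root-owned: the service account can read it but not modify it.
# NOTE(review): assumes app.py does not write under /app at runtime - confirm.
COPY app.py /app/app.py

# Run unbuffered so the worker's RecursionError traceback reaches the
# container log stream immediately (observable via `docker logs`).
ENV PYTHONUNBUFFERED=1

# Documentation only; 8000 is unprivileged, so the non-root user can bind it.
EXPOSE 8000

# Drop root before the server starts. The image deliberately hosts a parser
# with a known DoS in the vuln stack, so the process gets no more privilege
# than it needs.
USER 10001:10001

# Single sync worker so a worker death is unambiguous and easy to observe.
# --timeout 120 keeps gunicorn's worker-timeout kill well away from the
# request durations expected here, so a crash can be attributed to
# RecursionError rather than to the timeout. Access + error logs go to
# stdout/stderr.
# 0.0.0.0 is needed for the port to be reachable from outside the container;
# restrict exposure where the port is published (compose `ports:` bound to
# 127.0.0.1, or an internal-only network), especially for the vuln stack.
CMD ["gunicorn", \
     "--bind", "0.0.0.0:8000", \
     "--workers", "1", \
     "--worker-class", "sync", \
     "--timeout", "120", \
     "--access-logfile", "-", \
     "--error-logfile", "-", \
     "--capture-output", \
     "--log-level", "info", \
     "app:app"]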
