Description
Bug description
Using the API, it is possible to create a partition with special characters such as `\n` and `'`, but trying to delete the partition fails. Behavior replicated at https://ragondin-twake-staging.linagora.com/ and locally with the Docker CPU image.
To Reproduce
- Use the API on the Swagger documentation, e.g. at https://ragondin-twake-staging.linagora.com/
- Create any file in a partition that contains `'` in its identifier, using `POST /indexer/partition/{partition}/file/{file_id}`; for example `` !"#$%&'()*+,-.0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~ `` works
- `GET /partition/` and `GET /partition/check-file/{partition}/file/{file_id}` work as intended
- `GET /partition/{partition}` succeeds but does not quote special characters in the URL (either in `partition` or in `file_id`)
- `GET /partition/{partition}/file/{file_id}` fails with error 500: `Failed to fetch file chunks.`
- `DELETE /partition/{partition}` fails with error 404: `Partition not found.`
Expected behavior
If a partition name with special characters is successfully created, the server must be able to retrieve its files and delete it.
Additional context
The error is caused by unsafe string interpolation when filtering against the partition name or the file id.
Here's one of the problematic lines:

```python
filter=f"partition == '{partition}'",
```
Currently, the vulnerability has no impact since (as far as I know) Ragondin is not used by any end-user application with RBAC or frontend: there is no external UI that enables a user to specify a partition name. Therefore, only users who are authorized to create a partition can trigger the SQL injection.
API version
`/openapi.json`

```json
{
"openapi":"3.1.0",
"info":{"title":"FastAPI","version":"0.1.0"},
// ...
}
```
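As an added illustration of the interpolation bug described under Additional context (this is not code from the report or from Ragondin), the snippet below builds the filter expression the unsafe way and a hardened way, and uses a toy reader of the `partition == '<literal>'` shape to show which one the store can still parse. The backslash escape scheme, the allowlist regex and its length limit are assumptions, not something the issue specifies.

```python
import re

# Partition name from the bug report: printable ASCII without "/" and space (constructed from the issue text)
REPORTED_NAME = ('!"#$%&\'()*+,-.0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`'
                 'abcdefghijklmnopqrstuvwxyz{|}~')


def build_filter_unsafe(partition: str) -> str:
    """The interpolation quoted in the report: the raw value is pasted into the expression."""
    return f"partition == '{partition}'"


def escape_literal(value: str) -> str:
    """Escape the two characters that can end or alter a single-quoted literal.
    Assumption: the filter engine accepts C-style backslash escapes inside quotes."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def build_filter_safe(partition: str) -> str:
    """Same expression, but the value is escaped before it is quoted."""
    return f"partition == '{escape_literal(partition)}'"


def is_safe_identifier(name: str) -> bool:
    """Primary defence: reject names that would need escaping at creation time.
    The character set and the 128-character limit are assumptions for this example."""
    return re.fullmatch(r"[A-Za-z0-9_-]{1,128}", name) is not None


def parse_filter(expr: str):
    """Toy reader for `partition == '<literal>'` honouring backslash escapes.
    Returns the decoded literal, or None when the quoting is broken (the literal never
    closes, or text follows the closing quote), which is the state a real store rejects."""
    prefix = "partition == '"
    if not expr.startswith(prefix):
        return None
    out, i = [], len(prefix)
    while i < len(expr):
        ch = expr[i]
        if ch == "\\" and i + 1 < len(expr):      # escaped character: take it literally
            out.append(expr[i + 1])
            i += 2
            continue
        if ch == "'":                             # closing quote must be the last character
            return "".join(out) if i == len(expr) - 1 else None
        out.append(ch)
        i += 1
    return None                                   # unterminated literal
```

For the reported partition name the unsafe filter is unparseable while the escaped one round-trips, which matches the 500/404 symptoms above; the allowlist rejects that name outright.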