security: implement pentest remediation (RATE-002, CLI-001)

RATE-002: Proactive rate limit cleanup when entries exceed threshold
- Add RATE_LIMIT_CLEANUP_THRESHOLD config (default 0.8)
- Trigger cleanup before hitting hard limit
- Prevents memory exhaustion under sustained load

CLI-001: Validate clipboard tool paths against trusted directories
- Add TRUSTED_CLIPBOARD_DIRS for Unix system paths
- Add TRUSTED_WINDOWS_PATTERNS for Windows validation
- Reject tools in user-writable locations (PATH hijack prevention)
- Use absolute paths in subprocess calls
Username
2025-12-24 22:03:17 +01:00
parent 89eee3378a
commit 1fbb69d7f9
6 changed files with 240 additions and 6 deletions


@@ -101,6 +101,10 @@ class Config:
RATE_LIMIT_AUTH_MULTIPLIER = int(os.environ.get("FLASKPASTE_RATE_AUTH_MULT", "5"))
# Maximum unique IPs tracked in rate limit storage (RATE-001: memory DoS protection)
RATE_LIMIT_MAX_ENTRIES = int(os.environ.get("FLASKPASTE_RATE_MAX_ENTRIES", "10000"))
# RATE-002: Cleanup threshold (0.0-1.0) - trigger cleanup when entries exceed this ratio
RATE_LIMIT_CLEANUP_THRESHOLD = float(
os.environ.get("FLASKPASTE_RATE_CLEANUP_THRESHOLD", "0.8")
)
# Audit Logging
# Track security-relevant events (paste creation, deletion, rate limits, etc.)