docs: update documentation after pentest remediation

- TASKLIST.md: add pentest tasks to completed section
- TODO.md: add observation about pentest completion
- ROADMAP.md: update test count (301), add decision log entry
- PROJECT.md: update test count (301)
- SECURITY.md: remove obsolete limitations, add v1.5.0 changes
2025-12-24 23:33:15 +01:00
parent 3a76453828
commit 3059d533bc
5 changed files with 16 additions and 7 deletions


@@ -151,6 +151,6 @@ A self-hosted pastebin API that:
│ Public certificate registration │ Complete
│ CLI register command │ Complete
│ systemd deployment │ Complete (security-hardened)
│ Test suite │ 291 tests passing
│ Test suite │ 301 tests passing
└─────────────────────────────────┴────────────────────────────────────────────┘
```
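Review bot: the test count in this PROJECT.md status table is a hand-maintained literal that had already drifted before this commit (291 here, 284 and 283 in the two ROADMAP.md hunks of the same change) and is now set to 301 in all three places. Suggest keeping the number in one document and referencing it from the others, or pointing at the CI test job instead of a literal, so the three files cannot disagree again.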


@@ -29,7 +29,8 @@ FlaskPaste v1.5.0 is deployed with comprehensive security hardening and abuse pr
- CLI with list, search, update, export commands
- Public certificate registration (PoW-protected)
- CLI register command for certificate enrollment
- Comprehensive test suite (284 tests)
- Comprehensive test suite (301 tests)
- Complete security pentest remediation (15 items)
- PKI audit logging (certificate lifecycle events)
- Request duration metrics (Prometheus histogram)
- Memory leak detection in CI pipeline
@@ -48,7 +49,7 @@ Focus: Production readiness and operational excellence.
│ 4 │ Proxy trust validation │ Done
│ 5 │ Proof-of-work spam prevention │ Done
│ 6 │ Entropy enforcement │ Done
│ 7 │ Test coverage > 90% │ Done (283 tests)
│ 7 │ Test coverage > 90% │ Done (301 tests)
│ 8 │ Documentation complete │ Done
└───┴─────────────────────────────────┴────────────────────────────────────┘
```
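Review bot: in the row `│ 7 │ Test coverage > 90% │ Done (301 tests)` the updated number is a test count, not a coverage figure, so it does not evidence the "> 90%" status. Suggest recording the measured line/branch coverage (or a link to the coverage report) next to the count so the row is verifiable.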
@@ -188,6 +189,7 @@ These features will not be implemented:
| 2024-12 | Memory leak CI job | tracemalloc-based leak detection in CI
| 2024-12 | systemd service unit | Security-hardened deployment example
| 2024-12 | Rate limit headers | X-RateLimit-* on 201/429 responses
| 2024-12 | Pentest remediation complete | 15 security hardening items from formal review
## Review Schedule
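Review bot: the new decision-log row is dated `2024-12` while this commit's timestamp is 2025-12-24, and the neighbouring rows carry the same `2024-12` date. If these entries all describe work closed this month, the year is a typo to correct across the table; if not, the new row should carry the date the remediation actually completed.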


@@ -215,10 +215,8 @@ FLASKPASTE_POW_SECRET="$(openssl rand -hex 32)"
## Known Limitations
1. **No rate limiting per IP** - Delegated to reverse proxy
2. **No user accounts** - PKI handles identity
3. **No audit log** - Standard request logging only
4. **Single-node only** - SQLite limits horizontal scaling
1. **No user accounts** - PKI handles identity
2. **Single-node only** - SQLite limits horizontal scaling
## Reporting Vulnerabilities
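Review bot: deleting `1. **No rate limiting per IP** - Delegated to reverse proxy` removes the only sentence in Known Limitations that tells operators client-IP handling depends on the reverse proxy. With per-IP limiting now inside the application (the 1.4.0 row in the same file), the limit is only as reliable as the proxy trust configuration (`Proxy trust validation` in ROADMAP.md, PROXY-001 in TASKLIST.md), so suggest replacing the bullet rather than dropping it, e.g. "Per-IP rate limits depend on correctly configured proxy trust", instead of leaving the topic unmentioned.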
@@ -260,6 +258,8 @@ Security fixes are released as soon as possible. Subscribe to repository release
| Version | Security Changes |
|---------|------------------|
| 1.5.0 | Pentest remediation (15 items): timing attack prevention, serial collision detection, lookup rate limiting, content hash locking, anti-flood memory limits, CLI path validation, SSL hostname verification, config permission checks |
| 1.4.0 | Anti-flood dynamic PoW, IP-based rate limiting, audit logging |
| 1.2.0 | Password protection with PBKDF2, code modernization |
| 1.1.0 | E2E encryption, entropy enforcement, burn-after-read |
| 1.0.0 | Initial release with core security features |
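Review bot: the `1.5.0` row packs eight remediation categories into a single table cell with no link to the finding IDs used in TASKLIST.md, so a reader cannot map a security change back to the pentest report. Suggest a short list under the table keyed by finding ID (CRYPTO-001, TIMING-001, ...) and, since the table jumps from 1.2.0 to 1.4.0, an explicit 1.3.0 row stating "no security changes" if that is the case, so the gap is not read as an omission.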


@@ -28,6 +28,12 @@ Prioritized, actionable tasks. Each task is small and completable in one session
| Date | Task
|------------|--------------------------------------------------------------
| 2024-12 | Complete pentest remediation (CRYPTO-001, TIMING-001)
| 2024-12 | Complete pentest remediation (HASH-001, ENUM-001)
| 2024-12 | Complete pentest remediation (FLOOD-001, CLI-002, CLI-003, AUDIT-001)
| 2024-12 | Complete pentest remediation (RATE-001, RATE-002, CLI-001)
| 2024-12 | Complete pentest remediation (PROXY-001, BURN-001)
| 2024-12 | Create comprehensive penetration testing plan
| 2024-12 | Add systemd service unit example
| 2024-12 | Add rate limit headers (X-RateLimit-*)
| 2024-12 | Integrate PKI audit logging (CERT_ISSUED, CERT_REVOKED, AUTH_FAILURE)
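Review bot: the five remediation rows list 13 finding IDs in total (CRYPTO-001 through BURN-001), while ROADMAP.md and SECURITY.md in this same commit say "15 items"; either two IDs are missing from these rows or the count is wrong. Suggest reconciling the number here, and linking the rows to PENTEST_PLAN.md, especially as `Create comprehensive penetration testing plan` sits below the remediation rows it preceded and the table can be misread as chronological.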


@@ -17,6 +17,7 @@ Unstructured intake buffer for ideas, issues, and observations. Items here are r
## Observations
- Comprehensive pentest plan completed (PENTEST_PLAN.md) - all remediations implemented
- PKI uses AES-256-GCM for CA private key encryption (PBKDF2 key derivation)
- SHA1 fingerprints are X.509 standard, not security-relevant (usedforsecurity=False)
- Revoked certificates are soft-deleted (status tracked, not removed)
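Review bot: the added observation `all remediations implemented` duplicates the TASKLIST.md rows and the new ROADMAP.md decision-log entry without adding the per-finding status; since TODO.md is described as an intake buffer whose items get reviewed and moved, suggest either dropping this line now that the decision log records it or keeping the finding IDs here so it carries information of its own. On the context line below it, the claim that SHA-1 fingerprints are `not security-relevant` holds only while fingerprints are used for display; if they are ever used as a lookup key or for revocation matching (the CERT_REVOKED events in TASKLIST.md), that condition should be stated next to the `usedforsecurity=False` note.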