security: implement HASH-001 and ENUM-001 remediations

HASH-001: Add threading lock to content hash deduplication
- Prevents race condition between SELECT and UPDATE
- Ensures accurate dedup counting under concurrent load

ENUM-001: Add rate limiting to paste lookups
- Separate rate limiter for GET/HEAD on paste endpoints
- Default 60 requests/minute per IP (configurable)
- Prevents brute-force paste ID enumeration attacks

app/config.py

@@ -108,6 +108,16 @@ class Config:
         os.environ.get("FLASKPASTE_RATE_CLEANUP_THRESHOLD", "0.8")
     )
 
+    # ENUM-001: Rate limiting for paste lookups (prevents enumeration attacks)
+    # Separate from creation limits - allows more reads but prevents brute-force
+    LOOKUP_RATE_LIMIT_ENABLED = os.environ.get("FLASKPASTE_LOOKUP_RATE_LIMIT", "1").lower() in (
+        "1",
+        "true",
+        "yes",
+    )
+    LOOKUP_RATE_LIMIT_WINDOW = int(os.environ.get("FLASKPASTE_LOOKUP_RATE_WINDOW", "60"))
+    LOOKUP_RATE_LIMIT_MAX = int(os.environ.get("FLASKPASTE_LOOKUP_RATE_MAX", "60"))
+
     # Audit Logging
     # Track security-relevant events (paste creation, deletion, rate limits, etc.)
     AUDIT_ENABLED = os.environ.get("FLASKPASTE_AUDIT", "1").lower() in ("1", "true", "yes")
@@ -154,6 +164,11 @@ class TestingConfig(Config):
     RATE_LIMIT_WINDOW = 1
     RATE_LIMIT_MAX = 100
 
+    # Relaxed lookup rate limiting for tests (ENUM-001)
+    LOOKUP_RATE_LIMIT_ENABLED = True
+    LOOKUP_RATE_LIMIT_WINDOW = 1
+    LOOKUP_RATE_LIMIT_MAX = 1000
+
     # PKI testing configuration
     PKI_ENABLED = True
     PKI_CA_PASSWORD = "test-ca-password"