ansible/flaskpaste
1
0
Fork 0
forked from claw/flaskpaste
Code Pull Requests Activity

security: implement quick win remediations (FLOOD-001, CLI-002, CLI-003, AUDIT-001)

Browse Source 
FLOOD-001: Cap anti-flood request list at configurable max entries
- Add ANTIFLOOD_MAX_ENTRIES config (default 10000)
- Prune oldest entries when limit exceeded

CLI-002: Explicitly set SSL hostname verification
- Add ctx.check_hostname = True and ctx.verify_mode = CERT_REQUIRED
- Defense in depth (create_default_context sets these by default)

CLI-003: Warn on insecure config file permissions
- Check if config file is world-readable
- Print warning to stderr if permissions too open

AUDIT-001: Already implemented - query has LIMIT/OFFSET with 500 max
This commit is contained in:
Username
2025-12-24 23:02:55 +01:00
parent 1fbb69d7f9
commit da1beca893
4 changed files with 40 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
app/api/routes.py
View File

@@ -98,11 +98,18 @@ def record_antiflood_request() -> None:
decay = current_app.config["ANTIFLOOD_DECAY"]
base = current_app.config["POW_DIFFICULTY"]
max_entries = current_app.config.get("ANTIFLOOD_MAX_ENTRIES", 10000)
with _antiflood_lock:
# Clean old requests
cutoff = now - window
_antiflood_requests[:] = [t for t in _antiflood_requests if t > cutoff]
# FLOOD-001: Cap list size to prevent memory exhaustion
if len(_antiflood_requests) >= max_entries:
# Keep only the most recent half
_antiflood_requests[:] = _antiflood_requests[-(max_entries // 2) :]
# Record this request
_antiflood_requests.append(now)
count = len(_antiflood_requests)

2
app/config.py
View File

@@ -84,6 +84,8 @@ class Config:
ANTIFLOOD_STEP = int(os.environ.get("FLASKPASTE_ANTIFLOOD_STEP", "2")) # bits per step
ANTIFLOOD_MAX = int(os.environ.get("FLASKPASTE_ANTIFLOOD_MAX", "28")) # max difficulty
ANTIFLOOD_DECAY = int(os.environ.get("FLASKPASTE_ANTIFLOOD_DECAY", "60")) # seconds to decay
# FLOOD-001: Maximum entries in anti-flood request list (memory DoS protection)
ANTIFLOOD_MAX_ENTRIES = int(os.environ.get("FLASKPASTE_ANTIFLOOD_MAX_ENTRIES", "10000"))
# URL prefix for reverse proxy deployments (e.g., "/paste" for mymx.me/paste)
URL_PREFIX = os.environ.get("FLASKPASTE_URL_PREFIX", "").rstrip("/")