claw/flaskpaste
1
0
Fork 1
forked from username/flaskpaste
Code Pull Requests Activity

add minimum size and binary content enforcement

Browse Source
This commit is contained in:
Username
2025-12-20 17:46:49 +01:00
parent 01ee337936
commit 28ee2bae31
2 changed files with 58 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
app/api/routes.py
View File

@@ -327,6 +327,29 @@ def detect_mime_type(content: bytes, content_type: str | None = None) -> str:
return "application/octet-stream"
def is_recognizable_format(content: bytes) -> tuple[bool, str | None]:
"""Check if content is a recognizable (likely unencrypted) format.
Returns (is_recognizable, detected_format).
Used to enforce encryption by rejecting known formats.
"""
# Check magic bytes
for magic, mime in MAGIC_SIGNATURES.items():
if content.startswith(magic):
if magic == b"RIFF" and len(content) >= 12 and content[8:12] != b"WEBP":
continue
return True, mime
# Check if valid UTF-8 text (plaintext)
try:
content.decode("utf-8")
return True, "text/plain"
except UnicodeDecodeError:
pass
return False, None
def generate_paste_id(content: bytes) -> str:
"""Generate unique paste ID from content hash and timestamp."""
data = content + str(time.time_ns()).encode()
@@ -425,6 +448,17 @@ class IndexView(MethodView):
authenticated=owner is not None,
)
# Minimum size check (enforces encryption overhead)
min_size = current_app.config.get("MIN_PASTE_SIZE", 0)
if min_size > 0 and content_size < min_size:
return error_response(
"Paste too small",
400,
size=content_size,
min_size=min_size,
hint="Encrypt content before uploading (-e flag in fpaste)",
)
# Entropy check
min_entropy = current_app.config.get("MIN_ENTROPY", 0)
min_entropy_size = current_app.config.get("MIN_ENTROPY_SIZE", 256)
@@ -445,6 +479,22 @@ class IndexView(MethodView):
hint="Encrypt content before uploading (-e flag in fpaste)",
)
# Binary content requirement (reject recognizable formats)
if current_app.config.get("REQUIRE_BINARY", False):
is_recognized, detected_format = is_recognizable_format(content)
if is_recognized:
current_app.logger.warning(
"Recognizable format rejected: %s from=%s",
detected_format,
request.remote_addr,
)
return error_response(
"Recognizable format not allowed",
400,
detected=detected_format,
hint="Encrypt content before uploading (-e flag in fpaste)",
)
# Deduplication check
content_hash = hashlib.sha256(content).hexdigest()
is_allowed, dedup_count = check_content_hash(content_hash)

8
app/config.py
View File

@@ -15,6 +15,9 @@ class Config:
PASTE_ID_LENGTH = int(os.environ.get("FLASKPASTE_ID_LENGTH", "12"))
# Paste size limits
# Minimum size enforces encryption overhead (IV + tag + ciphertext)
# AES-256-GCM: 12 byte IV + 16 byte tag = 28 bytes minimum, ~40 base64
MIN_PASTE_SIZE = int(os.environ.get("FLASKPASTE_MIN_SIZE", 0)) # 0 = disabled
MAX_PASTE_SIZE_ANON = int(os.environ.get("FLASKPASTE_MAX_ANON", 3 * 1024 * 1024)) # 3MiB
MAX_PASTE_SIZE_AUTH = int(os.environ.get("FLASKPASTE_MAX_AUTH", 50 * 1024 * 1024)) # 50MiB
MAX_CONTENT_LENGTH = MAX_PASTE_SIZE_AUTH # Flask request limit
@@ -36,6 +39,11 @@ class Config:
# Minimum size for entropy check (small data has unreliable entropy measurement)
MIN_ENTROPY_SIZE = int(os.environ.get("FLASKPASTE_MIN_ENTROPY_SIZE", 256))
# Require binary content (reject recognizable formats)
# When enabled, rejects content with known magic bytes (PNG, JPEG, PDF, etc.)
# and valid UTF-8 text. Only application/octet-stream allowed.
REQUIRE_BINARY = os.environ.get("FLASKPASTE_REQUIRE_BINARY", "0").lower() in ("1", "true", "yes")
# Reverse proxy trust configuration
# SECURITY: The X-SSL-Client-SHA1 header is trusted for authentication.
# This header MUST only come from a trusted reverse proxy that validates