add minimum size and binary content enforcement

2025-12-20 17:46:49 +01:00
parent 01ee337936
commit 28ee2bae31
2 changed files with 58 additions and 0 deletions
--- a/app/config.py
+++ b/app/config.py
@@ -15,6 +15,9 @@ class Config:
    PASTE_ID_LENGTH = int(os.environ.get("FLASKPASTE_ID_LENGTH", "12"))

    # Paste size limits
+    # Minimum size enforces encryption overhead (IV + tag + ciphertext)
+    # AES-256-GCM: 12 byte IV + 16 byte tag = 28 bytes minimum, ~40 base64
+    MIN_PASTE_SIZE = int(os.environ.get("FLASKPASTE_MIN_SIZE", 0))  # 0 = disabled
    MAX_PASTE_SIZE_ANON = int(os.environ.get("FLASKPASTE_MAX_ANON", 3 * 1024 * 1024))  # 3MiB
    MAX_PASTE_SIZE_AUTH = int(os.environ.get("FLASKPASTE_MAX_AUTH", 50 * 1024 * 1024))  # 50MiB
    MAX_CONTENT_LENGTH = MAX_PASTE_SIZE_AUTH  # Flask request limit
@@ -36,6 +39,11 @@ class Config:
    # Minimum size for entropy check (small data has unreliable entropy measurement)
    MIN_ENTROPY_SIZE = int(os.environ.get("FLASKPASTE_MIN_ENTROPY_SIZE", 256))

+    # Require binary content (reject recognizable formats)
+    # When enabled, rejects content with known magic bytes (PNG, JPEG, PDF, etc.)
+    # and valid UTF-8 text. Only application/octet-stream allowed.
+    REQUIRE_BINARY = os.environ.get("FLASKPASTE_REQUIRE_BINARY", "0").lower() in ("1", "true", "yes")
+
    # Reverse proxy trust configuration
    # SECURITY: The X-SSL-Client-SHA1 header is trusted for authentication.
    # This header MUST only come from a trusted reverse proxy that validates