security: implement pentest remediation (PROXY-001, BURN-001, RATE-001)

PROXY-001: Add startup warning when TRUSTED_PROXY_SECRET empty in production - validate_security_config() checks for missing proxy secret - Additional warning when PKI enabled without proxy secret - Tests for security configuration validation BURN-001: HEAD requests now trigger burn-after-read deletion - Prevents attacker from probing paste existence before retrieval - Updated test to verify new behavior RATE-001: Add RATE_LIMIT_MAX_ENTRIES to cap memory usage - Default 10000 unique IPs tracked - Prunes oldest entries when limit exceeded - Protects against memory exhaustion DoS Test count: 284 -> 291 (7 new security tests)
2025-12-24 21:42:15 +01:00
parent bebc6e0354
commit 89eee3378a
10 changed files with 271 additions and 15 deletions
--- a/tests/test_security.py
+++ b/tests/test_security.py
@@ -1,6 +1,105 @@
 """Security-focused tests for FlaskPaste."""

 import json
+import logging
+
+
+class TestSecurityConfigValidation:
+    """Tests for security configuration validation at startup."""
+
+    def test_proxy_secret_warning_in_production(self, app, caplog):
+        """Warning logged when TRUSTED_PROXY_SECRET not set in production mode."""
+        from app import validate_security_config
+
+        # Simulate production: debug=False, TESTING=False
+        original_debug = app.debug
+        original_testing = app.config.get("TESTING")
+        original_secret = app.config.get("TRUSTED_PROXY_SECRET", "")
+
+        try:
+            app.debug = False
+            app.config["TESTING"] = False
+            app.config["TRUSTED_PROXY_SECRET"] = ""
+
+            with caplog.at_level(logging.WARNING):
+                validate_security_config(app)
+
+            assert "TRUSTED_PROXY_SECRET is not set" in caplog.text
+            assert "SECURITY WARNING" in caplog.text
+        finally:
+            app.debug = original_debug
+            app.config["TESTING"] = original_testing
+            app.config["TRUSTED_PROXY_SECRET"] = original_secret
+
+    def test_no_warning_when_proxy_secret_set(self, app, caplog):
+        """No warning when TRUSTED_PROXY_SECRET is properly configured."""
+        from app import validate_security_config
+
+        original_debug = app.debug
+        original_testing = app.config.get("TESTING")
+        original_secret = app.config.get("TRUSTED_PROXY_SECRET", "")
+
+        try:
+            app.debug = False
+            app.config["TESTING"] = False
+            app.config["TRUSTED_PROXY_SECRET"] = "my-secure-secret"
+
+            with caplog.at_level(logging.WARNING):
+                validate_security_config(app)
+
+            assert "TRUSTED_PROXY_SECRET is not set" not in caplog.text
+        finally:
+            app.debug = original_debug
+            app.config["TESTING"] = original_testing
+            app.config["TRUSTED_PROXY_SECRET"] = original_secret
+
+    def test_no_warning_in_debug_mode(self, app, caplog):
+        """No warning in debug mode even without proxy secret."""
+        from app import validate_security_config
+
+        original_debug = app.debug
+        original_secret = app.config.get("TRUSTED_PROXY_SECRET", "")
+        original_pki = app.config.get("PKI_ENABLED", False)
+
+        try:
+            app.debug = True
+            app.config["TRUSTED_PROXY_SECRET"] = ""
+            app.config["PKI_ENABLED"] = False
+
+            caplog.clear()
+            with caplog.at_level(logging.WARNING):
+                validate_security_config(app)
+
+            assert "TRUSTED_PROXY_SECRET is not set" not in caplog.text
+        finally:
+            app.debug = original_debug
+            app.config["TRUSTED_PROXY_SECRET"] = original_secret
+            app.config["PKI_ENABLED"] = original_pki
+
+    def test_pki_warning_without_proxy_secret(self, app, caplog):
+        """Warning when PKI enabled but no proxy secret."""
+        from app import validate_security_config
+
+        original_debug = app.debug
+        original_testing = app.config.get("TESTING")
+        original_secret = app.config.get("TRUSTED_PROXY_SECRET", "")
+        original_pki = app.config.get("PKI_ENABLED", False)
+
+        try:
+            app.debug = False
+            app.config["TESTING"] = False
+            app.config["TRUSTED_PROXY_SECRET"] = ""
+            app.config["PKI_ENABLED"] = True
+
+            with caplog.at_level(logging.WARNING):
+                validate_security_config(app)
+
+            assert "PKI is enabled but TRUSTED_PROXY_SECRET is not set" in caplog.text
+        finally:
+            app.debug = original_debug
+            app.config["TESTING"] = original_testing
+            app.config["TRUSTED_PROXY_SECRET"] = original_secret
+            app.config["PKI_ENABLED"] = original_pki


 class TestSecurityHeaders: