claw/flaskpaste
1
0
Fork 1
forked from username/flaskpaste
Code Pull Requests Activity

docs: complete penetration testing status update

Browse Source 
All pentest items now complete:
- CLI security audit (clipboard, permissions)
- DoS memory exhaustion (fixed lookup rate limit)
- Race conditions (all protected by locks)
This commit is contained in:
Username
2025-12-26 00:17:11 +01:00
parent 4f5da8ca66
commit c1d2e39b09
1 changed files with 29 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
documentation/security-testing-status.md
View File

@@ -119,13 +119,34 @@ Not tested (no signature defined):
```
[x] Race condition: Burn-after-read via HEAD then GET (SAFE)
[ ] Race condition: Content hash deduplication counter
[ ] DoS: Memory exhaustion via unique IP rate limits
[ ] DoS: Anti-flood list growth under load
[ ] CLI: Clipboard command injection validation
[ ] CLI: Certificate file permission exposure
[x] Race condition: Content hash deduplication counter (SAFE - locked)
[x] DoS: Memory exhaustion via unique IP rate limits (FIXED)
[x] DoS: Anti-flood list growth under load (SAFE - bounded)
[x] CLI: Clipboard command injection validation (SAFE)
[x] CLI: Certificate file permission exposure (SAFE - 0o600)
```
### CLI Security Audit (2025-12-26)
| Check | Status |
|-------|--------|
| Trusted clipboard path validation | PASS |
| PATH injection prevention | PASS |
| Subprocess safety (no shell=True) | PASS |
| Config permission warnings | PASS |
| Key file permissions (0o600) | PASS |
| Symlink attacks | LOW RISK |
### Memory Exhaustion Tests (2025-12-26)
| Component | Protection | Status |
|-----------|------------|--------|
| Anti-flood list | ANTIFLOOD_MAX_ENTRIES (10000) | PASS |
| Rate limit dict | RATE_LIMIT_MAX_ENTRIES (10000) | PASS |
| Lookup rate limit | LOOKUP_RATE_LIMIT_MAX_ENTRIES (10000) | FIXED |
| Content dedup | Database + PoW | PASS |
| Concurrent access | Thread-safe with locks | PASS |
### Documentation
```
@@ -173,6 +194,9 @@ python /tmp/prod_fuzz.py
| Constant-time password check | PBKDF2 600k iterations | Yes |
| Burn-after-read race condition | HEAD triggers deletion | Yes |
| RIFF container detection | Subtype check (WEBP/AVI/WAVE) | Yes |
| Clipboard command injection | Trusted path validation | Yes |
| Memory exhaustion prevention | Max entries on all dicts | Yes |
| Race condition protection | Threading locks on counters | Yes |
---