Commit Graph

25 Commits

Author SHA1 Message Date
Username
9da33f786e fix lint issues across codebase 2025-12-20 17:20:27 +01:00
Username
adbb5be5c0 add security tooling and development workflow 2025-12-20 17:20:21 +01:00
- ruff for linting and formatting
- bandit for security scanning
- mypy for type checking
- pip-audit for dependency vulnerabilities
- Makefile with lint/format/security/test targets
Username
4e38517faf pki: add minimal certificate authority 2025-12-20 17:20:15 +01:00
- CA generation with encrypted private key storage (AES-256-GCM)
- Client certificate issuance with configurable validity
- Certificate revocation with status tracking
- SHA1 fingerprint integration with existing mTLS auth
- API endpoints: /pki/status, /pki/ca, /pki/issue, /pki/revoke
- CLI commands: fpaste pki status/issue/revoke
- Comprehensive test coverage
Username
7deba711d4 entropy: exempt small content from check 2025-12-20 08:48:13 +01:00
Small data has unreliable entropy measurement due to sample size.
MIN_ENTROPY_SIZE (default 256 bytes) sets the threshold.
Username
8addf2d9e8 add entropy enforcement for optional encryption requirement 2025-12-20 06:57:50 +01:00
Shannon entropy check rejects low-entropy content when MIN_ENTROPY > 0.
Encrypted data ~7.5-8.0 bits/byte, plaintext ~4.0-5.0 bits/byte.
Configurable via FLASKPASTE_MIN_ENTROPY environment variable.
Username
9ccd4225dd fpaste: add E2E encryption support 2025-12-20 06:51:35 +01:00
-e/--encrypt flag encrypts content with AES-256-GCM before upload.
Key is appended to URL fragment (#...), never sent to server.
Auto-detects key fragment on retrieval and decrypts locally.
Username
964698428c routes: use detected base URL in usage examples 2025-12-20 05:27:10 +01:00
Username
677d3e5ba1 client: also update help text with detected URL 2025-12-20 05:23:00 +01:00
Username
d6fb2e92af client: auto-detect server URL from request headers 2025-12-20 05:21:55 +01:00
Username
2272b1ff12 add /client endpoint to download fpaste CLI 2025-12-20 05:19:20 +01:00
Username
274648e1f7 fix: return relative URLs in responses, prefix only for docs 2025-12-20 04:48:55 +01:00
Username
5770698847 add URL_PREFIX config for reverse proxy path support 2025-12-20 04:43:36 +01:00
Username
c76a158c18 bump version to 1.1.0, centralize VERSION constant 2025-12-20 04:21:06 +01:00
Username
ccfd8509cc docs: add pow, cli client, and head method documentation 2025-12-20 04:09:08 +01:00
Username
efd48c5563 pow: increase default difficulty to 20 2025-12-20 04:05:35 +01:00
Username
8fdeeaed9c add proof-of-work spam prevention 2025-12-20 04:03:59 +01:00
Clients must solve a SHA256 hash puzzle before paste creation.
Configurable via FLASKPASTE_POW_DIFFICULTY (0 = disabled, 16 = default).
Challenge tokens expire after FLASKPASTE_POW_TTL seconds (default 300).
Username
682df17257 add command-line client 2025-12-20 03:57:41 +01:00
Username
7f3c37f271 tasklist: mark head method complete 2025-12-20 03:47:35 +01:00
Username
4532b9b1d5 add HEAD method for paste endpoints 2025-12-20 03:47:20 +01:00
Username
4007f0ea65 tasklist: mark wal mode complete 2025-12-20 03:45:05 +01:00
Username
9c5b1d9804 enable sqlite wal mode for file databases 2025-12-20 03:44:38 +01:00
Username
a07f1e662e add gitea ci workflow 2025-12-20 03:31:43 +01:00
Username
4cb29fa3d2 add project structure files 2025-12-20 03:31:37 +01:00
Username
202e927918 add content-hash dedup for abuse prevention 2025-12-20 03:31:20 +01:00
Throttle repeated submissions of identical content using SHA256 hash
tracking. Configurable via FLASKPASTE_DEDUP_WINDOW and FLASKPASTE_DEDUP_MAX.
Username
8f9868f0d9 flaskpaste: initial commit with security hardening 2025-12-16 04:42:18 +01:00
Features:
- REST API for text/binary pastes with MIME detection
- Client certificate auth via X-SSL-Client-SHA1 header
- SQLite with WAL mode for concurrent access
- Automatic paste expiry with LRU cleanup

Security:
- HSTS, CSP, X-Frame-Options, X-Content-Type-Options
- Cache-Control: no-store for sensitive responses
- X-Request-ID tracing for log correlation
- X-Proxy-Secret validation for defense-in-depth
- Parameterized queries, input validation
- Size limits (3 MiB anon, 50 MiB auth)

Includes /health endpoint, container support, and 70 tests.