claw/flaskpaste
1
0
Fork 1
forked from username/flaskpaste
Code Pull Requests Activity
177 Commits 1 Branch 0 Tags
aba81f908ea7574f6c2963274ec3c528b88e461a
Commit Graph

177 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Username
aba81f908e containerfile: force upgrade pip and jaraco.context post-install 2026-01-20 08:16:49 +01:00
Username
e4b313041e containerfile: pin pip>=25.3 to fix CVE-2025-8869 2026-01-20 08:12:22 +01:00
Username
9c4c907f75 fpaste: add configurable endpoint prefix 
- Add endpoint config key (FLASKPASTE_ENDPOINT env var)
- Add build_url() helper for URL construction
- Change default server to https://paste.mymx.me
- Support endpoint prefix in config file
 2026-01-19 23:58:42 +01:00
Username
0f5742ccc2 containerfile: switch slim image to alpine base 
Debian distroless had 5 critical CVEs (unfixed in Debian 12).
Alpine has active security patches and smaller footprint.
 2026-01-19 23:58:34 +01:00
Username
54190487c8 kubernetes: use slim distroless image 2026-01-19 23:04:06 +01:00
Username
10c94f29dd ci: fix vuln count to exclude header line 2026-01-19 22:58:58 +01:00
Username
89b019d7df ci: fix vuln count parsing in harbor scan 2026-01-19 22:54:42 +01:00
Username
9302939890 ci: fix harbor-ctl scan/vulns command syntax 2026-01-19 22:49:18 +01:00
Username
c81988fc1a ci: add delay before harbor scan for image indexing 2026-01-19 22:47:02 +01:00
Username
46875fba0c ci: fresh run 2026-01-19 22:36:09 +01:00
Username
1d90de95ac ci: retrigger after runner fix 2026-01-19 22:24:45 +01:00
Username
adb3d39d71 ci: retrigger build 2026-01-19 21:56:21 +01:00
Username
5c97d76021 ci: add hypothesis fuzz testing job 2026-01-19 19:54:33 +01:00
Username
a206c9939c ci: build and push slim image variant 2026-01-19 19:52:57 +01:00
Username
fc7d3df308 add distroless slim container image 2026-01-19 19:52:56 +01:00
Username
756d83e066 api: remove prefix from index response 2026-01-19 19:40:04 +01:00
Username
402df5f535 quadlet: remove /paste prefix for root deployment 2026-01-19 19:38:50 +01:00
Username
af1f53137f config: serve at paste.mymx.me root instead of /paste prefix 
Migrate from harbor.mymx.me/paste to dedicated paste.mymx.me host.
 2026-01-18 20:27:12 +01:00
Username
48094c0bee ci: add Harbor vulnerability scan after image push 2026-01-18 17:23:19 +01:00
Username
e0310339ee docs: update for k3s deployment and harbor.mymx.me 2026-01-18 17:07:49 +01:00
Username
435661ae38 kubernetes: update harbor url and health probe paths 
- use harbor.mymx.me instead of old internal IP
- fix liveness/readiness probes to use /health endpoint
 2026-01-18 16:54:59 +01:00
Username
ee0e1211a6 containerfile: remove vendored jaraco.context dist-info 
setuptools vendors jaraco.context 5.3.0 internally; Trivy detects
this even with 6.1.0 installed separately. Remove the vendored
dist-info to silence the false positive.
 2026-01-18 16:29:41 +01:00
Username
278ad73778 containerfile: fix jaraco.context CVE and consolidate 
- explicitly install jaraco.context>=6.1.0 in runtime stage
  to override vendored copy in setuptools (GHSA-58pv-8j8x-9vj2)
- remove redundant installs from builder (requirements.txt
  already pins setuptools>=80.0 and jaraco.context>=6.1.0)
- consolidate runtime pip install into single command
- remove redundant comments
 2026-01-18 12:09:53 +01:00
Username
cc1bba9a57 container: upgrade system setuptools to fix jaraco.context CVE 2026-01-18 11:12:17 +01:00
Username
6c0e2ab07f container: use apt instead of apt-get 2026-01-18 10:46:47 +01:00
Username
ba0e591dda container: clean apt caches and upgrade setuptools for CVE fix 2026-01-18 10:44:24 +01:00
Username
eb60193348 ci: use Containerfile for image build 2026-01-18 10:30:26 +01:00
Username
80edae3e63 ci: run build-push on host instead of container 2026-01-18 10:26:13 +01:00
Username
195752fe75 ci: fix test file references and hardcoded paths 
- Remove non-existent test_mime_detection.py from unit tests
- Use relative paths in security tests for container compatibility
 2026-01-18 10:23:31 +01:00
Username
3be2fd6cf6 tests: fix mypy type errors in security tests 2026-01-18 10:18:09 +01:00
Username
97bf955820 tests: fix ruff lint errors in security tests 2026-01-18 10:04:27 +01:00
Username
661dab4a81 ci: add container image build and push to harbor 2026-01-18 09:57:32 +01:00
Username
9eee14e918 docs: update harbor integration status and remove hardcoded credentials 2026-01-18 09:57:27 +01:00
Username
0fc45587cd deps: pin transitive dependencies for security fixes 
- urllib3>=2.6.3 (CVE-2025-43859)
- jaraco.context>=6.1.0 (GHSA-58pv-8j8x-9vj2)
- setuptools>=80.0 (vendored jaraco.context)

reduces High vulnerabilities from 6 to 3
 2026-01-18 09:16:08 +01:00
Username
a736bce346 docs: add kubernetes deployment guide 2026-01-17 16:27:56 +01:00
Username
7812af2e47 docs: add harbor registry guide 2026-01-17 16:27:51 +01:00
Username
9b1cddd7f1 kubernetes: use NodePort for external access 
- change service type from ClusterIP to NodePort (30500)
- enables HAProxy routing from mymx to k8s cluster
 2026-01-17 16:27:44 +01:00
Username
f6a69b0b55 add Kubernetes deployment manifest 2026-01-17 13:59:01 +01:00
Username
b9f0283a3b add Podman Quadlet deployment 
- flaskpaste.container for rootless systemd integration
- UserNS mapping for bind mount permissions
- README updated with deployment instructions
 2026-01-17 13:58:52 +01:00
Username
379178e409 exempt /health from rate limiting 
Health check endpoint was being rate-limited (60/hour), causing
container health checks (every 30s = 120/hour) to fail with 429.

Uses flask-limiter's request_filter to bypass rate limiting for
the health endpoint, supporting URL_PREFIX configuration.
 2026-01-08 20:12:03 +01:00
Username
6da80aec76 docs: update for simplified MIME detection (v1.5.1) 2025-12-26 19:52:40 +01:00
Username
a7f1c09634 bump version to 1.5.1 2025-12-26 19:15:20 +01:00
Username
28e31f0b37 remove obsolete MIME detection tests 2025-12-26 19:06:35 +01:00
Username
bc751d1b8c validate MIN_ENTROPY config bounds [0, 8] 2025-12-26 18:47:06 +01:00
Username
3cda73c8b0 simplify MIME detection to text/binary only 
Remove magic byte detection in favor of simple UTF-8 validation:
- text/plain for valid UTF-8 content
- application/octet-stream for binary data

Security maintained via headers (X-Content-Type-Options: nosniff, CSP).
Magic signatures preserved as comments for future reference.

Disabled test files:
- test_mime_detection.py.disabled (magic-dependent tests)
- test_polyglot.py.disabled (polyglot format tests)

For full MIME detection, consider using the `filetype` library.
 2025-12-26 18:44:24 +01:00
Username
fb45005766 add polyglot generator and MIME confusion tests 
- polyglot_generator.py: creates files valid in multiple formats
- 41 new tests verify MIME detection handles polyglots correctly
- Document rate limiting behavior under attack
- Clarify DMG/ISO/DOCX detection limitations
 2025-12-26 18:25:46 +01:00
Username
98694ba1cc docs: add comprehensive threat model 
STRIDE analysis covering:
- System architecture and trust boundaries
- Attack surface analysis (10 entry points)
- Threat actors (anonymous, authenticated, operator, sophisticated)
- 20+ threats with mitigations across STRIDE categories
- Security controls matrix
- MIME polyglot attack mitigations
- Cryptographic controls
- Residual risks and known limitations
- Incident response guidance
 2025-12-26 17:10:41 +01:00
Username
dc2da67fb3 add Hypothesis property-based MIME detection tests 
- test_magic_prefix_detection: verify all signatures with random suffix
- test_random_binary_never_crashes: random data never crashes
- test_partial_magic_no_false_match: truncated magic handled safely
- test_magic_not_at_start_ignored: only detect magic at offset 0
 2025-12-26 17:09:02 +01:00
Username
03bcb157cc add HEIC/HEIF/AVIF MIME detection signatures 
- Add ftyp box signatures for heic, mif1, and avif brands
- Add tests for new image formats
- Fix nested if lint warning in lookup rate limit
- Update security docs: MKV uses WebM header, TAR needs offset 257
 2025-12-26 17:04:51 +01:00
Username
93a4dd2f97 ci: add security headers audit to pipeline 2025-12-26 16:56:03 +01:00