security: implement pentest remediation (RATE-002, CLI-001)
Some checks failed
CI / Lint & Format (push) Failing after 16s
CI / Tests (push) Has been skipped
CI / Memory Leak Check (push) Has been skipped
CI / Security Scan (push) Successful in 23s

RATE-002: Proactive rate limit cleanup when entries exceed threshold
- Add RATE_LIMIT_CLEANUP_THRESHOLD config (default 0.8)
- Trigger cleanup before hitting hard limit
- Prevents memory exhaustion under sustained load

CLI-001: Validate clipboard tool paths against trusted directories
- Add TRUSTED_CLIPBOARD_DIRS for Unix system paths
- Add TRUSTED_WINDOWS_PATTERNS for Windows validation
- Reject tools in user-writable locations (PATH hijack prevention)
- Use absolute paths in subprocess calls
Username
2025-12-24 22:03:17 +01:00
parent 89eee3378a
commit 1fbb69d7f9
6 changed files with 240 additions and 6 deletions
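
The CLI-001 check from the commit message, as an added Python sketch that is not code from this commit. The contents of `TRUSTED_CLIPBOARD_DIRS`, the function names, and the `xclip` invocation are assumptions; the commit page shows only the constant's name.

```python
import os
import shutil
import stat
import subprocess

# Assumed contents: the commit names this constant but does not show its value.
TRUSTED_CLIPBOARD_DIRS = ("/usr/bin", "/bin", "/usr/local/bin")


def resolve_trusted_tool(name, search_path=None, trusted_dirs=TRUSTED_CLIPBOARD_DIRS):
    """Return the absolute, symlink-resolved path of `name`, or None if untrusted."""
    if os.path.basename(name) != name:
        return None  # bare tool names only: no "./xclip" or "/tmp/xclip"
    found = shutil.which(name, path=search_path)  # first PATH hit, as a shell would pick
    if found is None:
        return None
    real = os.path.realpath(found)  # judge the real file, not a symlink to it
    parent = os.path.dirname(real)
    allowed = {os.path.realpath(d) for d in trusted_dirs}  # handles /bin -> /usr/bin
    if parent not in allowed:
        return None  # first hit lives outside the allow-list (PATH hijack case)
    # A trusted directory does not help if anyone can replace the binary in it.
    for candidate in (real, parent):
        if os.stat(candidate).st_mode & stat.S_IWOTH:
            return None
    return real


def copy_text(text, tool="xclip", args=("-selection", "clipboard")):
    """Hypothetical caller: run the tool by validated absolute path, never by name."""
    path = resolve_trusted_tool(tool)
    if path is None:
        raise RuntimeError(f"no trusted copy of {tool!r} found")
    subprocess.run([path, *args], input=text.encode(), check=True, timeout=5)
```

When the first `PATH` match is untrusted, this sketch fails closed instead of falling through to a later trusted copy, so a shadowed tool is reported to the caller and not silently worked around.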

@@ -245,8 +245,8 @@ Testing uses specialized Claude subagents for different security domains, with f
- [x] **BURN-001**: Track HEAD requests as paste access for burn-after-read
- [x] **BURN-002**: Add test for HEAD-then-GET race condition
- [x] **RATE-001**: Add maximum entries limit to rate limit storage
- [ ] **RATE-002**: Add automatic cleanup trigger when threshold exceeded
- [ ] **CLI-001**: Validate clipboard tool paths against allow-list
- [x] **RATE-002**: Add automatic cleanup trigger when threshold exceeded
- [x] **CLI-001**: Validate clipboard tool paths against allow-list
### Medium-term (Medium)
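
Review bot: the RATE-002 and CLI-001 entries are flipped to `[x]` while the checks on this commit show Lint & Format failing and Tests skipped, so nothing visible here shows the new cleanup trigger or path validation was exercised. BURN-001 has a companion test item (BURN-002) in the same list; consider adding equivalent test entries for the threshold cleanup and for rejection of a clipboard tool outside the trusted directories, and leave both boxes unchecked until the test job has run green. The CLI-001 line also still says "allow-list" while the commit message describes trusted directories plus Windows patterns; aligning the wording would make the checklist match what was implemented.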