security: implement pentest remediation (RATE-002, CLI-001)
Some checks failed
CI / Lint & Format (push) Failing after 16s
CI / Tests (push) Has been skipped
CI / Memory Leak Check (push) Has been skipped
CI / Security Scan (push) Successful in 23s

RATE-002: Proactive rate limit cleanup when entries exceed threshold
- Add RATE_LIMIT_CLEANUP_THRESHOLD config (default 0.8)
- Trigger cleanup before hitting hard limit
- Prevents memory exhaustion under sustained load

CLI-001: Validate clipboard tool paths against trusted directories
- Add TRUSTED_CLIPBOARD_DIRS for Unix system paths
- Add TRUSTED_WINDOWS_PATTERNS for Windows validation
- Reject tools in user-writable locations (PATH hijack prevention)
- Use absolute paths in subprocess calls
Username
2025-12-24 22:03:17 +01:00
parent 89eee3378a
commit 1fbb69d7f9
6 changed files with 240 additions and 6 deletions
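The RATE-002 bullets describe a cleanup that fires at a configurable fraction of the hard limit rather than at the limit itself. The following is an added example of that pattern, not fpaste's code: the fixed-window policy, the field names (`cleanup_threshold` standing in for the commit's `RATE_LIMIT_CLEANUP_THRESHOLD`), the fail-closed behaviour at the hard cap and the `FakeClock` are assumptions made for illustration.

```python
"""Rate-limit table with proactive cleanup, in the spirit of RATE-002.

Added example, not fpaste's code: the fixed-window policy, the field names
and the fail-closed behaviour at the hard cap are assumptions for illustration.
"""
from __future__ import annotations

import time
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class RateLimiter:
    max_requests: int = 5            # allowed per key per window
    window_seconds: float = 60.0
    max_entries: int = 1000          # hard cap on tracked keys (memory bound)
    cleanup_threshold: float = 0.8   # RATE_LIMIT_CLEANUP_THRESHOLD-style knob
    clock: Callable[[], float] = time.monotonic
    cleanups: int = 0                # how often proactive cleanup has run
    _buckets: dict[str, tuple[float, int]] = field(default_factory=dict)

    def tracked(self) -> int:
        return len(self._buckets)

    def _evict_expired(self, now: float) -> None:
        expired = [k for k, (start, _) in self._buckets.items()
                   if now - start >= self.window_seconds]
        for k in expired:
            del self._buckets[k]
        self.cleanups += 1

    def allow(self, key: str) -> bool:
        now = self.clock()
        new_key = key not in self._buckets
        # Proactive cleanup: once the table reaches threshold * max_entries,
        # drop expired windows *before* a new key could hit the hard cap, so
        # sustained load from many distinct keys does not grow memory.
        if new_key and self.tracked() >= self.cleanup_threshold * self.max_entries:
            self._evict_expired(now)
        start, count = self._buckets.get(key, (now, 0))
        if now - start >= self.window_seconds:      # stale window: restart it
            start, count = now, 0
        if count >= self.max_requests:
            return False
        if new_key and self.tracked() >= self.max_entries:
            return False    # hard cap: fail closed instead of growing unbounded
        self._buckets[key] = (start, count + 1)
        return True


class FakeClock:
    """Constructed clock so the demo is deterministic and needs no sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> dict[str, object]:
    clock = FakeClock()
    rl = RateLimiter(max_requests=3, window_seconds=60, max_entries=10,
                     cleanup_threshold=0.8, clock=clock)
    burst = [rl.allow(f"client-{i}") for i in range(8)]   # table reaches 8 = 0.8 * 10
    clock.advance(61)                                      # every window has expired
    ninth = rl.allow("client-8")                           # cleanup runs first, then insert
    out: dict[str, object] = {
        "burst_all_allowed": all(burst),
        "ninth_allowed": ninth,
        "tracked_after_cleanup": rl.tracked(),             # only client-8 remains
        "cleanups": rl.cleanups,
    }
    # Without expiry the hard cap still holds: 10 keys fit, the 11th is refused,
    # and an already-tracked key keeps its own per-key quota.
    rl2 = RateLimiter(max_requests=3, window_seconds=60, max_entries=10,
                      cleanup_threshold=0.8, clock=FakeClock())
    cap = [rl2.allow(f"client-{i}") for i in range(11)]
    out["hard_cap_hits"] = cap[:10] == [True] * 10 and cap[10] is False
    out["per_key"] = [rl2.allow("client-0") for _ in range(3)]
    return out


if __name__ == "__main__":
    print(demo())
```

With the threshold at 0.8 the eviction pass runs while there is still headroom, so a burst of new clients arriving just after an old burst expired is admitted instead of being refused at the cap. A production version would also rate the cleanup itself (for example no more than once per fraction of a window), since above the threshold this version scans the table on every new key.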
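The CLI-001 bullets (trusted directories, rejection of user-writable locations, absolute paths in subprocess calls) are easiest to get wrong in the comparison step. Below is an added example of that check written with component-wise path comparison instead of substring tests, shown next to the weak substring pattern it replaces. It is not fpaste's code: the root lists, the constructed PATH lookup table, the symlink table and `run_clipboard_write` are assumptions made so it runs offline on any OS.

```python
"""Trusted-directory check for clipboard helpers, in the spirit of CLI-001.

Added example, not fpaste's own code: the root lists, the constructed PATH
lookup table and run_clipboard_write are assumptions made for illustration.
"""
from __future__ import annotations

import shutil
import subprocess
from pathlib import Path, PurePath, PurePosixPath, PureWindowsPath
from typing import Callable, Iterable, Sequence

# Assumed trusted roots. A real tool would read SystemRoot / ProgramFiles from
# the environment on Windows; fixed values keep the example runnable anywhere.
TRUSTED_POSIX_ROOTS: tuple[PurePath, ...] = (
    PurePosixPath("/usr/bin"), PurePosixPath("/usr/local/bin"),
    PurePosixPath("/bin"), PurePosixPath("/opt/homebrew/bin"),
)
TRUSTED_WINDOWS_ROOTS: tuple[PurePath, ...] = (
    PureWindowsPath(r"C:\Windows"), PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)


def naive_substring_check(path: str) -> bool:
    """The weak pattern: accept any path that merely *contains* a system-ish
    directory name. Kept only so demo() can show the bypass."""
    lowered = path.lower()
    return "\\windows\\" in lowered or "\\program files" in lowered


def is_under_trusted_root(resolved: PurePath, roots: Iterable[PurePath]) -> bool:
    """Accept a tool only if its parent directory lies under a trusted root.

    is_relative_to() compares whole path components (case-insensitively for
    PureWindowsPath), so C:/Users/alice/windows/clip.exe is rejected although
    it contains "windows". Pure paths never collapse "..", so callers must pass
    a Path.resolve()'d path; the ".." guard is defence in depth.
    """
    if ".." in resolved.parts:
        return False
    return any(resolved.parent.is_relative_to(root) for root in roots)


def trusted_roots_for(resolved: PurePath) -> tuple[PurePath, ...]:
    return TRUSTED_WINDOWS_ROOTS if isinstance(resolved, PureWindowsPath) else TRUSTED_POSIX_ROOTS


def find_trusted_tool(
    candidates: Sequence[tuple[str, Sequence[str]]],
    which: Callable[[str], str | None] = shutil.which,
    resolve: Callable[[str], PurePath] = lambda p: Path(p).resolve(),
) -> list[str] | None:
    """Return argv for the first candidate that exists on PATH *and* resolves
    into a trusted directory. argv[0] is the absolute resolved path, never the
    bare name, so a later PATH change cannot redirect the subprocess call."""
    for tool_name, argv in candidates:
        found = which(tool_name)
        if not found:
            continue
        resolved = resolve(found)
        if is_under_trusted_root(resolved, trusted_roots_for(resolved)):
            return [str(resolved), *argv[1:]]
    return None


def run_clipboard_write(argv: list[str], data: bytes) -> int:
    """Invoke the validated command as an argv list (no shell). Not run offline."""
    return subprocess.run(argv, input=data, check=False).returncode


# Constructed stand-in for shutil.which on a machine whose PATH was tampered
# with: a planted clip.exe under a folder merely *named* windows, a user-local
# xclip, and a /usr/local/bin/xsel that is a symlink into $HOME.
FAKE_PATH_LOOKUP = {
    "clip": r"C:\Users\alice\windows\clip.exe",
    "xsel": "/usr/local/bin/xsel",
    "xclip": "/home/alice/.local/bin/xclip",
    "wl-copy": "/usr/bin/wl-copy",
}
FAKE_SYMLINKS = {"/usr/local/bin/xsel": "/home/alice/tools/xsel"}
CANDIDATES = [
    ("clip", ["clip"]),
    ("xsel", ["xsel", "--clipboard", "--input"]),
    ("xclip", ["xclip", "-selection", "clipboard"]),
    ("wl-copy", ["wl-copy"]),
]


def fake_which(name: str) -> str | None:
    return FAKE_PATH_LOOKUP.get(name)


def fake_resolve(path: str) -> PurePath:
    """Stand-in for Path.resolve(): follows the constructed symlink table and
    picks the path flavour from the string so the demo runs on any OS."""
    path = FAKE_SYMLINKS.get(path, path)
    return PureWindowsPath(path) if path[1:2] == ":" else PurePosixPath(path)


def demo() -> dict[str, object]:
    planted = FAKE_PATH_LOOKUP["clip"]
    return {
        "substring_accepts_planted": naive_substring_check(planted),
        "root_check_rejects_planted": not is_under_trusted_root(
            fake_resolve(planted), TRUSTED_WINDOWS_ROOTS),
        "chosen": find_trusted_tool(CANDIDATES, which=fake_which, resolve=fake_resolve),
    }


if __name__ == "__main__":
    print(demo())
```

Resolving before checking is what catches the `/usr/local/bin/xsel` symlink: the directory the tool was *found* in is trusted, the directory it *lives* in is not. The `which` and `resolve` parameters exist only so the check can be exercised without touching the real filesystem; in production the defaults (`shutil.which` and `Path.resolve`) are used.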

fpaste (59 changed lines)

@@ -455,12 +455,65 @@ CLIPBOARD_WRITE_COMMANDS = [
("wl-copy", ["wl-copy"]),
]
# CLI-001: Trusted directories for clipboard tools (system paths only)
# Prevents command injection via malicious PATH manipulation
TRUSTED_CLIPBOARD_DIRS = frozenset(
{
"/usr/bin",
"/usr/local/bin",
"/bin",
"/opt/homebrew/bin", # macOS Homebrew
"/usr/X11/bin",
"/usr/X11R6/bin",
}
)
# Windows system directories (checked case-insensitively)
TRUSTED_WINDOWS_PATTERNS = (
"\\windows\\",
"\\system32\\",
"\\syswow64\\",
"\\windowsapps\\",
)
def is_trusted_clipboard_path(path: str) -> bool:
"""Check if clipboard tool path is in a trusted system directory.
CLI-001: Validates that resolved clipboard tool paths are in expected
system locations to prevent command injection via PATH manipulation.
"""
if not path:
return False
resolved = Path(path).resolve()
parent = str(resolved.parent)
# Check Unix trusted directories
if parent in TRUSTED_CLIPBOARD_DIRS:
return True
# Check Windows paths (case-insensitive)
parent_lower = parent.lower()
for pattern in TRUSTED_WINDOWS_PATTERNS:
if pattern in parent_lower:
return True
# Also allow Windows Program Files paths
return "\\program files" in parent_lower
def find_clipboard_command(commands: list[tuple[str, list[str]]]) -> list[str] | None:
"""Find first available clipboard command."""
"""Find first available clipboard command in trusted directories.
CLI-001: Validates that found commands are in trusted system directories
to prevent command injection via PATH manipulation.
"""
for tool_name, cmd in commands:
if shutil.which(tool_name):
return cmd
tool_path = shutil.which(tool_name)
if tool_path and is_trusted_clipboard_path(tool_path):
# Use absolute path for security
return [tool_path, *cmd[1:]]
return None
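Review bot: the Windows branch of is_trusted_clipboard_path is a substring test, so any parent directory that merely contains `\windows\` (for example a planted tool under `C:\Users\alice\windows\`) passes the `TRUSTED_WINDOWS_PATTERNS` loop, and `return "\\program files" in parent_lower` accepts a folder named `program files` anywhere on disk; that contradicts "Reject tools in user-writable locations" in the commit message. Anchor the check to real roots instead, e.g. `Path(os.environ["SystemRoot"])` and `Path(os.environ["ProgramFiles"])`, and test `resolved.parent.is_relative_to(root)` (available since Python 3.9, and this function already relies on 3.10 syntax for `list[str] | None`). Two smaller points: the comment "system paths only" above TRUSTED_CLIPBOARD_DIRS is not accurate for `/opt/homebrew/bin`, which Homebrew chowns to the installing user on macOS, so either drop it from the set or state in the comment that this is an accepted trade-off; and since `parent in TRUSTED_CLIPBOARD_DIRS` is an exact string match after `resolve()`, a note that symlinked prefixes such as `/bin -> /usr/bin` are handled because resolve() follows them would save the next reader a trip to the docs.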