add content-hash dedup for abuse prevention

Throttle repeated submissions of identical content using SHA256 hash tracking. Configurable via FLASKPASTE_DEDUP_WINDOW and FLASKPASTE_DEDUP_MAX.
2025-12-20 03:31:20 +01:00
parent 8f9868f0d9
commit 202e927918
6 changed files with 382 additions and 1 deletions
--- a/app/api/routes.py
+++ b/app/api/routes.py
@@ -9,7 +9,7 @@ import time
 from flask import Response, current_app, request

 from app.api import bp
-from app.database import get_db
+from app.database import check_content_hash, get_db

 # Valid paste ID pattern (hexadecimal only)
 PASTE_ID_PATTERN = re.compile(r"^[a-f0-9]+$")
@@ -205,6 +205,22 @@ def create_paste():
            "authenticated": owner is not None,
        }, 413)

+    # Check content deduplication threshold
+    content_hash = hashlib.sha256(content).hexdigest()
+    is_allowed, dedup_count = check_content_hash(content_hash)
+
+    if not is_allowed:
+        window = current_app.config["CONTENT_DEDUP_WINDOW"]
+        current_app.logger.warning(
+            "Dedup threshold exceeded: hash=%s count=%d from=%s",
+            content_hash[:16], dedup_count, request.remote_addr
+        )
+        return _json_response({
+            "error": "Duplicate content rate limit exceeded",
+            "count": dedup_count,
+            "window_seconds": window,
+        }, 429)
+
    paste_id = _generate_id(content)
    now = int(time.time())