docs: add url shortener documentation
Some checks failed
CI / Lint & Format (push) Failing after 29s
CI / Unit Tests (push) Has been skipped
CI / Memory Leak Check (push) Has been skipped
CI / Fuzz Testing (push) Has been skipped
CI / SBOM Generation (push) Has been skipped
CI / Security Scan (push) Successful in 33s
CI / Security Tests (push) Has been skipped
CI / Advanced Security Tests (push) Has been skipped
CI / Build & Push Image (push) Has been skipped
CI / Harbor Vulnerability Scan (push) Has been skipped
SECURITY.md: 27 lines changed
@@ -92,6 +92,25 @@ FLASKPASTE_MIN_ENTROPY=6.0 # Bits per byte (encrypted ~7.5-8.0)
FLASKPASTE_MIN_ENTROPY_SIZE=256 # Only check content >= this size
```

### URL Shortener Security

**Open Redirect Prevention**

Short URL creation validates target URLs:

- Only `http` and `https` schemes allowed (rejects `javascript:`, `data:`, `ftp:`, `file:`)
- Network location (hostname) required — rejects scheme-only URLs
- Maximum URL length: 2048 bytes
- Short IDs: 8-char base62 (`[a-zA-Z0-9]`) with `secrets.choice()` for unpredictability
- Redirect responses include `Cache-Control: no-store, no-cache` to prevent caching

**Access Controls**

- Creation: rate-limited + proof-of-work (same as paste creation)
- Redirect: lookup rate limiting prevents enumeration
- Deletion: owner authentication required
- Listing: authentication required, shows only own URLs

### Security Headers

All responses include:
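Review bot: the heading **Open Redirect Prevention** promises more than the bullets deliver. With `http`/`https` allowed and no host allowlist, a short URL sends the visitor to any public host by design, so what these checks stop is script-scheme injection (`javascript:`, `data:`) and malformed targets, not redirection to an attacker-chosen site; state that residual risk in the first sentence (e.g. "Short URLs redirect to arbitrary http(s) targets; creation validates the target so that only ...") rather than implying open redirects are impossible. Two details a reader of this section will look for and not find: the redirect status code (a 302/307 versus a cacheable 301/308 matters once short URLs can be deleted, `Cache-Control` notwithstanding), and whether the 2048-byte limit is measured on the UTF-8 encoded URL or on characters. Also, "8-char base62" here contradicts the "configurable via `FLASKPASTE_SHORT_ID_LENGTH`" bullet added further down; name the setting here as well.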
@@ -120,6 +139,12 @@ All requests receive `X-Request-ID` header for log correlation and debugging. Pa
- Configurable length (default 12 characters)
- Validated on all endpoints

### Short URL IDs

- Base62 only (`[a-zA-Z0-9]+`)
- 8 characters (configurable via `FLASKPASTE_SHORT_ID_LENGTH`)
- Validated on all `/s/` endpoints

### MIME Types

- Magic byte detection for binary formats
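Review bot: `[a-zA-Z0-9]+` and "8 characters" disagree: the pattern as written accepts any length, so say whether `/s/` validation pins the length to `FLASKPASTE_SHORT_ID_LENGTH` (i.e. `^[a-zA-Z0-9]{8}$`, anchored at both ends; an unanchored `re.match` with `+` would still accept `abcd1234/..`). If the length is enforced, add a caveat that changing `FLASKPASTE_SHORT_ID_LENGTH` after deployment makes previously issued short IDs fail validation.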
@@ -245,6 +270,7 @@ Security fixes are released as soon as possible. Subscribe to repository release
- Authentication bypass
- Information disclosure
- Denial of service (application-level)
- Open redirect via URL shortener

### Out of Scope

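Review bot: "Open redirect via URL shortener" needs a definition, because redirecting to an arbitrary http(s) host is the documented feature and will otherwise be reported as a bug. Spell out what qualifies: a target that bypasses the scheme allowlist or the hostname requirement, a redirect to a non-http(s) scheme, or CR/LF from the stored target reaching the `Location` header.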
@@ -258,6 +284,7 @@ Security fixes are released as soon as possible. Subscribe to repository release

| Version | Security Changes |
|---------|------------------|
| 1.6.0 | URL shortener with open redirect prevention, scheme allowlist, target URL validation |
| 1.5.0 | Pentest remediation (15 items): timing attack prevention, serial collision detection, lookup rate limiting, content hash locking, anti-flood memory limits, CLI path validation, SSL hostname verification, config permission checks |
| 1.4.0 | Anti-flood dynamic PoW, IP-based rate limiting, audit logging |
| 1.2.0 | Password protection with PBKDF2, code modernization |
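Review bot: the 1.6.0 row names one control three ways ("open redirect prevention, scheme allowlist, target URL validation"). List the distinct controls the URL Shortener Security section documents instead: scheme allowlist, hostname required, 2048-byte length cap, `secrets`-generated base62 IDs, `Cache-Control: no-store` on redirects, and rate-limited lookup; that keeps the changelog consistent with the section it summarizes.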