username/flaskpaste
1
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: implement CRYPTO-001 and TIMING-001 remediations
Some checks failed
CI / Lint & Format (push) Failing after 17s
Details
CI / Tests (push) Has been skipped
Details
CI / Memory Leak Check (push) Has been skipped
Details
CI / Security Scan (push) Successful in 23s
Details

Browse Source 
CRYPTO-001: Certificate serial collision detection
- Add _generate_unique_serial() helper for database-backed PKI
- Add _generate_unique_serial() method for in-memory PKI class
- Check database for existing serial before certificate issuance
- Retry with new random serial if collision detected (max 5 attempts)

TIMING-001: Constant-time database lookups for sensitive queries
- Add dummy PBKDF2 verification when paste not found
- Prevents timing-based enumeration (attackers can't distinguish
  'not found' from 'wrong password' by measuring response time)
This commit is contained in:
Username
2025-12-24 23:28:16 +01:00
parent c130020ab8
commit 3a76453828
4 changed files with 74 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
PENTEST_PLAN.md
View File

@@ -259,8 +259,8 @@ Testing uses specialized Claude subagents for different security domains, with f
### Long-term (Low)
- [ ] **CRYPTO-001**: Add certificate serial collision detection
- [ ] **TIMING-001**: Add constant-time database lookups for sensitive queries
- [x] **CRYPTO-001**: Add certificate serial collision detection
- [x] **TIMING-001**: Add constant-time database lookups for sensitive queries
---