fix: add memory protection to lookup rate limiting

ENUM-002: Lookup rate limit now respects LOOKUP_RATE_LIMIT_MAX_ENTRIES (default 10000) to prevent memory exhaustion from unique IP flood. Eviction strategy: expired entries first, then oldest by last request.
2025-12-26 00:16:41 +01:00
parent 0fa6052f69
commit 4f5da8ca66
2 changed files with 26 additions and 0 deletions
--- a/app/config.py
+++ b/app/config.py
@@ -115,6 +115,10 @@ class Config:
    )
    LOOKUP_RATE_LIMIT_WINDOW = int(os.environ.get("FLASKPASTE_LOOKUP_RATE_WINDOW", "60"))
    LOOKUP_RATE_LIMIT_MAX = int(os.environ.get("FLASKPASTE_LOOKUP_RATE_MAX", "60"))
+    # ENUM-002: Maximum tracked IPs for lookup rate limiting (memory protection)
+    LOOKUP_RATE_LIMIT_MAX_ENTRIES = int(
+        os.environ.get("FLASKPASTE_LOOKUP_RATE_MAX_ENTRIES", "10000")
+    )

    # Audit Logging
    # Track security-relevant events (paste creation, deletion, rate limits, etc.)