username/flaskpaste
1
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: implement pentest remediation (PROXY-001, BURN-001, RATE-001)
All checks were successful
CI / Lint & Format (push) Successful in 18s
Details
CI / Security Scan (push) Successful in 22s
Details
CI / Memory Leak Check (push) Successful in 21s
Details
CI / Tests (push) Successful in 1m16s
Details

Browse Source 
PROXY-001: Add startup warning when TRUSTED_PROXY_SECRET empty in production
- validate_security_config() checks for missing proxy secret
- Additional warning when PKI enabled without proxy secret
- Tests for security configuration validation

BURN-001: HEAD requests now trigger burn-after-read deletion
- Prevents attacker from probing paste existence before retrieval
- Updated test to verify new behavior

RATE-001: Add RATE_LIMIT_MAX_ENTRIES to cap memory usage
- Default 10000 unique IPs tracked
- Prunes oldest entries when limit exceeded
- Protects against memory exhaustion DoS

Test count: 284 -> 291 (7 new security tests)
This commit is contained in:
Username
2025-12-24 21:42:15 +01:00
parent bebc6e0354
commit 89eee3378a
10 changed files with 271 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
tests/test_paste_options.py
View File

@@ -80,8 +80,12 @@ class TestBurnAfterRead:
response = client.get(f"/{paste_id}")
assert response.status_code == 404
def test_head_does_not_trigger_burn(self, client):
"""HEAD request should not delete burn paste."""
def test_head_triggers_burn(self, client):
"""HEAD request SHOULD delete burn paste (security fix BURN-001).
HEAD requests trigger burn-after-read deletion to prevent attackers
from probing paste existence before retrieval.
"""
# Create burn paste
response = client.post(
"/",
@@ -90,13 +94,14 @@ class TestBurnAfterRead:
)
paste_id = response.get_json()["id"]
# HEAD should succeed
# HEAD should succeed and trigger burn
response = client.head(f"/{paste_id}/raw")
assert response.status_code == 200
assert response.headers.get("X-Burn-After-Read") == "true"
# Paste should still exist
# Paste should be deleted - subsequent access should fail
response = client.get(f"/{paste_id}/raw")
assert response.status_code == 200
assert response.status_code == 404
def test_burn_header_variations(self, client):
"""Different true values for X-Burn-After-Read should work."""