From bc751d1b8cfdbcd4f90407842b6fa29ec9cc2b22 Mon Sep 17 00:00:00 2001 From: Username Date: Fri, 26 Dec 2025 18:47:06 +0100 Subject: [PATCH] validate MIN_ENTROPY config bounds [0, 8] --- app/config.py | 6 ++++-- tests/test_abuse_prevention.py | 17 +++++++++++++++++ 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/app/config.py b/app/config.py index 9f93765..28df5c3 100644 --- a/app/config.py +++ b/app/config.py @@ -42,9 +42,11 @@ class Config: # Minimum entropy requirement (0 = disabled) # Encrypted data has ~7.5-8.0 bits/byte, plaintext ~4.0-5.0 # Set to 6.0+ to effectively require encryption - MIN_ENTROPY = float(os.environ.get("FLASKPASTE_MIN_ENTROPY", 0)) + _min_entropy_raw = float(os.environ.get("FLASKPASTE_MIN_ENTROPY", 0)) + MIN_ENTROPY = max(0.0, min(8.0, _min_entropy_raw)) # Clamp to valid range [0, 8] # Minimum size for entropy check (small data has unreliable entropy measurement) - MIN_ENTROPY_SIZE = int(os.environ.get("FLASKPASTE_MIN_ENTROPY_SIZE", 256)) + _min_entropy_size_raw = int(os.environ.get("FLASKPASTE_MIN_ENTROPY_SIZE", 256)) + MIN_ENTROPY_SIZE = max(1, _min_entropy_size_raw) # Must be positive # Require binary content (reject recognizable formats) # Rejects content with known magic bytes (PNG, JPEG, PDF, etc.) and UTF-8 text. diff --git a/tests/test_abuse_prevention.py b/tests/test_abuse_prevention.py index 7b7d80f..d633c44 100644 --- a/tests/test_abuse_prevention.py +++ b/tests/test_abuse_prevention.py @@ -410,6 +410,23 @@ class TestEntropyEnforcement: assert response.status_code == 201 +class TestEntropyConfigValidation: + """Test entropy config validation and bounds checking.""" + + def test_min_entropy_clamped_to_valid_range(self): + """MIN_ENTROPY should be clamped to [0, 8] range.""" + from app.config import Config + + # Verify clamping logic works (config uses max(0, min(8, value))) + assert 0.0 <= Config.MIN_ENTROPY <= 8.0 + + def test_min_entropy_size_positive(self): + """MIN_ENTROPY_SIZE should be at least 1.""" + from app.config import Config + + assert Config.MIN_ENTROPY_SIZE >= 1 + + class TestConcurrentSubmissions: """Test concurrent identical submissions handling.