username/flaskpaste
1
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: validate algorithm parameter in PKI methods

Browse Source
This commit is contained in:
Username
2025-12-25 00:26:23 +01:00
parent 79b12cc3b3
commit d1df8c4f76
2 changed files with 9 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
TODO.md
View File

@@ -12,11 +12,11 @@ Unstructured intake buffer for ideas, issues, and observations. Items here are r
- Webhook notifications for paste events - Webhook notifications for paste events
- Certificate renewal reminder in CLI - Certificate renewal reminder in CLI
- Admin endpoint for CA key rotation - Admin endpoint for CA key rotation
- Shell completions (bash, zsh, fish)
- Clipboard integration (pbcopy/xclip) - Clipboard integration (pbcopy/xclip)
## Observations ## Observations
- Shell completions already implemented (`fpaste completion --shell bash/zsh/fish`)
- Mypy type errors fixed: now enforced in CI (was informational) - Mypy type errors fixed: now enforced in CI (was informational)
- CI enhanced: security-tests job, SBOM generation (CycloneDX), memory leak checks - CI enhanced: security-tests job, SBOM generation (CycloneDX), memory leak checks
- Comprehensive pentest plan completed (PENTEST_PLAN.md) - all remediations implemented - Comprehensive pentest plan completed (PENTEST_PLAN.md) - all remediations implemented

8
app/pki.py
View File

@@ -310,6 +310,10 @@ class PKI:
if self.has_ca(): if self.has_ca():
raise CAExistsError("CA already exists") raise CAExistsError("CA already exists")
# Validate algorithm (only EC supported for now)
if algorithm != "ec":
raise PKIError(f"Unsupported algorithm: {algorithm} (only 'ec' supported)")
# Generate EC key # Generate EC key
curves = { curves = {
"secp256r1": ec.SECP256R1(), "secp256r1": ec.SECP256R1(),
@@ -532,6 +536,10 @@ class PKI:
if days is None: if days is None:
days = self.cert_days days = self.cert_days
# Validate algorithm (only EC supported for now)
if algorithm != "ec":
raise PKIError(f"Unsupported algorithm: {algorithm} (only 'ec' supported)")
ca_key, ca_cert = self._get_signing_key() ca_key, ca_cert = self._get_signing_key()
assert self._ca_store is not None # narrowing for mypy (validated in _get_signing_key) assert self._ca_store is not None # narrowing for mypy (validated in _get_signing_key)