add polyglot generator and MIME confusion tests
Some checks failed
CI / Lint & Format (push) Failing after 16s
CI / Unit Tests (push) Has been skipped
CI / Memory Leak Check (push) Has been skipped
CI / SBOM Generation (push) Has been skipped
CI / Security Scan (push) Successful in 20s
CI / Security Tests (push) Has been skipped
CI / Advanced Security Tests (push) Has been skipped
Some checks failed
CI / Lint & Format (push) Failing after 16s
CI / Unit Tests (push) Has been skipped
CI / Memory Leak Check (push) Has been skipped
CI / SBOM Generation (push) Has been skipped
CI / Security Scan (push) Successful in 20s
CI / Security Tests (push) Has been skipped
CI / Advanced Security Tests (push) Has been skipped
- polyglot_generator.py: creates files valid in multiple formats - 41 new tests verify MIME detection handles polyglots correctly - Document rate limiting behavior under attack - Clarify DMG/ISO/DOCX detection limitations
This commit is contained in:
Username
@@ -146,8 +146,11 @@ Fixed (2025-12-25):
|
||||
Known issues:
|
||||
[!] JavaClass - Detected as Mach-O (0xCAFEBABE collision, unfixable)
|
||||
|
||||
Not tested (no signature defined):
|
||||
[ ] DMG, ISO, DOCX/XLSX/PPTX, ODF
|
||||
Not detectable (structural limitations):
|
||||
[~] DMG - UDIF signature in trailer, not header
|
||||
[~] ISO - CD001 at offset 32769 (beyond 16-byte check)
|
||||
[~] DOCX/XLSX/PPTX - ZIP-based, detected as application/zip (correct)
|
||||
[~] ODF (ODT/ODS) - ZIP-based, detected as application/zip (correct)
|
||||
```
|
||||
|
||||
### Fuzzing Improvements
|
||||
@@ -156,10 +159,15 @@ Not tested (no signature defined):
|
||||
[ ] Add --target option to run_fuzz.py for external testing
|
||||
[ ] Implement adaptive rate limiting in production fuzzer
|
||||
[x] Add hypothesis property-based tests for MIME detection
|
||||
[ ] Create polyglot generator for automated MIME confusion testing
|
||||
[x] Create polyglot generator for automated MIME confusion testing
|
||||
[x] Add timing attack tests for authentication endpoints
|
||||
```
|
||||
|
||||
**Polyglot Generator (2025-12-26):**
|
||||
- `tests/security/polyglot_generator.py`: Creates files valid in multiple formats
|
||||
- Supports: GIF+JS, PDF+JS, ZIP+HTML, PNG+HTML, generic primary:payload
|
||||
- 41 polyglot tests verify MIME detection handles all cases correctly
|
||||
|
||||
**Hypothesis MIME Tests (2025-12-26):**
|
||||
- `test_magic_prefix_detection`: All known signatures + random suffix detect correctly
|
||||
- `test_random_binary_never_crashes`: Random binary never crashes detector
|
||||
@@ -201,14 +209,85 @@ Not tested (no signature defined):
|
||||
### Documentation
|
||||
|
||||
```
|
||||
[ ] Add remaining MIME test results to security assessment
|
||||
[ ] Document rate limiting behavior under attack
|
||||
[x] Add remaining MIME test results to security assessment
|
||||
[x] Document rate limiting behavior under attack
|
||||
[x] Create threat model diagram (documentation/threat-model.md)
|
||||
[x] Add security headers audit to CI pipeline
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Rate Limiting Under Attack
|
||||
|
||||
### Defense Layers
|
||||
|
||||
```
|
||||
Layer 1: Per-IP Rate Limiting
|
||||
├── Window: 60 seconds
|
||||
├── Max requests: 30 (configurable)
|
||||
├── Response: 429 Too Many Requests
|
||||
└── Memory cap: 10,000 IPs max
|
||||
|
||||
Layer 2: Anti-Flood (Dynamic PoW)
|
||||
├── Base difficulty: 16 bits
|
||||
├── Threshold: 5 pastes/window triggers increase
|
||||
├── Step: +2 bits per threshold breach
|
||||
├── Max difficulty: 28 bits
|
||||
├── Decay: -2 bits every 30s when idle
|
||||
└── Effect: Attackers must solve harder puzzles
|
||||
|
||||
Layer 3: Content Deduplication
|
||||
├── Hash window: 300 seconds (5 min)
|
||||
├── Max duplicates: 3 per hash per window
|
||||
├── Response: 429 with "duplicate content" message
|
||||
└── Bypass: Requires unique content each time
|
||||
```
|
||||
|
||||
### Attack Scenarios
|
||||
|
||||
| Attack | Detection | Response | Recovery |
|
||||
|--------|-----------|----------|----------|
|
||||
| Single IP flood | Rate limit hit | 429 after 30 req/min | Auto after 60s |
|
||||
| Distributed flood | Anti-flood threshold | PoW difficulty 16→28 | Decay after 30s idle |
|
||||
| Content spam | Dedup detection | 429 after 3 dupes | Window expires 5min |
|
||||
| Enumeration | Lookup rate limit | 429 after 60 req/min | Auto after 60s |
|
||||
|
||||
### Observed Behavior (Pentest 2025-12-26)
|
||||
|
||||
During 18.5 minute penetration test:
|
||||
- Requests handled: 144
|
||||
- Anti-flood triggered: Yes (difficulty 16→26 bits)
|
||||
- Rate limit 429s observed: Yes
|
||||
- PoW token expiration working: Rejected stale solutions
|
||||
- Memory usage: Stable (capped dictionaries)
|
||||
|
||||
### Configuration
|
||||
|
||||
```python
|
||||
# app/config.py defaults
|
||||
RATE_LIMIT_MAX_ENTRIES = 10000 # Max tracked IPs
|
||||
RATE_LIMIT_REQUESTS = 30 # Requests per window
|
||||
RATE_LIMIT_WINDOW = 60 # Window in seconds
|
||||
|
||||
ANTIFLOOD_THRESHOLD = 5 # Pastes before PoW increase
|
||||
ANTIFLOOD_STEP = 2 # Bits added per breach
|
||||
ANTIFLOOD_MAX = 28 # Maximum difficulty
|
||||
ANTIFLOOD_DECAY = 30 # Seconds before difficulty drops
|
||||
|
||||
DEDUP_WINDOW = 300 # Hash tracking window
|
||||
DEDUP_MAX = 3 # Max duplicates allowed
|
||||
```
|
||||
|
||||
### Monitoring
|
||||
|
||||
- `/metrics` endpoint exposes:
|
||||
- `flaskpaste_rate_limit_total`: Rate limit hits
|
||||
- `flaskpaste_pow_difficulty`: Current PoW difficulty
|
||||
- `flaskpaste_paste_created_total`: Creation rate
|
||||
- `flaskpaste_dedup_total`: Dedup rejections
|
||||
|
||||
---
|
||||
|
||||
## Test Commands
|
||||
|
||||
```bash
|
||||
|
||||
Reference in New Issue
Block a user