26 Commits

Author	SHA1	Message	Date
Username	9c4c907f75	fpaste: add configurable endpoint prefix ... - Add endpoint config key (FLASKPASTE_ENDPOINT env var) - Add build_url() helper for URL construction - Change default server to https://paste.mymx.me - Support endpoint prefix in config file	2026-01-19 23:58:42 +01:00
Username	0c8bdacfd2	fix ruff S310 audit warnings in fpaste	2025-12-25 21:08:48 +01:00
Username	033751d8e5	ci: fix bandit nosec and cyclonedx-py syntax	2025-12-25 21:01:55 +01:00
Username	a040fad0b8	fix: resolve all mypy type errors	2025-12-25 00:19:21 +01:00
Username	88da4fedbe	ci: enhance security scanning and add SBOM generation ... - Add dedicated security-tests job for security-focused test files - Add SBOM generation job using CycloneDX for supply chain transparency - Add Bandit scan for fpaste CLI - Add hardcoded secrets detection step - Fix SHA1 fingerprint warnings with usedforsecurity=False - Split unit tests from security tests for better organization - Add memory leak detection job	2025-12-24 23:50:11 +01:00
Username	da1beca893	security: implement quick win remediations (FLOOD-001, CLI-002, CLI-003, AUDIT-001) ... FLOOD-001: Cap anti-flood request list at configurable max entries - Add ANTIFLOOD_MAX_ENTRIES config (default 10000) - Prune oldest entries when limit exceeded CLI-002: Explicitly set SSL hostname verification - Add ctx.check_hostname = True and ctx.verify_mode = CERT_REQUIRED - Defense in depth (create_default_context sets these by default) CLI-003: Warn on insecure config file permissions - Check if config file is world-readable - Print warning to stderr if permissions too open AUDIT-001: Already implemented - query has LIMIT/OFFSET with 500 max	2025-12-24 23:02:55 +01:00
Username	1fbb69d7f9	security: implement pentest remediation (RATE-002, CLI-001) ... RATE-002: Proactive rate limit cleanup when entries exceed threshold - Add RATE_LIMIT_CLEANUP_THRESHOLD config (default 0.8) - Trigger cleanup before hitting hard limit - Prevents memory exhaustion under sustained load CLI-001: Validate clipboard tool paths against trusted directories - Add TRUSTED_CLIPBOARD_DIRS for Unix system paths - Add TRUSTED_WINDOWS_PATTERNS for Windows validation - Reject tools in user-writable locations (PATH hijack prevention) - Use absolute paths in subprocess calls	2025-12-24 22:03:17 +01:00
Username	7063f8718e	feat: add observability and CLI enhancements ... Audit logging: - audit_log table with event tracking - app/audit.py module with log_event(), query_audit_log() - GET /audit endpoint (admin only) - configurable retention and cleanup Prometheus metrics: - app/metrics.py with custom counters - paste create/access/delete, rate limit, PoW, dedup metrics - instrumentation in API routes CLI clipboard integration: - fpaste create -C/--clipboard (read from clipboard) - fpaste create --copy-url (copy result URL) - fpaste get -c/--copy (copy content) - cross-platform: xclip, xsel, pbcopy, wl-copy Shell completions: - completions/ directory with bash/zsh/fish scripts - fpaste completion --shell command	2025-12-23 22:39:50 +01:00
Username	680b068c00	refactor: code consistency and best practices ... - add type hints to error handlers in app/__init__.py - add docstrings to nested callback functions - remove deprecated X-XSS-Protection header (superseded by CSP) - fix typo in cleanup log message (entr(ies) -> entries) - standardize loop variable naming in fpaste CLI - update test for intentional header removal	2025-12-22 00:25:18 +01:00
Username	916a09f595	fpaste: add batch delete and --all with confirmation	2025-12-21 22:06:53 +01:00
Username	3fe631f6b9	fpaste: add --all flag and expiry countdown to list	2025-12-21 21:43:48 +01:00
Username	1f09f2686a	fpaste: consolidate code and add type hints ... - Add type hints throughout (NoReturn, Path | None, etc.) - Extract helper functions to eliminate duplication: - read_config_file() / write_config_file() - parse_error() for JSON error parsing - format_paste_row() / print_paste_list() - prepare_content(), extract_paste_id() - auth_headers(), require_auth() - Add constants (CONFIG_DIR, CONFIG_KEYS, MIME_EXTENSIONS) - Replace if/elif chains with command dispatch tables - Extract build_parser() from main() - Use walrus operators and frozenset where appropriate Net reduction: 170 lines (-793 +623)	2025-12-21 12:43:34 +01:00
Username	880bf631e3	fpaste: add register command for public certificate enrollment ... - Add register command to obtain client cert from server - Solve PoW challenge, receive PKCS#12 bundle - Extract cert/key, optionally update config (--configure) - Fix registration to work without PKI_ENABLED (only needs PKI_CA_PASSWORD) - Add skip_enabled_check param to get_ca_info() for registration path - Update docs: README examples, API header name fix (X-Fingerprint-SHA1)	2025-12-21 10:59:09 +01:00
Username	68d51c5b3e	fpaste: show elevated pow difficulty on create	2025-12-20 21:57:13 +01:00
Username	c6b3dd410a	fpaste: retry on pow failure (max 5 attempts)	2025-12-20 21:09:14 +01:00
Username	89ac2af161	fpaste info: show pow difficulty level	2025-12-20 20:58:17 +01:00
Username	bfc238b5cf	add CLI enhancements and scheduled cleanup ... CLI commands: - list: show user's pastes with pagination - search: filter by type (glob), after/before timestamps - update: modify content, password, or extend expiry - export: save pastes to directory with optional decryption API changes: - PUT /<id>: update paste content and metadata - GET /pastes: add type, after, before query params Scheduled tasks: - Thread-safe cleanup with per-task intervals - Activate cleanup_expired_hashes (15min) - Activate cleanup_rate_limits (5min) Tests: 205 passing	2025-12-20 20:13:00 +01:00
Username	d364c954d8	style: format with ruff	2025-12-20 18:32:47 +01:00
Username	d0b199de11	fix lint errors (line length, unused var, nested if)	2025-12-20 18:31:47 +01:00
Username	9e92db5217	fpaste: fix -E flag with piped stdin	2025-12-20 18:22:59 +01:00
Username	ba29b6e319	fpaste: encrypt by default, add file path shortcut ... Change encryption from opt-in (-e) to opt-out (-E/--no-encrypt). Add argument preprocessing to auto-insert "create" command when file path is detected, allowing `fpaste file.txt` shortcut.	2025-12-20 18:05:33 +01:00
Username	85110b2570	fpaste: add file path shortcut (fpaste <file>)	2025-12-20 17:56:34 +01:00
Username	4e38517faf	pki: add minimal certificate authority ... - CA generation with encrypted private key storage (AES-256-GCM) - Client certificate issuance with configurable validity - Certificate revocation with status tracking - SHA1 fingerprint integration with existing mTLS auth - API endpoints: /pki/status, /pki/ca, /pki/issue, /pki/revoke - CLI commands: fpaste pki status/issue/revoke - Comprehensive test coverage	2025-12-20 17:20:15 +01:00
Username	9ccd4225dd	fpaste: add E2E encryption support ... -e/--encrypt flag encrypts content with AES-256-GCM before upload. Key is appended to URL fragment (#...), never sent to server. Auto-detects key fragment on retrieval and decrypts locally.	2025-12-20 06:51:35 +01:00
Username	8fdeeaed9c	add proof-of-work spam prevention ... Clients must solve a SHA256 hash puzzle before paste creation. Configurable via FLASKPASTE_POW_DIFFICULTY (0 = disabled, 16 = default). Challenge tokens expire after FLASKPASTE_POW_TTL seconds (default 300).	2025-12-20 04:03:59 +01:00
Username	682df17257	add command-line client	2025-12-20 03:57:41 +01:00