username/flaskpaste
1
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
216 Commits 1 Branch 0 Tags
main
Commit Graph

5 Commits

Author SHA1 Message Date
Username
89eee3378a security: implement pentest remediation (PROXY-001, BURN-001, RATE-001)
All checks were successful
CI / Lint & Format (push) Successful in 18s
Details
CI / Security Scan (push) Successful in 22s
Details
CI / Memory Leak Check (push) Successful in 21s
Details
CI / Tests (push) Successful in 1m16s
Details 
PROXY-001: Add startup warning when TRUSTED_PROXY_SECRET empty in production
- validate_security_config() checks for missing proxy secret
- Additional warning when PKI enabled without proxy secret
- Tests for security configuration validation

BURN-001: HEAD requests now trigger burn-after-read deletion
- Prevents attacker from probing paste existence before retrieval
- Updated test to verify new behavior

RATE-001: Add RATE_LIMIT_MAX_ENTRIES to cap memory usage
- Default 10000 unique IPs tracked
- Prunes oldest entries when limit exceeded
- Protects against memory exhaustion DoS

Test count: 284 -> 291 (7 new security tests)
 2025-12-24 21:42:15 +01:00
Username
680b068c00 refactor: code consistency and best practices
All checks were successful
CI / Lint & Format (push) Successful in 18s
Details
CI / Security Scan (push) Successful in 22s
Details
CI / Tests (push) Successful in 1m6s
Details 
- add type hints to error handlers in app/__init__.py
- add docstrings to nested callback functions
- remove deprecated X-XSS-Protection header (superseded by CSP)
- fix typo in cleanup log message (entr(ies) -> entries)
- standardize loop variable naming in fpaste CLI
- update test for intentional header removal
 2025-12-22 00:25:18 +01:00
Username
098789ff89 allow untrusted certs to manage own pastes
Some checks failed
CI / Lint & Format (push) Failing after 15s
Details
CI / Tests (push) Has been skipped
Details
CI / Security Scan (push) Failing after 20s
Details 
Split authentication into two functions:
- get_client_fingerprint(): Identity for ownership (any cert)
- get_client_id(): Elevated privileges (trusted certs only)

Behavior:
- Anonymous: Create only, strict limits
- Untrusted cert: Create + delete/update/list own pastes, strict limits
- Trusted cert: All operations, relaxed limits (50MB, 5x rate)

Updated tests to reflect new behavior where revoked certs
can still manage their own pastes.
 2025-12-21 12:59:18 +01:00
Username
9da33f786e fix lint issues across codebase 2025-12-20 17:20:27 +01:00
Username
8f9868f0d9 flaskpaste: initial commit with security hardening 
Features:
- REST API for text/binary pastes with MIME detection
- Client certificate auth via X-SSL-Client-SHA1 header
- SQLite with WAL mode for concurrent access
- Automatic paste expiry with LRU cleanup

Security:
- HSTS, CSP, X-Frame-Options, X-Content-Type-Options
- Cache-Control: no-store for sensitive responses
- X-Request-ID tracing for log correlation
- X-Proxy-Secret validation for defense-in-depth
- Parameterized queries, input validation
- Size limits (3 MiB anon, 50 MiB auth)

Includes /health endpoint, container support, and 70 tests.
 2025-12-16 04:42:18 +01:00