flaskpaste

username/flaskpaste

Fork 1

Commit Graph

Author	SHA1	Message	Date
Username	1fbb69d7f9	security: implement pentest remediation (RATE-002, CLI-001) Some checks failed CI / Lint & Format (push) Failing after 16s Details CI / Tests (push) Has been skipped Details CI / Memory Leak Check (push) Has been skipped Details CI / Security Scan (push) Successful in 23s Details RATE-002: Proactive rate limit cleanup when entries exceed threshold - Add RATE_LIMIT_CLEANUP_THRESHOLD config (default 0.8) - Trigger cleanup before hitting hard limit - Prevents memory exhaustion under sustained load CLI-001: Validate clipboard tool paths against trusted directories - Add TRUSTED_CLIPBOARD_DIRS for Unix system paths - Add TRUSTED_WINDOWS_PATTERNS for Windows validation - Reject tools in user-writable locations (PATH hijack prevention) - Use absolute paths in subprocess calls	2025-12-24 22:03:17 +01:00
Username	89eee3378a	security: implement pentest remediation (PROXY-001, BURN-001, RATE-001) All checks were successful CI / Lint & Format (push) Successful in 18s Details CI / Security Scan (push) Successful in 22s Details CI / Memory Leak Check (push) Successful in 21s Details CI / Tests (push) Successful in 1m16s Details PROXY-001: Add startup warning when TRUSTED_PROXY_SECRET empty in production - validate_security_config() checks for missing proxy secret - Additional warning when PKI enabled without proxy secret - Tests for security configuration validation BURN-001: HEAD requests now trigger burn-after-read deletion - Prevents attacker from probing paste existence before retrieval - Updated test to verify new behavior RATE-001: Add RATE_LIMIT_MAX_ENTRIES to cap memory usage - Default 10000 unique IPs tracked - Prunes oldest entries when limit exceeded - Protects against memory exhaustion DoS Test count: 284 -> 291 (7 new security tests)	2025-12-24 21:42:15 +01:00
Username	bebc6e0354	add comprehensive penetration testing plan Define 8 specialized subagents for security testing: - AuthBypass, InputFuzz, CryptoAudit, RaceCondition - DoSResilience, InfoLeak, CLISecurity, DependencyAudit Document critical vulnerabilities and remediation priorities.	2025-12-24 21:32:19 +01:00

Author

SHA1

Message

Date

Username

1fbb69d7f9

security: implement pentest remediation (RATE-002, CLI-001)

CI / Lint & Format (push) Failing after 16s

Details

CI / Tests (push) Has been skipped

Details

CI / Memory Leak Check (push) Has been skipped

Details

CI / Security Scan (push) Successful in 23s

Details

RATE-002: Proactive rate limit cleanup when entries exceed threshold
- Add RATE_LIMIT_CLEANUP_THRESHOLD config (default 0.8)
- Trigger cleanup before hitting hard limit
- Prevents memory exhaustion under sustained load

CLI-001: Validate clipboard tool paths against trusted directories
- Add TRUSTED_CLIPBOARD_DIRS for Unix system paths
- Add TRUSTED_WINDOWS_PATTERNS for Windows validation
- Reject tools in user-writable locations (PATH hijack prevention)
- Use absolute paths in subprocess calls

2025-12-24 22:03:17 +01:00

Username

89eee3378a

security: implement pentest remediation (PROXY-001, BURN-001, RATE-001)

CI / Lint & Format (push) Successful in 18s

Details

CI / Security Scan (push) Successful in 22s

Details

CI / Memory Leak Check (push) Successful in 21s

Details

CI / Tests (push) Successful in 1m16s

Details

PROXY-001: Add startup warning when TRUSTED_PROXY_SECRET empty in production
- validate_security_config() checks for missing proxy secret
- Additional warning when PKI enabled without proxy secret
- Tests for security configuration validation

BURN-001: HEAD requests now trigger burn-after-read deletion
- Prevents attacker from probing paste existence before retrieval
- Updated test to verify new behavior

RATE-001: Add RATE_LIMIT_MAX_ENTRIES to cap memory usage
- Default 10000 unique IPs tracked
- Prunes oldest entries when limit exceeded
- Protects against memory exhaustion DoS

Test count: 284 -> 291 (7 new security tests)

2025-12-24 21:42:15 +01:00

Username

bebc6e0354

add comprehensive penetration testing plan

Define 8 specialized subagents for security testing:
- AuthBypass, InputFuzz, CryptoAudit, RaceCondition
- DoSResilience, InfoLeak, CLISecurity, DependencyAudit

Document critical vulnerabilities and remediation priorities.

2025-12-24 21:32:19 +01:00

3 Commits