Username
c69290af2d
routes: skip rate limiting for trusted certificate holders
CI / Lint & Format (push) Failing after 31s
CI / Unit Tests (push) Has been skipped
CI / Memory Leak Check (push) Has been skipped
CI / Fuzz Testing (push) Has been skipped
CI / SBOM Generation (push) Has been skipped
CI / Security Scan (push) Successful in 35s
CI / Security Tests (push) Has been skipped
CI / Advanced Security Tests (push) Has been skipped
CI / Build & Push Image (push) Has been skipped
CI / Harbor Vulnerability Scan (push) Has been skipped
2026-02-18 08:42:25 +01:00
Username
379178e409
exempt /health from rate limiting
...
CI / Lint & Format (push) Failing after 17s
CI / Unit Tests (push) Has been skipped
CI / Memory Leak Check (push) Has been skipped
CI / SBOM Generation (push) Has been skipped
CI / Security Scan (push) Successful in 19s
CI / Security Tests (push) Has been skipped
CI / Advanced Security Tests (push) Has been skipped
Health check endpoint was being rate-limited (60/hour), causing
container health checks (every 30s = 120/hour) to fail with 429.
Uses flask-limiter's request_filter to bypass rate limiting for
the health endpoint, supporting URL_PREFIX configuration.
2026-01-08 20:12:03 +01:00
Username
d09ec0da74
fix: handle 405 Method Not Allowed properly
...
Exception handler was catching MethodNotAllowed and returning 500.
Added dedicated 405 handler and passthrough for HTTPException.
2025-12-25 19:20:08 +01:00
Username
89eee3378a
security: implement pentest remediation (PROXY-001, BURN-001, RATE-001)
...
CI / Lint & Format (push) Successful in 18s
CI / Security Scan (push) Successful in 22s
CI / Memory Leak Check (push) Successful in 21s
CI / Tests (push) Successful in 1m16s
PROXY-001: Add startup warning when TRUSTED_PROXY_SECRET empty in production
- validate_security_config() checks for missing proxy secret
- Additional warning when PKI enabled without proxy secret
- Tests for security configuration validation
BURN-001: HEAD requests now trigger burn-after-read deletion
- Prevents attacker from probing paste existence before retrieval
- Updated test to verify new behavior
RATE-001: Add RATE_LIMIT_MAX_ENTRIES to cap memory usage
- Default 10000 unique IPs tracked
- Prunes oldest entries when limit exceeded
- Protects against memory exhaustion DoS
Test count: 284 -> 291 (7 new security tests)
2025-12-24 21:42:15 +01:00
Username
045f73c998
feat: integrate unused observability features
...
CI / Lint & Format (push) Successful in 18s
CI / Security Scan (push) Successful in 23s
CI / Memory Leak Check (push) Successful in 22s
CI / Tests (push) Successful in 1m16s
- Add request duration metrics via before/after request hooks
- Add PKI audit logging: CERT_ISSUED, CERT_REVOKED, AUTH_FAILURE
- Wire up observe_request_duration() from metrics.py
- Log certificate operations (registration, CA gen, issue, revoke)
- Log auth failures for revoked/expired certificates
2025-12-24 16:41:31 +01:00
Username
7063f8718e
feat: add observability and CLI enhancements
...
CI / Lint & Format (push) Failing after 16s
CI / Tests (push) Has been skipped
CI / Security Scan (push) Failing after 20s
Audit logging:
- audit_log table with event tracking
- app/audit.py module with log_event(), query_audit_log()
- GET /audit endpoint (admin only)
- configurable retention and cleanup
Prometheus metrics:
- app/metrics.py with custom counters
- paste create/access/delete, rate limit, PoW, dedup metrics
- instrumentation in API routes
CLI clipboard integration:
- fpaste create -C/--clipboard (read from clipboard)
- fpaste create --copy-url (copy result URL)
- fpaste get -c/--copy (copy content)
- cross-platform: xclip, xsel, pbcopy, wl-copy
Shell completions:
- completions/ directory with bash/zsh/fish scripts
- fpaste completion --shell command
2025-12-23 22:39:50 +01:00
Username
ca9342e92d
fix: add comprehensive type annotations for mypy
...
CI / Lint & Format (push) Successful in 18s
CI / Security Scan (push) Successful in 21s
CI / Tests (push) Successful in 1m6s
- database.py: add type hints for Path, Flask, Any, BaseException
- pki.py: add assertions to narrow Optional types after has_ca() checks
- routes.py: annotate config values to avoid Any return types
- api/__init__.py: use float for cleanup timestamps (time.time())
- __init__.py: remove unused return from setup_rate_limiting
2025-12-22 19:11:11 +01:00
Username
680b068c00
refactor: code consistency and best practices
...
CI / Lint & Format (push) Successful in 18s
CI / Security Scan (push) Successful in 22s
CI / Tests (push) Successful in 1m6s
- add type hints to error handlers in app/__init__.py
- add docstrings to nested callback functions
- remove deprecated X-XSS-Protection header (superseded by CSP)
- fix typo in cleanup log message (entr(ies) -> entries)
- standardize loop variable naming in fpaste CLI
- update test for intentional header removal
2025-12-22 00:25:18 +01:00
Username
9da33f786e
fix lint issues across codebase
2025-12-20 17:20:27 +01:00
Username
c76a158c18
bump version to 1.1.0, centralize VERSION constant
CI / test (push) Successful in 37s
2025-12-20 04:21:06 +01:00
Username
8f9868f0d9
flaskpaste: initial commit with security hardening
...
Features:
- REST API for text/binary pastes with MIME detection
- Client certificate auth via X-SSL-Client-SHA1 header
- SQLite with WAL mode for concurrent access
- Automatic paste expiry with LRU cleanup
Security:
- HSTS, CSP, X-Frame-Options, X-Content-Type-Options
- Cache-Control: no-store for sensitive responses
- X-Request-ID tracing for log correlation
- X-Proxy-Secret validation for defense-in-depth
- Parameterized queries, input validation
- Size limits (3 MiB anon, 50 MiB auth)
Includes /health endpoint, container support, and 70 tests.
2025-12-16 04:42:18 +01:00
