32 Commits

Author	SHA1	Message	Date
user	e7c278be0d	fix: share PoW HMAC secret across gunicorn workers ... get_pow_secret() generated a random secret per process, so challenges signed by worker A failed verification on worker B (~90% failure rate with 2 workers). Persist a file-backed secret to data/.pow_secret using O_EXCL for atomic creation. FLASKPASTE_POW_SECRET env var still takes priority when configured. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-23 21:32:18 +01:00
Username	80b8dbdd40	config: add url shortener settings	2026-02-16 20:26:43 +01:00
Username	9777cbb053	bump version to 1.5.2	2026-01-20 08:41:22 +01:00
Username	a7f1c09634	bump version to 1.5.1	2025-12-26 19:15:20 +01:00
Username	bc751d1b8c	validate MIN_ENTROPY config bounds [0, 8]	2025-12-26 18:47:06 +01:00
Username	4f5da8ca66	fix: add memory protection to lookup rate limiting ... ENUM-002: Lookup rate limit now respects LOOKUP_RATE_LIMIT_MAX_ENTRIES (default 10000) to prevent memory exhaustion from unique IP flood. Eviction strategy: expired entries first, then oldest by last request.	2025-12-26 00:16:41 +01:00
Username	8408fedf5a	fix lint errors (unused vars, line length, formatting)	2025-12-25 20:43:28 +01:00
Username	c130020ab8	security: implement HASH-001 and ENUM-001 remediations ... HASH-001: Add threading lock to content hash deduplication - Prevents race condition between SELECT and UPDATE - Ensures accurate dedup counting under concurrent load ENUM-001: Add rate limiting to paste lookups - Separate rate limiter for GET/HEAD on paste endpoints - Default 60 requests/minute per IP (configurable) - Prevents brute-force paste ID enumeration attacks	2025-12-24 23:12:28 +01:00
Username	da1beca893	security: implement quick win remediations (FLOOD-001, CLI-002, CLI-003, AUDIT-001) ... FLOOD-001: Cap anti-flood request list at configurable max entries - Add ANTIFLOOD_MAX_ENTRIES config (default 10000) - Prune oldest entries when limit exceeded CLI-002: Explicitly set SSL hostname verification - Add ctx.check_hostname = True and ctx.verify_mode = CERT_REQUIRED - Defense in depth (create_default_context sets these by default) CLI-003: Warn on insecure config file permissions - Check if config file is world-readable - Print warning to stderr if permissions too open AUDIT-001: Already implemented - query has LIMIT/OFFSET with 500 max	2025-12-24 23:02:55 +01:00
Username	1fbb69d7f9	security: implement pentest remediation (RATE-002, CLI-001) ... RATE-002: Proactive rate limit cleanup when entries exceed threshold - Add RATE_LIMIT_CLEANUP_THRESHOLD config (default 0.8) - Trigger cleanup before hitting hard limit - Prevents memory exhaustion under sustained load CLI-001: Validate clipboard tool paths against trusted directories - Add TRUSTED_CLIPBOARD_DIRS for Unix system paths - Add TRUSTED_WINDOWS_PATTERNS for Windows validation - Reject tools in user-writable locations (PATH hijack prevention) - Use absolute paths in subprocess calls	2025-12-24 22:03:17 +01:00
Username	89eee3378a	security: implement pentest remediation (PROXY-001, BURN-001, RATE-001) ... PROXY-001: Add startup warning when TRUSTED_PROXY_SECRET empty in production - validate_security_config() checks for missing proxy secret - Additional warning when PKI enabled without proxy secret - Tests for security configuration validation BURN-001: HEAD requests now trigger burn-after-read deletion - Prevents attacker from probing paste existence before retrieval - Updated test to verify new behavior RATE-001: Add RATE_LIMIT_MAX_ENTRIES to cap memory usage - Default 10000 unique IPs tracked - Prunes oldest entries when limit exceeded - Protects against memory exhaustion DoS Test count: 284 -> 291 (7 new security tests)	2025-12-24 21:42:15 +01:00
Username	7063f8718e	feat: add observability and CLI enhancements ... Audit logging: - audit_log table with event tracking - app/audit.py module with log_event(), query_audit_log() - GET /audit endpoint (admin only) - configurable retention and cleanup Prometheus metrics: - app/metrics.py with custom counters - paste create/access/delete, rate limit, PoW, dedup metrics - instrumentation in API routes CLI clipboard integration: - fpaste create -C/--clipboard (read from clipboard) - fpaste create --copy-url (copy result URL) - fpaste get -c/--copy (copy content) - cross-platform: xclip, xsel, pbcopy, wl-copy Shell completions: - completions/ directory with bash/zsh/fish scripts - fpaste completion --shell command	2025-12-23 22:39:50 +01:00
Username	e8a99d5bdd	add tiered auto-expiry based on auth level	2025-12-21 21:55:30 +01:00
Username	c0c65a23ad	bump version to 1.5.0	2025-12-21 11:09:53 +01:00
Username	5849c7406f	add /register endpoint for public certificate registration ... Public endpoint allows anyone to obtain a client certificate for authentication. Features: - Higher PoW difficulty than paste creation (24 vs 20 bits) - Auto-generates CA on first registration if not present - Returns PKCS#12 bundle with cert, key, and CA - Configurable via FLASKPASTE_REGISTER_POW Endpoints: - GET /register/challenge - Get registration PoW challenge - POST /register - Register and receive PKCS#12 bundle	2025-12-21 10:34:02 +01:00
Username	98bc656c87	config: increase anti-flood decay to 60s	2025-12-20 21:18:54 +01:00
Username	8d13f52549	bump to 1.4.0, lower anti-flood threshold to 5	2025-12-20 20:53:49 +01:00
Username	45712ea93f	add anti-flood: dynamic PoW difficulty under load ... When paste creation rate exceeds threshold, PoW difficulty increases to slow down attackers. Decays back to base when abuse stops. Config: - ANTIFLOOD_THRESHOLD: requests/window before increase (30) - ANTIFLOOD_STEP: difficulty bits per step (2) - ANTIFLOOD_MAX: maximum difficulty cap (28) - ANTIFLOOD_DECAY: seconds before reducing (30)	2025-12-20 20:45:58 +01:00
Username	dfca09102a	bump version to 1.3.0	2025-12-20 20:20:47 +01:00
Username	bfc238b5cf	add CLI enhancements and scheduled cleanup ... CLI commands: - list: show user's pastes with pagination - search: filter by type (glob), after/before timestamps - update: modify content, password, or extend expiry - export: save pastes to directory with optional decryption API changes: - PUT /<id>: update paste content and metadata - GET /pastes: add type, after, before query params Scheduled tasks: - Thread-safe cleanup with per-task intervals - Activate cleanup_expired_hashes (15min) - Activate cleanup_rate_limits (5min) Tests: 205 passing	2025-12-20 20:13:00 +01:00
Username	d364c954d8	style: format with ruff	2025-12-20 18:32:47 +01:00
Username	d0b199de11	fix lint errors (line length, unused var, nested if)	2025-12-20 18:31:47 +01:00
Username	28ee2bae31	add minimum size and binary content enforcement	2025-12-20 17:46:49 +01:00
Username	4e38517faf	pki: add minimal certificate authority ... - CA generation with encrypted private key storage (AES-256-GCM) - Client certificate issuance with configurable validity - Certificate revocation with status tracking - SHA1 fingerprint integration with existing mTLS auth - API endpoints: /pki/status, /pki/ca, /pki/issue, /pki/revoke - CLI commands: fpaste pki status/issue/revoke - Comprehensive test coverage	2025-12-20 17:20:15 +01:00
Username	7deba711d4	entropy: exempt small content from check ... Small data has unreliable entropy measurement due to sample size. MIN_ENTROPY_SIZE (default 256 bytes) sets the threshold.	2025-12-20 08:48:13 +01:00
Username	8addf2d9e8	add entropy enforcement for optional encryption requirement ... Shannon entropy check rejects low-entropy content when MIN_ENTROPY > 0. Encrypted data ~7.5-8.0 bits/byte, plaintext ~4.0-5.0 bits/byte. Configurable via FLASKPASTE_MIN_ENTROPY environment variable.	2025-12-20 06:57:50 +01:00
Username	5770698847	add URL_PREFIX config for reverse proxy path support	2025-12-20 04:43:36 +01:00
Username	c76a158c18	bump version to 1.1.0, centralize VERSION constant	2025-12-20 04:21:06 +01:00
Username	efd48c5563	pow: increase default difficulty to 20	2025-12-20 04:05:35 +01:00
Username	8fdeeaed9c	add proof-of-work spam prevention ... Clients must solve a SHA256 hash puzzle before paste creation. Configurable via FLASKPASTE_POW_DIFFICULTY (0 = disabled, 16 = default). Challenge tokens expire after FLASKPASTE_POW_TTL seconds (default 300).	2025-12-20 04:03:59 +01:00
Username	202e927918	add content-hash dedup for abuse prevention ... Throttle repeated submissions of identical content using SHA256 hash tracking. Configurable via FLASKPASTE_DEDUP_WINDOW and FLASKPASTE_DEDUP_MAX.	2025-12-20 03:31:20 +01:00
Username	8f9868f0d9	flaskpaste: initial commit with security hardening ... Features: - REST API for text/binary pastes with MIME detection - Client certificate auth via X-SSL-Client-SHA1 header - SQLite with WAL mode for concurrent access - Automatic paste expiry with LRU cleanup Security: - HSTS, CSP, X-Frame-Options, X-Content-Type-Options - Cache-Control: no-store for sensitive responses - X-Request-ID tracing for log correlation - X-Proxy-Secret validation for defense-in-depth - Parameterized queries, input validation - Size limits (3 MiB anon, 50 MiB auth) Includes /health endpoint, container support, and 70 tests.	2025-12-16 04:42:18 +01:00