"""Application configuration.""" import os from pathlib import Path # Application version VERSION = "1.5.0" class Config: """Base configuration.""" BASE_DIR = Path(__file__).parent.parent DATABASE = os.environ.get("FLASKPASTE_DB", BASE_DIR / "data" / "pastes.db") PASTE_ID_LENGTH = int(os.environ.get("FLASKPASTE_ID_LENGTH", "12")) # Paste size limits # Minimum size enforces encryption overhead (IV + tag + ciphertext) # AES-256-GCM: 12 byte IV + 16 byte tag = 28 bytes minimum, ~40 base64 MIN_PASTE_SIZE = int(os.environ.get("FLASKPASTE_MIN_SIZE", 0)) # 0 = disabled MAX_PASTE_SIZE_ANON = int(os.environ.get("FLASKPASTE_MAX_ANON", 3 * 1024 * 1024)) # 3MiB MAX_PASTE_SIZE_AUTH = int(os.environ.get("FLASKPASTE_MAX_AUTH", 50 * 1024 * 1024)) # 50MiB MAX_CONTENT_LENGTH = MAX_PASTE_SIZE_AUTH # Flask request limit # Paste expiry (tiered by authentication level) # Anonymous users: shortest expiry (default 1 day) EXPIRY_ANON = int(os.environ.get("FLASKPASTE_EXPIRY_ANON", 1 * 24 * 60 * 60)) # Untrusted certs (authenticated but not registered): medium expiry (default 7 days) EXPIRY_UNTRUSTED = int(os.environ.get("FLASKPASTE_EXPIRY_UNTRUSTED", 7 * 24 * 60 * 60)) # Trusted certs (registered in PKI): longest expiry (default 30 days, 0 = no expiry) EXPIRY_TRUSTED = int(os.environ.get("FLASKPASTE_EXPIRY_TRUSTED", 30 * 24 * 60 * 60)) # Maximum custom expiry (default 90 days, 0 = unlimited for trusted) MAX_EXPIRY_SECONDS = int(os.environ.get("FLASKPASTE_MAX_EXPIRY", 90 * 24 * 60 * 60)) # Legacy alias for backwards compatibility PASTE_EXPIRY_SECONDS = EXPIRY_ANON # Content deduplication / abuse prevention # Throttle repeated submissions of identical content CONTENT_DEDUP_WINDOW = int(os.environ.get("FLASKPASTE_DEDUP_WINDOW", 3600)) # 1 hour CONTENT_DEDUP_MAX = int(os.environ.get("FLASKPASTE_DEDUP_MAX", 3)) # max 3 per window # Minimum entropy requirement (0 = disabled) # Encrypted data has ~7.5-8.0 bits/byte, plaintext ~4.0-5.0 # Set to 6.0+ to effectively require encryption _min_entropy_raw = float(os.environ.get("FLASKPASTE_MIN_ENTROPY", 0)) MIN_ENTROPY = max(0.0, min(8.0, _min_entropy_raw)) # Clamp to valid range [0, 8] # Minimum size for entropy check (small data has unreliable entropy measurement) _min_entropy_size_raw = int(os.environ.get("FLASKPASTE_MIN_ENTROPY_SIZE", 256)) MIN_ENTROPY_SIZE = max(1, _min_entropy_size_raw) # Must be positive # Require binary content (reject recognizable formats) # Rejects content with known magic bytes (PNG, JPEG, PDF, etc.) and UTF-8 text. REQUIRE_BINARY = os.environ.get("FLASKPASTE_REQUIRE_BINARY", "0").lower() in ( "1", "true", "yes", ) # Reverse proxy trust configuration # SECURITY: The X-SSL-Client-SHA1 header is trusted for authentication. # This header MUST only come from a trusted reverse proxy that validates # client certificates. Direct access to this app MUST be blocked. # # Set FLASKPASTE_PROXY_SECRET to require the proxy to send a matching # X-Proxy-Secret header, providing defense-in-depth against header spoofing. TRUSTED_PROXY_SECRET = os.environ.get("FLASKPASTE_PROXY_SECRET", "") # Proof-of-work spam prevention # Clients must solve a computational puzzle before paste creation. # Difficulty is number of leading zero bits required in hash (0 = disabled). POW_DIFFICULTY = int(os.environ.get("FLASKPASTE_POW_DIFFICULTY", "20")) POW_CHALLENGE_TTL = int(os.environ.get("FLASKPASTE_POW_TTL", "300")) # 5 minutes # Secret key for signing challenges (auto-generated if not set) POW_SECRET = os.environ.get("FLASKPASTE_POW_SECRET", "") # Registration PoW difficulty (higher than paste creation for security) REGISTER_POW_DIFFICULTY = int(os.environ.get("FLASKPASTE_REGISTER_POW", "24")) # Anti-flood: dynamically increase PoW difficulty under load ANTIFLOOD_ENABLED = os.environ.get("FLASKPASTE_ANTIFLOOD", "1").lower() in ( "1", "true", "yes", ) ANTIFLOOD_WINDOW = int(os.environ.get("FLASKPASTE_ANTIFLOOD_WINDOW", "60")) # seconds ANTIFLOOD_THRESHOLD = int(os.environ.get("FLASKPASTE_ANTIFLOOD_THRESHOLD", "5")) # req/window ANTIFLOOD_STEP = int(os.environ.get("FLASKPASTE_ANTIFLOOD_STEP", "2")) # bits per step ANTIFLOOD_MAX = int(os.environ.get("FLASKPASTE_ANTIFLOOD_MAX", "28")) # max difficulty ANTIFLOOD_DECAY = int(os.environ.get("FLASKPASTE_ANTIFLOOD_DECAY", "60")) # seconds to decay # FLOOD-001: Maximum entries in anti-flood request list (memory DoS protection) ANTIFLOOD_MAX_ENTRIES = int(os.environ.get("FLASKPASTE_ANTIFLOOD_MAX_ENTRIES", "10000")) # URL prefix for reverse proxy deployments (e.g., "/paste" for mymx.me/paste) URL_PREFIX = os.environ.get("FLASKPASTE_URL_PREFIX", "").rstrip("/") # IP-based rate limiting # Limits paste creation per IP address using sliding window RATE_LIMIT_ENABLED = os.environ.get("FLASKPASTE_RATE_LIMIT", "1").lower() in ( "1", "true", "yes", ) RATE_LIMIT_WINDOW = int(os.environ.get("FLASKPASTE_RATE_WINDOW", "60")) # seconds RATE_LIMIT_MAX = int(os.environ.get("FLASKPASTE_RATE_MAX", "10")) # requests per window # Authenticated users get higher limits (multiplier) RATE_LIMIT_AUTH_MULTIPLIER = int(os.environ.get("FLASKPASTE_RATE_AUTH_MULT", "5")) # Maximum unique IPs tracked in rate limit storage (RATE-001: memory DoS protection) RATE_LIMIT_MAX_ENTRIES = int(os.environ.get("FLASKPASTE_RATE_MAX_ENTRIES", "10000")) # RATE-002: Cleanup threshold (0.0-1.0) - trigger cleanup when entries exceed this ratio RATE_LIMIT_CLEANUP_THRESHOLD = float(os.environ.get("FLASKPASTE_RATE_CLEANUP_THRESHOLD", "0.8")) # ENUM-001: Rate limiting for paste lookups (prevents enumeration attacks) # Separate from creation limits - allows more reads but prevents brute-force LOOKUP_RATE_LIMIT_ENABLED = os.environ.get("FLASKPASTE_LOOKUP_RATE_LIMIT", "1").lower() in ( "1", "true", "yes", ) LOOKUP_RATE_LIMIT_WINDOW = int(os.environ.get("FLASKPASTE_LOOKUP_RATE_WINDOW", "60")) LOOKUP_RATE_LIMIT_MAX = int(os.environ.get("FLASKPASTE_LOOKUP_RATE_MAX", "60")) # ENUM-002: Maximum tracked IPs for lookup rate limiting (memory protection) LOOKUP_RATE_LIMIT_MAX_ENTRIES = int( os.environ.get("FLASKPASTE_LOOKUP_RATE_MAX_ENTRIES", "10000") ) # Audit Logging # Track security-relevant events (paste creation, deletion, rate limits, etc.) AUDIT_ENABLED = os.environ.get("FLASKPASTE_AUDIT", "1").lower() in ("1", "true", "yes") AUDIT_RETENTION_DAYS = int(os.environ.get("FLASKPASTE_AUDIT_RETENTION", "90")) # PKI Configuration # Enable PKI endpoints for certificate authority and issuance PKI_ENABLED = os.environ.get("FLASKPASTE_PKI_ENABLED", "0").lower() in ("1", "true", "yes") # CA password for signing operations (REQUIRED when PKI is enabled) PKI_CA_PASSWORD = os.environ.get("FLASKPASTE_PKI_CA_PASSWORD", "") # Default validity period for issued certificates (days) PKI_CERT_DAYS = int(os.environ.get("FLASKPASTE_PKI_CERT_DAYS", "365")) # CA certificate validity period (days) PKI_CA_DAYS = int(os.environ.get("FLASKPASTE_PKI_CA_DAYS", "3650")) # 10 years class DevelopmentConfig(Config): """Development configuration.""" DEBUG = True class ProductionConfig(Config): """Production configuration.""" DEBUG = False class TestingConfig(Config): """Testing configuration.""" TESTING = True DATABASE = ":memory:" # Relaxed dedup for testing (100 per second window) CONTENT_DEDUP_WINDOW = 1 CONTENT_DEDUP_MAX = 100 # Disable PoW for most tests (easier testing) POW_DIFFICULTY = 0 # Relaxed rate limiting for tests RATE_LIMIT_ENABLED = True RATE_LIMIT_WINDOW = 1 RATE_LIMIT_MAX = 100 # Relaxed lookup rate limiting for tests (ENUM-001) LOOKUP_RATE_LIMIT_ENABLED = True LOOKUP_RATE_LIMIT_WINDOW = 1 LOOKUP_RATE_LIMIT_MAX = 1000 # PKI testing configuration PKI_ENABLED = True PKI_CA_PASSWORD = "test-ca-password" PKI_CERT_DAYS = 30 PKI_CA_DAYS = 365 config = { "development": DevelopmentConfig, "production": ProductionConfig, "testing": TestingConfig, "default": DevelopmentConfig, }