username/flaskpaste
1
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3a76453828a2de3fcf6b7fe8e713b4f29ed4103c
flaskpaste/tests/test_cli_security.py
Username 3a76453828
Some checks failed
CI / Lint & Format (push) Failing after 17s
Details
CI / Tests (push) Has been skipped
Details
CI / Memory Leak Check (push) Has been skipped
Details
CI / Security Scan (push) Successful in 23s
Details
security: implement CRYPTO-001 and TIMING-001 remediations 
CRYPTO-001: Certificate serial collision detection
- Add _generate_unique_serial() helper for database-backed PKI
- Add _generate_unique_serial() method for in-memory PKI class
- Check database for existing serial before certificate issuance
- Retry with new random serial if collision detected (max 5 attempts)

TIMING-001: Constant-time database lookups for sensitive queries
- Add dummy PBKDF2 verification when paste not found
- Prevents timing-based enumeration (attackers can't distinguish
  'not found' from 'wrong password' by measuring response time)
2025-12-24 23:28:16 +01:00

97 lines
4.3 KiB
Python
Raw Blame History

"""Tests for CLI security features (CLI-001: clipboard tool validation)."""
import importlib.machinery
import importlib.util
import sys
from pathlib import Path
from unittest.mock import patch
import pytest
def load_fpaste_module():
"""Load the fpaste script as a module."""
fpaste_path = Path(__file__).parent.parent / "fpaste"
spec = importlib.util.spec_from_loader(
"fpaste",
importlib.machinery.SourceFileLoader("fpaste", str(fpaste_path)),
)
if spec is None or spec.loader is None:
pytest.skip("Could not load fpaste module")
fpaste = importlib.util.module_from_spec(spec)
sys.modules["fpaste"] = fpaste
spec.loader.exec_module(fpaste)
return fpaste
class TestClipboardPathValidation:
"""Tests for CLI-001: clipboard tool path validation."""
@pytest.fixture
def fpaste(self):
"""Load fpaste module."""
return load_fpaste_module()
def test_trusted_unix_paths(self, fpaste):
"""Paths in trusted Unix directories should be accepted."""
assert fpaste.is_trusted_clipboard_path("/usr/bin/xclip") is True
assert fpaste.is_trusted_clipboard_path("/usr/local/bin/xsel") is True
assert fpaste.is_trusted_clipboard_path("/bin/cat") is True
assert fpaste.is_trusted_clipboard_path("/opt/homebrew/bin/pbcopy") is True
def test_untrusted_unix_paths(self, fpaste):
"""Paths in user-writable directories should be rejected."""
assert fpaste.is_trusted_clipboard_path("/home/user/bin/xclip") is False
assert fpaste.is_trusted_clipboard_path("/tmp/xclip") is False # noqa: S108
assert fpaste.is_trusted_clipboard_path("/var/tmp/malicious") is False # noqa: S108
assert fpaste.is_trusted_clipboard_path("./xclip") is False
assert fpaste.is_trusted_clipboard_path("") is False
def test_none_path_rejected(self, fpaste):
"""None path should be rejected."""
# is_trusted_clipboard_path should handle None gracefully
assert fpaste.is_trusted_clipboard_path(None) is False
@pytest.mark.skipif(sys.platform != "win32", reason="Windows path tests only run on Windows")
def test_trusted_windows_paths(self, fpaste):
"""Paths in trusted Windows directories should be accepted."""
# Test Windows paths (case-insensitive)
assert fpaste.is_trusted_clipboard_path("C:\\Windows\\System32\\clip.exe") is True
assert fpaste.is_trusted_clipboard_path("C:\\WINDOWS\\SYSTEM32\\clip.exe") is True
assert fpaste.is_trusted_clipboard_path("C:\\Program Files\\tool.exe") is True
def test_untrusted_windows_paths(self, fpaste):
"""Paths in user-writable Windows directories should be rejected."""
assert fpaste.is_trusted_clipboard_path("C:\\Users\\user\\xclip.exe") is False
assert fpaste.is_trusted_clipboard_path("C:\\Temp\\malicious.exe") is False
def test_find_clipboard_command_rejects_untrusted(self, fpaste):
"""find_clipboard_command should reject tools in untrusted paths."""
with patch("shutil.which") as mock_which:
# Untrusted path should be rejected
mock_which.return_value = "/tmp/malicious/xclip" # noqa: S108
result = fpaste.find_clipboard_command(fpaste.CLIPBOARD_READ_COMMANDS)
assert result is None
def test_find_clipboard_command_accepts_trusted(self, fpaste):
"""find_clipboard_command should accept tools in trusted paths."""
with patch("shutil.which") as mock_which:
# Trusted path should be accepted
mock_which.return_value = "/usr/bin/xclip"
result = fpaste.find_clipboard_command(fpaste.CLIPBOARD_READ_COMMANDS)
assert result is not None
assert result[0] == "/usr/bin/xclip"
def test_find_clipboard_uses_absolute_path(self, fpaste):
"""find_clipboard_command should use absolute paths."""
with patch("shutil.which") as mock_which:
mock_which.return_value = "/usr/bin/xclip"
result = fpaste.find_clipboard_command(fpaste.CLIPBOARD_READ_COMMANDS)
# Should use absolute path, not just tool name
assert result[0] == "/usr/bin/xclip"
# Rest of command args should be preserved
assert "-selection" in result
assert "clipboard" in result
Reference in New Issue View Git Blame Copy Permalink