username/flaskpaste
1
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9901649fd7786e953b4b0d0d40ba6dfced21148a
flaskpaste/TODO.md
Username 9901649fd7
Some checks failed
CI / Lint & Format (push) Failing after 16s
Details
CI / Unit Tests (push) Has been skipped
Details
CI / Memory Leak Check (push) Has been skipped
Details
CI / SBOM Generation (push) Has been skipped
Details
CI / Security Scan (push) Failing after 21s
Details
CI / Security Tests (push) Has been skipped
Details
docs: add compression design constraints 
Compression must be paired with encryption (compress-then-encrypt)
to prevent bypassing entropy enforcement via compress-only uploads.
2025-12-25 19:40:34 +01:00

2.4 KiB
Raw Blame History

TODO

Unstructured intake buffer for ideas, issues, and observations. Items here are raw and unrefined. Actionable items should be promoted to TASKLIST.md.

Ideas

  • Paste compression for large text content
    • Must mark compression in URL fragment (e.g., #z:<key> or #<key>:z)
    • Receiver needs to know content is compressed before decryption
    • Design: compress-then-encrypt only (not compress-only)
    • Compressed data has high entropy → bypasses entropy enforcement
    • Must enforce encryption when compression enabled (CLI-side)
  • ETag support for conditional requests
  • Neovim/Vim plugin for editor integration
  • Webhook notifications for paste events
  • Certificate renewal reminder in CLI
  • Admin endpoint for CA key rotation
  • Clipboard integration (pbcopy/xclip)

Observations

  • Shell completions already implemented (fpaste completion --shell bash/zsh/fish)
  • Mypy type errors fixed: now enforced in CI (was informational)
  • CI enhanced: security-tests job, SBOM generation (CycloneDX), memory leak checks
  • Comprehensive pentest plan completed (PENTEST_PLAN.md) - all remediations implemented
  • PKI uses AES-256-GCM for CA private key encryption (PBKDF2 key derivation)
  • SHA1 fingerprints are X.509 standard, not security-relevant (usedforsecurity=False)
  • Revoked certificates are soft-deleted (status tracked, not removed)
  • CI pipeline: lint runs parallel with security, tests wait for lint
  • Ruff replaces flake8/isort/pyupgrade with single fast tool
  • Bandit configured for medium+ severity only (-ll flag)
  • PKI audit events now logged: CERT_ISSUED, CERT_REVOKED, AUTH_FAILURE
  • Request duration metrics recorded via Prometheus histogram
  • Memory leak tests use tracemalloc to detect leaks (CI job)
  • Rate limit headers (X-RateLimit-*) on both 201 and 429 responses
  • systemd service unit with security hardening in examples/

Questions

  • Certificate renewal: reissue with same CN or require new request?
  • Should revoked certs be purged after grace period?

Resolved

  • Expired paste cleanup runs in-process via before_request hook (no cron needed)

Debt

  • Could add more deployment examples (Kubernetes, Ansible role)

External Dependencies

  • Consider adding python-magic for better MIME detection (currently magic bytes only)
  • cryptography package required for PKI features (optional otherwise)

Review weekly. Promote actionable items to TASKLIST.md. Archive or delete stale items.

Reference in New Issue View Git Blame Copy Permalink