Add detection for:
- Images: BMP, TIFF, ICO
- Video: MP4, WebM, FLV, Matroska
- Audio: MP3, FLAC, OGG
- Documents: MS Office OLE (DOC/XLS/PPT)
- Executables: PE (EXE/DLL), ELF, Mach-O, WASM
- Archives: BZIP2, XZ, ZSTD, LZ4, 7z, RAR
- Data: SQLite

This improves REQUIRE_BINARY enforcement by detecting more recognizable formats that should be encrypted before upload.
62 lines
2.5 KiB
Markdown
# TODO

Unstructured intake buffer for ideas, issues, and observations. Items here are raw and unrefined. Actionable items should be promoted to TASKLIST.md.

---

## Ideas

- Paste compression for large text content
  - Must mark compression in URL fragment (e.g., `#z:<key>` or `#<key>:z`)
  - Receiver needs to know content is compressed before decryption
  - Design: compress-then-encrypt only (not compress-only)
  - Compressed data has high entropy → bypasses entropy enforcement
  - Must enforce encryption when compression enabled (CLI-side)
  - Server detects compression formats via magic bytes (REQUIRE_BINARY)
- ETag support for conditional requests
- Neovim/Vim plugin for editor integration
- Webhook notifications for paste events
- Certificate renewal reminder in CLI
- Admin endpoint for CA key rotation
- Clipboard integration (pbcopy/xclip)
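
An added example (not code from this project) of the reasoning in the paste-compression idea above: compressed plaintext clears a byte-entropy threshold, so the server also has to check magic bytes. The threshold `ENTROPY_MIN`, the magic table, and all function names are assumptions; the sample inputs are constructed.

```python
import bz2, gzip, hashlib, lzma, math
from collections import Counter

ENTROPY_MIN = 7.0  # assumed threshold in bits/byte; the project's real value is not shown here

# Well-known leading magic bytes (illustrative table, not the project's own list).
COMPRESSION_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"BZh": "bzip2",
    b"\xfd\x37\x7a\x58\x5a\x00": "xz",
    b"\x28\xb5\x2f\xfd": "zstd",
    b"\x04\x22\x4d\x18": "lz4",
    b"\x37\x7a\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
}

def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def detect_compression(data: bytes):
    # Return the format name if data starts with a known magic, else None.
    for magic, name in COMPRESSION_MAGIC.items():
        if data.startswith(magic):
            return name
    return None

def classify_upload(data: bytes) -> str:
    """Magic bytes first, then entropy, so compressed plaintext is rejected."""
    fmt = detect_compression(data)
    if fmt:
        return f"reject: unencrypted {fmt}"
    if shannon_entropy(data) < ENTROPY_MIN:
        return "reject: low entropy"
    return "accept"

# Constructed sample inputs (not real data).
SAMPLE_TEXT = "".join(
    f"{i:04d} login ok user=u{hashlib.sha256(str(i).encode()).hexdigest()[:12]}\n"
    for i in range(600)
).encode()
# Deterministic pseudo-random bytes standing in for ciphertext.
CIPHERTEXT_LIKE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
COMPRESSED = {"gzip": gzip.compress(SAMPLE_TEXT), "bzip2": bz2.compress(SAMPLE_TEXT),
              "xz": lzma.compress(SAMPLE_TEXT)}
if __name__ == "__main__":
    for name, blob in {"plaintext": SAMPLE_TEXT, **COMPRESSED, "ciphertext": CIPHERTEXT_LIKE}.items():
        print(f"{name:<10} {shannon_entropy(blob):.2f}  {classify_upload(blob)}")
```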

## Observations

- Shell completions already implemented (`fpaste completion --shell bash/zsh/fish`)
- Mypy type errors fixed: now enforced in CI (was informational)
- CI enhanced: security-tests job, SBOM generation (CycloneDX), memory leak checks
- Comprehensive pentest plan completed (PENTEST_PLAN.md) - all remediations implemented
- PKI uses AES-256-GCM for CA private key encryption (PBKDF2 key derivation)
- SHA1 fingerprints are X.509 standard, not security-relevant (usedforsecurity=False)
- Revoked certificates are soft-deleted (status tracked, not removed)
- CI pipeline: lint runs parallel with security, tests wait for lint
- Ruff replaces flake8/isort/pyupgrade with single fast tool
- Bandit configured for medium+ severity only (-ll flag)
- PKI audit events now logged: CERT_ISSUED, CERT_REVOKED, AUTH_FAILURE
- Request duration metrics recorded via Prometheus histogram
- Memory leak tests use tracemalloc to detect leaks (CI job)
- Rate limit headers (X-RateLimit-*) on both 201 and 429 responses
- systemd service unit with security hardening in examples/

## Questions

- Certificate renewal: reissue with same CN or require new request?
- Should revoked certs be purged after grace period?

## Resolved

- Expired paste cleanup runs in-process via before_request hook (no cron needed)

## Debt

- Could add more deployment examples (Kubernetes, Ansible role)

## External Dependencies

- Consider adding `python-magic` for better MIME detection (currently magic bytes only)
- cryptography package required for PKI features (optional otherwise)

---

*Review weekly. Promote actionable items to TASKLIST.md. Archive or delete stale items.*