sec: CHANGE the pad_id check to only allow ASCII characters #24

main.py

@@ -114,8 +114,8 @@ def generate_deletion_token() -> str:
 
 def validate_paste_id(paste_id: str) -> bool:
     """Validate paste ID to prevent path traversal and other attacks"""
-    # Must be alphanumeric only
-    if not paste_id.isalnum():
+    # Must be ASCII alphanumeric — isalnum() alone accepts Unicode (e.g. 'ñ', '𝟱')
+    if not (paste_id.isascii() and paste_id.isalnum()):
         return False
     # Reasonable length check (prevent extremely long IDs)
     if len(paste_id) > 64:
@@ -321,7 +321,7 @@ async def upload_text(request: Request, authorized: bool = Depends(validate_uplo
 @limiter.limit(RATE_LIMIT)
 async def get_file(paste_id: str, request: Request, token: Optional[str] = None):
     """Get paste content or delete if token is provided"""
-    if not paste_id.isalnum():
+    if not validate_paste_id(paste_id):
         raise HTTPException(status_code=404, detail="Paste not found")
 
     file_location = UPLOAD_DIR / paste_id
@@ -349,7 +349,7 @@ async def delete_paste_endpoint(paste_id: str, request: Request, token: Optional
     user_agent = request.headers.get("User-Agent", "unknown")
 
     # Validate paste_id format
-    if not paste_id.isalnum():
+    if not validate_paste_id(paste_id):
         raise HTTPException(status_code=404, detail="Paste not found")
 
     # Check if token is provided (query param or header)