From 0d6e3244b13d63fd1351905b4061af48ceb8869b Mon Sep 17 00:00:00 2001
From: CaffeineFueled
Date: Mon, 25 May 2026 13:34:48 +0200
Subject: [PATCH] sec: CHANGE the pad_id check to only allow ASCII characters #24
---
 main.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/main.py b/main.py
index 4438d10..ec37f11 100644
--- a/main.py
+++ b/main.py
@@ -114,8 +114,8 @@ def generate_deletion_token() -> str:
 def validate_paste_id(paste_id: str) -> bool:
 """Validate paste ID to prevent path traversal and other attacks"""
- # Must be alphanumeric only
- if not paste_id.isalnum():
+ # Must be ASCII alphanumeric — isalnum() alone accepts Unicode (e.g. 'ñ', '𝟱')
+ if not (paste_id.isascii() and paste_id.isalnum()):
 return False
 # Reasonable length check (prevent extremely long IDs)
 if len(paste_id) > 64:
@@ -321,7 +321,7 @@ async def upload_text(request: Request, authorized: bool = Depends(validate_uplo
 @limiter.limit(RATE_LIMIT)
 async def get_file(paste_id: str, request: Request, token: Optional[str] = None):
 """Get paste content or delete if token is provided"""
- if not paste_id.isalnum():
+ if not validate_paste_id(paste_id):
 raise HTTPException(status_code=404, detail="Paste not found")
 file_location = UPLOAD_DIR / paste_id
@@ -349,7 +349,7 @@ async def delete_paste_endpoint(paste_id: str, request: Request, token: Optional
 user_agent = request.headers.get("User-Agent", "unknown")
 # Validate paste_id format
- if not paste_id.isalnum():
+ if not validate_paste_id(paste_id):
 raise HTTPException(status_code=404, detail="Paste not found")
 # Check if token is provided (query param or header)
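Review bot: The new `isascii() and isalnum()` guard in validate_paste_id is correct, but the accepted alphabet is now spread over two predicates plus a separate length check, and nothing in the hunk ties that rule to whatever generates IDs; a single module-level pattern states the contract once and is reusable: `_PASTE_ID_RE = re.compile(r"[A-Za-z0-9]{1,64}")` with `return _PASTE_ID_RE.fullmatch(paste_id) is not None` (this needs `import re` at the top of main.py if it is not already there; I cannot see the import block). That form also rejects the empty string, which the current code does only because `"".isalnum()` is False. The docstring should say what is accepted, e.g. `"""Return True only for 1–64 ASCII letters/digits; anything else is treated as an invalid (not found) ID."""`, so callers do not have to read the body to learn that a Unicode digit such as '𝟱' is now refused. The rest of the function, presumably the final `return True`, lies outside this hunk.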
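Review bot: After the change, `validate_paste_id` is the only thing standing between the URL path and `file_location = UPLOAD_DIR / paste_id`, so a regression in that one function would affect every endpoint at once; a containment check on the joined path is cheap defence in depth: `if not file_location.resolve().is_relative_to(UPLOAD_DIR.resolve()): raise HTTPException(status_code=404, detail="Paste not found")`. Reusing the same 404 body keeps a containment failure indistinguishable from a missing paste, matching the response the hunk already returns for a malformed ID. `Path.is_relative_to` exists from Python 3.9; on older interpreters compare against `resolve().parents` instead. The body of get_file continues past the end of the hunk, so I cannot see how `token` is checked before the delete path.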
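Review bot: The format check plus the 404 is now the same two lines in get_file and in delete_paste_endpoint, which is exactly how the two call sites drifted from validate_paste_id before this commit; a small FastAPI dependency that calls validate_paste_id and raises the identical HTTPException, consumed as `paste_id: str = Depends(checked_paste_id)` in the signature, keeps the rule in one place (`Depends` is already in use in the upload_text signature shown in the previous hunk header). The helper is four lines (def, if, raise, return paste_id) and returns the same status and detail, so the response contract of this hunk does not change. The comment `# Validate paste_id format` would then be dropped or become `# paste_id already validated by checked_paste_id`. delete_paste_endpoint continues beyond the hunk; the token handling it mentions is not visible here.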