v0.12.3 — Security & correctness bug fixes (33 bugs)

CRITICAL: 10 data race and security fixes — backup.go mutex coverage
(C1-C4), IsSystemDisk 12-bit major/minor (C5), /dev/ path validation
(C6), extractName traversal (C7), TargetPath/DestinationPath against
registered paths (C8-C9), ParseComposeHDDMounts Clean-before-prefix (C10).

HIGH: 17 logic/resource fixes — ValidateDump bufio.Scanner (H1), single
appDirSize() with 30s timeout (H2/H3), snapshot ID regex (H4), cross-drive
restic prune (H5), temp file order (H6), dirSizeBytes errors (H7), atomic
fstab (H8), IsDeviceMounted suffix check (H9), eMMC partition mapping (H10),
bytesCopied mutex (H11), separator-aware migrate prefix (H13), DeleteStack
error on compose-down (H14), docker 60s timeout (H16), NotificationPrefs
deep-copy (H17), wipefs warning (H18), fstab rollback on mount fail (H19).

MEDIUM: 7 code quality fixes — formatBytes dedup (M1), .tmp filter order
(M2), sizeBytes string type (M3), elapsed in message (M6), LoadLocation
fallback (M7), pathCovers separator (M10), cancelEditLabel textContent (M11).

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

controller/internal/api/router.go

@@ -473,13 +473,14 @@ func (r *Router) backupSnapshots(w http.ResponseWriter, req *http.Request) {
 
 // filterSnapshotsByPaths returns only snapshots whose Paths overlap with requiredPaths.
 // A snapshot matches if any of its paths is a prefix of (or prefixed by) any required path.
+// M10: Uses separator-aware prefix check to prevent /mnt/hdd_1 matching /mnt/hdd_10/data.
 func filterSnapshotsByPaths(snapshots []backup.SnapshotInfo, requiredPaths []string) []backup.SnapshotInfo {
 	var filtered []backup.SnapshotInfo
 outer:
 	for _, snap := range snapshots {
 		for _, required := range requiredPaths {
 			for _, sp := range snap.Paths {
-				if strings.HasPrefix(required, sp) || strings.HasPrefix(sp, required) {
+				if pathCovers(required, sp) || pathCovers(sp, required) {
 					filtered = append(filtered, snap)
 					continue outer
 				}
@@ -489,6 +490,14 @@ outer:
 	return filtered
 }
 
+// pathCovers returns true if base is equal to or a directory-prefix of target.
+func pathCovers(base, target string) bool {
+	if base == target {
+		return true
+	}
+	return strings.HasPrefix(target, strings.TrimRight(base, "/")+"/")
+}
+
 // --- Metrics handlers ---
 
 func (r *Router) metricsSystem(w http.ResponseWriter, req *http.Request) {
@@ -612,6 +621,21 @@ func (r *Router) saveCrossBackupConfig(w http.ResponseWriter, req *http.Request,
 		writeJSON(w, http.StatusBadRequest, apiResponse{OK: false, Error: "schedule must be 'daily', 'weekly', or 'manual'"})
 		return
 	}
+	// C9: Validate DestinationPath against registered storage paths to prevent path traversal.
+	if body.Enabled && body.DestinationPath != "" {
+		registeredPaths := r.sett.GetStoragePaths()
+		validDest := false
+		for _, sp := range registeredPaths {
+			if body.DestinationPath == sp.Path {
+				validDest = true
+				break
+			}
+		}
+		if !validDest {
+			writeJSON(w, http.StatusBadRequest, apiResponse{OK: false, Error: "destination_path must be a registered storage path"})
+			return
+		}
+	}
 
 	// Preserve existing runtime status
 	existing := r.sett.GetCrossDriveConfig(name)
@@ -768,7 +792,12 @@ func trimSegment(path, prefix string) string {
 
 func extractName(path, suffix string) string {
 	s := strings.TrimPrefix(path, "/stacks/")
-	return strings.TrimSuffix(s, suffix)
+	name := strings.TrimSuffix(s, suffix)
+	// C7: Reject path traversal characters — name is used in file paths and Docker commands.
+	if name == "" || name == "." || name == ".." || strings.ContainsAny(name, "/\\") {
+		return ""
+	}
+	return name
 }
 
 func writeJSON(w http.ResponseWriter, status int, v interface{}) {