v0.12.3 — Security & correctness bug fixes (33 bugs)

CRITICAL: 10 data race and security fixes — backup.go mutex coverage
(C1-C4), IsSystemDisk 12-bit major/minor (C5), /dev/ path validation
(C6), extractName traversal (C7), TargetPath/DestinationPath against
registered paths (C8-C9), ParseComposeHDDMounts Clean-before-prefix (C10).

HIGH: 17 logic/resource fixes — ValidateDump bufio.Scanner (H1), single
appDirSize() with 30s timeout (H2/H3), snapshot ID regex (H4), cross-drive
restic prune (H5), temp file order (H6), dirSizeBytes errors (H7), atomic
fstab (H8), IsDeviceMounted suffix check (H9), eMMC partition mapping (H10),
bytesCopied mutex (H11), separator-aware migrate prefix (H13), DeleteStack
error on compose-down (H14), docker 60s timeout (H16), NotificationPrefs
deep-copy (H17), wipefs warning (H18), fstab rollback on mount fail (H19).

MEDIUM: 7 code quality fixes — formatBytes dedup (M1), .tmp filter order
(M2), sizeBytes string type (M3), elapsed in message (M6), LoadLocation
fallback (M7), pathCovers separator (M10), cancelEditLabel textContent (M11).

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

controller/internal/storage/format_linux.go

@@ -36,6 +36,13 @@ func FormatAndMount(req FormatRequest, progress chan<- FormatProgress) (string,
 	if err := ValidateMountName(req.MountName); err != nil {
 		return "", fail("validating", "Érvénytelen csatlakoztatási név", err)
 	}
+	// C6: Validate DevicePath to prevent path traversal from user-supplied input.
+	if !strings.HasPrefix(req.DevicePath, "/dev/") {
+		return "", fail("validating", "Érvénytelen eszközútvonal: /dev/-vel kell kezdődnie", fmt.Errorf("invalid device path: must start with /dev/"))
+	}
+	if strings.Contains(req.DevicePath, "..") {
+		return "", fail("validating", "Érvénytelen eszközútvonal: nem tartalmazhat ..-t", fmt.Errorf("invalid device path: must not contain .."))
+	}
 	if _, err := os.Stat(HostDevicePath(req.DevicePath)); err != nil {
 		return "", fail("validating", "Az eszköz nem létezik: "+req.DevicePath, err)
 	}
@@ -70,8 +77,12 @@ func FormatAndMount(req FormatRequest, progress chan<- FormatProgress) (string,
 	partDev := req.DevicePath
 	if req.CreatePartition {
 		// Wipe existing partition table and filesystem signatures first
+		// H18: Log wipefs errors instead of silently discarding them.
 		send("partitioning", fmt.Sprintf("wipefs -a %s ...", HostDevicePath(req.DevicePath)), 12)
-		_ = exec.Command("wipefs", "-a", HostDevicePath(req.DevicePath)).Run()
+		if err := exec.Command("wipefs", "-a", HostDevicePath(req.DevicePath)).Run(); err != nil {
+			// Non-fatal: some systems don't have wipefs; continue anyway
+			send("partitioning", fmt.Sprintf("[WARN] wipefs sikertelen %s: %v (folytatás)", req.DevicePath, err), 13)
+		}
 		time.Sleep(500 * time.Millisecond)
 
 		// Create GPT with single partition spanning whole disk.
@@ -146,12 +157,16 @@ func FormatAndMount(req FormatRequest, progress chan<- FormatProgress) (string,
 	send("mounting", fmt.Sprintf("mount -t ext4 %s %s ...", HostDevicePath(partDev), mountPath), 70)
 	if out, err := exec.Command("mount", "-t", "ext4", "-o", "defaults,noatime",
 		HostDevicePath(partDev), mountPath).CombinedOutput(); err != nil {
+		// H19: Roll back fstab entry to prevent orphaned entry that hangs system on reboot.
+		_ = RemoveFstabEntry(FstabPath, uuid)
 		return "", fail("mounting", "Csatlakoztatás sikertelen: "+string(out), err)
 	}
 
 	// Verify mount actually worked (don't just trust exit code)
 	verifyOut, verifyErr := exec.Command("findmnt", "-n", "-o", "SOURCE", "--target", mountPath).Output()
 	if verifyErr != nil || strings.TrimSpace(string(verifyOut)) == "" {
+		// H19: Also roll back fstab if mount verify fails.
+		_ = RemoveFstabEntry(FstabPath, uuid)
 		return "", fail("mounting", "A csatlakoztatás nem ellenőrizhető: mount sikerült, de a meghajtó nem látható",
 			fmt.Errorf("mount point %s not found after mount", mountPath))
 	}

controller/internal/storage/migrate.go

@@ -124,8 +124,9 @@ func MigrateAppData(
 	// --- Step 3: rsync ---
 	var bytesCopied int64
 	for i, srcPath := range req.HDDMounts {
-		// Determine destination path: replace CurrentHDDPath prefix with TargetPath
-		if !strings.HasPrefix(srcPath, req.CurrentHDDPath) {
+		// Determine destination path: replace CurrentHDDPath prefix with TargetPath.
+		// H13: Require trailing separator to prevent /mnt/hdd matching /mnt/hdd_backup/data.
+		if srcPath != req.CurrentHDDPath && !strings.HasPrefix(srcPath, req.CurrentHDDPath+"/") {
 			continue
 		}
 		relPath := strings.TrimPrefix(srcPath, req.CurrentHDDPath)
@@ -173,11 +174,10 @@ func MigrateAppData(
 		return fail("starting", "Alkalmazás indítása sikertelen az új tárolóról", err)
 	}
 
-	elapsed := int(time.Since(start).Seconds())
 	send("done",
-		fmt.Sprintf("Áthelyezés kész! Az alkalmazás az új tárolóról fut. (Régi adat: %s)", req.CurrentHDDPath),
+		fmt.Sprintf("Áthelyezés kész! Az alkalmazás az új tárolóról fut. (Régi adat: %s, idő: %ds)",
+			req.CurrentHDDPath, int(time.Since(start).Seconds())),
 		100, bytesCopied, totalBytes)
-	_ = elapsed
 
 	return nil
 }
@@ -240,7 +240,11 @@ func runRsync(srcPath, dstPath string, totalBytes, prevCopied int64, basePct int
 	io.Copy(&stderrBuf, stderr)
 
 	if err := cmd.Wait(); err != nil {
-		return bytesCopied, fmt.Errorf("rsync failed: %w — %s", err, stderrBuf.String())
+		// H11: Read bytesCopied under lock to avoid data race with the progress goroutine.
+		mu.Lock()
+		copied := bytesCopied
+		mu.Unlock()
+		return copied, fmt.Errorf("rsync failed: %w — %s", err, stderrBuf.String())
 	}
 
 	mu.Lock()

controller/internal/storage/safety_linux.go

@@ -9,6 +9,8 @@ import (
 	"strings"
 	"syscall"
 	"time"
+
+	"golang.org/x/sys/unix"
 )
 
 // IsSystemDisk checks if the given device path overlaps with the root filesystem device.
@@ -26,14 +28,22 @@ func IsSystemDisk(devicePath string) (bool, error) {
 		return false, fmt.Errorf("cannot stat %s: %w", devicePath, err)
 	}
 
-	// Compare major device numbers
-	rootMajor := rootStat.Dev >> 8 & 0xff
-	devMajor := devStat.Rdev >> 8 & 0xff
-	if rootMajor == devMajor {
-		return true, nil
-	}
+	// C5: Use unix.Major/Minor for correct 12-bit extraction (old 0xff mask truncated high bits).
+	// Also compare the disk portion of the minor to distinguish separate physical disks of the
+	// same type (e.g., sda and sdb both have major 8, but different disk-minor groups of 16).
+	rootMajor := unix.Major(rootStat.Dev)
+	rootMinor := unix.Minor(rootStat.Dev)
+	devMajor := unix.Major(devStat.Rdev)
+	devMinor := unix.Minor(devStat.Rdev)
 
-	return false, nil
+	if rootMajor != devMajor {
+		return false, nil
+	}
+	// Same major — compare disk groups (each disk gets 16 minor numbers on SCSI/SATA,
+	// e.g., sda=0-15, sdb=16-31; NVMe uses similar grouping).
+	rootDiskGroup := rootMinor / 16
+	devDiskGroup := devMinor / 16
+	return rootDiskGroup == devDiskGroup, nil
 }
 
 // IsDeviceMounted checks if a device or any of its partitions is currently mounted.
@@ -51,9 +61,17 @@ func IsDeviceMounted(devicePath string) (bool, error) {
 		}
 		dev := fields[0]
 		devBase := filepath.Base(dev)
-		if devBase == base || strings.HasPrefix(devBase, base) {
+		// H9: Require exact match or that the suffix after base is a digit or 'p' (partition marker).
+		// Prevents /dev/sdb matching /dev/sdba (hypothetical device) or /dev/sdb_backup (bind).
+		if devBase == base {
 			return true, nil
 		}
+		if strings.HasPrefix(devBase, base) {
+			next := devBase[len(base)]
+			if next >= '0' && next <= '9' || next == 'p' {
+				return true, nil
+			}
+		}
 	}
 	return false, nil
 }
@@ -87,16 +105,53 @@ func BackupFstab(fstabPath string) error {
 	return os.WriteFile(backupPath, data, 0644)
 }
 
-// AppendFstabEntry appends a UUID-based fstab entry.
+// AppendFstabEntry appends a UUID-based fstab entry atomically (write tmp + rename).
+// H8: Direct write to /etc/fstab risks corruption on crash — use atomic write pattern.
 func AppendFstabEntry(fstabPath, uuid, mountPoint, fsType, options string) error {
-	entry := fmt.Sprintf("\nUUID=%s\t%s\t%s\t%s\t0 2\n", uuid, mountPoint, fsType, options)
-	f, err := os.OpenFile(fstabPath, os.O_APPEND|os.O_WRONLY, 0644)
-	if err != nil {
-		return fmt.Errorf("cannot open fstab for writing: %w", err)
+	// Read existing content
+	existing, err := os.ReadFile(fstabPath)
+	if err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("cannot read fstab: %w", err)
 	}
-	defer f.Close()
-	if _, err := f.WriteString(entry); err != nil {
-		return fmt.Errorf("cannot write fstab entry: %w", err)
+
+	entry := fmt.Sprintf("\nUUID=%s\t%s\t%s\t%s\t0 2\n", uuid, mountPoint, fsType, options)
+	newContent := append(existing, []byte(entry)...)
+
+	// Write to .tmp then rename — atomic on same filesystem
+	tmpPath := fstabPath + ".tmp"
+	if err := os.WriteFile(tmpPath, newContent, 0644); err != nil {
+		return fmt.Errorf("cannot write fstab tmp file: %w", err)
+	}
+	if err := os.Rename(tmpPath, fstabPath); err != nil {
+		os.Remove(tmpPath)
+		return fmt.Errorf("cannot rename fstab tmp file: %w", err)
+	}
+	return nil
+}
+
+// RemoveFstabEntry removes any line containing the given UUID from fstab, atomically.
+// H19: Called as rollback if mount fails after fstab was written.
+func RemoveFstabEntry(fstabPath, uuid string) error {
+	data, err := os.ReadFile(fstabPath)
+	if err != nil {
+		return fmt.Errorf("cannot read fstab: %w", err)
+	}
+
+	var kept []string
+	for _, line := range strings.Split(string(data), "\n") {
+		if !strings.Contains(line, "UUID="+uuid) {
+			kept = append(kept, line)
+		}
+	}
+	newContent := strings.Join(kept, "\n")
+
+	tmpPath := fstabPath + ".tmp"
+	if err := os.WriteFile(tmpPath, []byte(newContent), 0644); err != nil {
+		return fmt.Errorf("cannot write fstab tmp file: %w", err)
+	}
+	if err := os.Rename(tmpPath, fstabPath); err != nil {
+		os.Remove(tmpPath)
+		return fmt.Errorf("cannot rename fstab tmp file: %w", err)
 	}
 	return nil
 }

controller/internal/storage/scan_linux.go

@@ -34,6 +34,10 @@ func (d *lsblkDevice) sizeBytes() int64 {
 	switch v := d.Size.(type) {
 	case float64:
 		return int64(v)
+	case string:
+		// M3: lsblk can return size as a string on some kernel versions.
+		n, _ := strconv.ParseUint(v, 10, 64)
+		return int64(n)
 	}
 	return 0
 }
@@ -157,18 +161,29 @@ func getSystemDiskNames() map[string]bool {
 }
 
 // partitionToParentDisk extracts the parent disk name from a partition device path.
-// "/dev/sda2" → "sda", "/dev/nvme0n1p2" → "nvme0n1"
+// "/dev/sda2" → "sda", "/dev/nvme0n1p2" → "nvme0n1", "/dev/mmcblk0p1" → "mmcblk0"
 func partitionToParentDisk(devPath string) string {
 	name := filepath.Base(devPath)
 
-	// NVMe: nvme0n1p2 → nvme0n1
-	if strings.Contains(name, "nvme") {
-		if idx := strings.LastIndex(name, "p"); idx > 0 {
-			if _, err := strconv.Atoi(name[idx+1:]); err == nil {
-				return name[:idx]
+	// H10: Handle mmcblk0p1 and nvme0n1p1 patterns where 'p' separates disk# from partition#.
+	// The prefix before 'p' must end with a digit (e.g., mmcblk0, nvme0n1) to be a disk number.
+	if idx := strings.LastIndex(name, "p"); idx > 0 {
+		prefix := name[:idx]
+		suffix := name[idx+1:]
+		if len(suffix) > 0 && suffix[0] >= '0' && suffix[0] <= '9' &&
+			len(prefix) > 0 && prefix[len(prefix)-1] >= '0' && prefix[len(prefix)-1] <= '9' {
+			// Verify suffix is all digits (partition number, not part of device name)
+			allDigits := true
+			for _, c := range suffix {
+				if c < '0' || c > '9' {
+					allDigits = false
+					break
+				}
+			}
+			if allDigits {
+				return prefix // e.g., mmcblk0, nvme0n1
 			}
 		}
-		return name
 	}
 
 	// Standard: sda2 → sda, sdb1 → sdb