v0.12.3 — Security & correctness bug fixes (33 bugs)
CRITICAL: 10 data race and security fixes — backup.go mutex coverage (C1-C4), IsSystemDisk 12-bit major/minor (C5), /dev/ path validation (C6), extractName traversal (C7), TargetPath/DestinationPath against registered paths (C8-C9), ParseComposeHDDMounts Clean-before-prefix (C10). HIGH: 17 logic/resource fixes — ValidateDump bufio.Scanner (H1), single appDirSize() with 30s timeout (H2/H3), snapshot ID regex (H4), cross-drive restic prune (H5), temp file order (H6), dirSizeBytes errors (H7), atomic fstab (H8), IsDeviceMounted suffix check (H9), eMMC partition mapping (H10), bytesCopied mutex (H11), separator-aware migrate prefix (H13), DeleteStack error on compose-down (H14), docker 60s timeout (H16), NotificationPrefs deep-copy (H17), wipefs warning (H18), fstab rollback on mount fail (H19). MEDIUM: 7 code quality fixes — formatBytes dedup (M1), .tmp filter order (M2), sizeBytes string type (M3), elapsed in message (M6), LoadLocation fallback (M7), pathCovers separator (M10), cancelEditLabel textContent (M11). Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
@@ -1,6 +1,7 @@
|
||||
package web
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"net/url"
|
||||
@@ -446,7 +447,11 @@ func (s *Server) backupsHandler(w http.ResponseWriter, r *http.Request) {
|
||||
}
|
||||
if cfg.LastRun != "" {
|
||||
if t, err := time.Parse(time.RFC3339, cfg.LastRun); err == nil {
|
||||
loc, _ := time.LoadLocation("Europe/Budapest")
|
||||
// M7: Handle LoadLocation error — fall back to UTC if tzdata missing.
|
||||
loc, err := time.LoadLocation("Europe/Budapest")
|
||||
if err != nil {
|
||||
loc = time.UTC
|
||||
}
|
||||
item.LastRunShort = t.In(loc).Format("01-02 15:04")
|
||||
}
|
||||
}
|
||||
@@ -538,7 +543,11 @@ func (s *Server) buildAppBackupRows(
|
||||
crossConfigs map[string]*settings.CrossDriveBackup,
|
||||
destLabels map[string]string,
|
||||
) []AppBackupRow {
|
||||
loc, _ := time.LoadLocation("Europe/Budapest")
|
||||
// M7: Handle LoadLocation error — fall back to UTC if tzdata missing.
|
||||
loc, err := time.LoadLocation("Europe/Budapest")
|
||||
if err != nil {
|
||||
loc = time.UTC
|
||||
}
|
||||
|
||||
// Build a quick lookup: which stacks have a DB dump?
|
||||
dbStacks := make(map[string]bool)
|
||||
@@ -1243,8 +1252,10 @@ func (s *Server) syncFileBrowserMounts() {
|
||||
return
|
||||
}
|
||||
|
||||
// Recreate container
|
||||
cmd := exec.Command("docker", "compose", "up", "-d", "--remove-orphans")
|
||||
// Recreate container — H16: use 60s timeout to prevent hanging indefinitely.
|
||||
ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
|
||||
defer cancel()
|
||||
cmd := exec.CommandContext(ctx, "docker", "compose", "up", "-d", "--remove-orphans")
|
||||
cmd.Dir = filepath.Dir(composePath)
|
||||
if out, err := cmd.CombinedOutput(); err != nil {
|
||||
s.logger.Printf("[ERROR] Failed to recreate FileBrowser: %s — %v", string(out), err)
|
||||
|
||||
@@ -409,6 +409,20 @@ func (s *Server) storageMigrateAPIHandler(w http.ResponseWriter, r *http.Request
|
||||
return
|
||||
}
|
||||
|
||||
// C8: Validate TargetPath against registered storage paths to prevent path traversal.
|
||||
registeredPaths := s.settings.GetStoragePaths()
|
||||
validTarget := false
|
||||
for _, sp := range registeredPaths {
|
||||
if req.TargetPath == sp.Path {
|
||||
validTarget = true
|
||||
break
|
||||
}
|
||||
}
|
||||
if !validTarget {
|
||||
jsonError(w, "Érvénytelen célútvonal: nem regisztrált adattároló", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
mounts := stacks.ParseComposeHDDMounts(stack.ComposePath, currentHDDPath)
|
||||
if len(mounts) == 0 {
|
||||
jsonError(w, "Az alkalmazáshoz nem találhatók HDD csatlakozások", http.StatusBadRequest)
|
||||
|
||||
@@ -291,8 +291,20 @@ function editStorageLabel(path, currentLabel) {
|
||||
function cancelEditLabel(path, label) {
|
||||
var wrap = document.getElementById('label-wrap-' + path);
|
||||
if (!wrap) return;
|
||||
wrap.innerHTML = '<span class="storage-path-label" id="label-display-' + path + '">' + label + '</span>' +
|
||||
' <button class="btn btn-xs btn-ghost" onclick="editStorageLabel(\'' + path + '\', \'' + label.replace(/'/g, "\\'") + '\')" title="Átnevezés">✏️</button>';
|
||||
// M11: Use DOM manipulation with textContent to prevent XSS if label contains HTML.
|
||||
wrap.innerHTML = '';
|
||||
var span = document.createElement('span');
|
||||
span.className = 'storage-path-label';
|
||||
span.id = 'label-display-' + path;
|
||||
span.textContent = label;
|
||||
var btn = document.createElement('button');
|
||||
btn.className = 'btn btn-xs btn-ghost';
|
||||
btn.setAttribute('title', 'Átnevezés');
|
||||
btn.textContent = '✏️';
|
||||
btn.addEventListener('click', function() { editStorageLabel(path, label); });
|
||||
wrap.appendChild(span);
|
||||
wrap.appendChild(document.createTextNode(' '));
|
||||
wrap.appendChild(btn);
|
||||
}
|
||||
</script>
|
||||
{{template "layout_end" .}}
|
||||
|
||||
Reference in New Issue
Block a user