kolaente
33389bb0b3
test(migration): regression test for forged attachment size
...
Builds an in-memory export zip with a 2 MB payload and a data.json
that claims size: 0, then asserts neither the honest 2 MB row nor
the forged 0-size row ends up in the files table. Covers
GHSA-qh78-rvg3-cv54.
2026-04-09 16:22:56 +00:00
kolaente
abfbcb4cf3
fix(migration): bound per-entry zip cap by configured files.maxsize
...
The hard-coded 500 MB per-entry cap meant operators who set a tighter
files.maxsize could not actually enforce it on imports. Derive the cap
from files.maxsize with a floor so data.json / filters.json / VERSION
entries can still be read when the configured limit is tiny.
Clamp the uint64->int64 conversion and the LimitReader cap so absurd
configuration values do not overflow into MinInt64 and cause
io.LimitReader to treat every entry as EOF.
2026-04-09 16:22:56 +00:00
kolaente
39da47e435
fix: detect and fail on oversized zip entries instead of silent truncation
...
Replace io.LimitReader with a new readZipEntry helper that reads one extra
byte to detect when content exceeds maxZipEntrySize (500MB). This prevents
silent data corruption where partial file bytes would be stored as if the
upload succeeded.
The import now fails with ErrFileTooLarge instead of accepting truncated
content for attachments and background blobs.
2026-02-25 13:01:00 +01:00
kolaente
9d19a04550
fix(migration): use checked type assertion for background file id
2026-02-25 13:01:00 +01:00
kolaente
fc5ab844de
fix(migration): limit zip entry read size to prevent decompression bombs
2026-02-25 13:01:00 +01:00
kolaente
6815cdbda4
fix(migration): reject zip entries with path traversal in vikunja-file import
2026-02-25 13:01:00 +01:00
John Starich
591a646f84
refactor: remove environment variable requirements for go test
2026-02-17 18:01:05 +01:00
kolaente
ca83ad1f98
feat: move to slog for logging
2025-07-21 18:15:39 +02:00
Dominik Pschenitschni
296577a875
fix: correct license header references (#882)
...
See originals:
- https://www.gnu.org/licenses/agpl-3.0.txt
- https://www.gnu.org/licenses/gpl-3.0.txt
2025-06-10 12:18:38 +02:00
kolaente
d522d40773
fix(migration): do not fail when an attachment is too large
...
Resolves https://vikunja.sentry.io/issues/6389417364/events/d79bdea146b54a9dace8c81e3f787975/
2025-03-21 18:03:27 +01:00
kolaente
3d5d17336e
fix(migration): return proper error when uploaded file is not a zip file
...
Resolves https://vikunja.sentry.io/share/issue/73a7b6f60b3e446e949d072016f31c22/
2025-01-09 14:32:24 +01:00
kolaente
ebfd5f54d2
fix(migration): ensure project background gets exported and imported
2024-08-12 17:18:07 +02:00
kolaente
ec6e3e99e0
chore: check if import zip contains a VERSION file
2024-01-14 22:21:55 +01:00
kolaente
c05f51b923
chore(deps): update golangci-lint rules
2023-12-19 13:34:31 +01:00
kolaente
b2f3a23cb3
fix(import): correctly set child project relations
2023-09-07 10:45:15 +02:00
kolaente
ce3a06f03b
fix(import): don't fail when importing from dev exports
2023-09-07 10:11:59 +02:00
kolaente
e518fb1191
chore: remove year from copyright headers
...
Resolves https://kolaente.dev/vikunja/api/pulls/1483
2023-09-01 08:32:28 +02:00
kolaente
4b55e2ce03
fix(migration): make file migration work with new structure
2023-05-24 15:51:56 +02:00
kolaente
afe756e4c1
fix(tests): make the tests compile again
2023-05-24 15:51:55 +02:00
kolaente
386e218b95
feat(migration): use new structure for migration
2023-05-24 15:51:54 +02:00
Dominik Pschenitschni
8edbca39cf
fix: accept for migrations
2023-04-03 05:20:18 +00:00
kolaente
823c817b1f
fix(import): don't try to load a nonexistent attachment file
2023-03-26 15:42:25 +02:00
kolaente
fb818ea186
fix: test import
2023-03-13 14:28:06 +01:00
kolaente
349e6a5905
feat: rename lists to projects
2023-03-13 14:28:06 +01:00
kolaente
5cf263a86f
feat: upgrade golangci-lint to 1.45.2
2022-03-27 16:55:37 +02:00
konrad
90146aea5b
User Data Export and import (#967)
...
Co-authored-by: kolaente <k@knt.li>
Reviewed-on: https://kolaente.dev/vikunja/api/pulls/967
Co-authored-by: konrad <k@knt.li>
Co-committed-by: konrad <k@knt.li>
2021-09-04 19:26:31 +00:00