Commit Graph

33 Commits

Author SHA1 Message Date
kolaente bbe1a2bbd0 refactor(utils): extract ContainsPathTraversal to shared utils package 2026-02-25 13:01:00 +01:00
kolaente c2cf5ba1c5 fix(restore): validate migration data before wiping database
Move archive validation (migration file existence and slice bounds
check) before the database wipe. Previously a malformed archive
would first destroy the database and then panic, leaving the
instance in an irrecoverable state with total data loss.

Now the migration data is fully parsed and validated before any
destructive operations occur.
2026-02-25 13:01:00 +01:00
kolaente 3c0ea7099e fix(restore): validate database file names in zip archive
Check that database entries in the zip have a .json suffix and a
non-empty base name before slicing the extension off. This prevents
a panic from index-out-of-range when the filename is too short.
Also use TrimPrefix instead of ReplaceAll for correctness.
2026-02-25 13:01:00 +01:00
kolaente 7971500467 fix(restore): sanitize config file path to prevent zip slip
Use filepath.Base() on the config file name from the zip archive
before passing it to os.OpenFile, ensuring the config file is
always written to the current directory regardless of what path
the zip entry claims to have.
2026-02-25 13:01:00 +01:00
kolaente 12dca5f0b0 fix(restore): reject zip entries with path traversal sequences
Validate all zip entry names during restore to reject entries
containing directory traversal sequences (e.g. ../../../pwned.txt).
This prevents a Zip Slip attack where a malicious archive could
write files outside the intended extraction directory.
2026-02-25 13:01:00 +01:00
kolaente ea78e87147 fix(dump): limit copy size to prevent decompression bombs
Use io.CopyN with a max size limit when extracting files from zip
archives during restore to prevent potential DoS via decompression bombs.
2026-02-08 15:31:25 +01:00
kolaente ab705d7d21 fix(dump): stream files during restore to avoid memory pressure
Use a temporary file instead of io.ReadAll when restoring attachments
from a dump. This prevents loading entire files into memory, which could
cause OOM errors for large attachments during restore.
2026-02-08 15:31:25 +01:00
kolaente dbd74491c4 fix(files): update all callers to provide seekable readers for S3 uploads
Update all code paths that pass file content to the storage layer to
provide io.ReadSeeker instead of io.Reader:

- Avatar upload: use bytes.NewReader instead of bytes.Buffer
- Background upload handler: use bytes.NewReader instead of bytes.Buffer
- Unsplash background: buffer response body into bytes.NewReader
- Dump restore: buffer zip entry into bytes.NewReader
- Migration structure: pass bytes.NewReader directly instead of wrapping
  in io.NopCloser
- Task attachment: change NewAttachment parameter from io.ReadCloser to
  io.ReadSeeker
2026-02-08 15:31:25 +01:00
kolaente 0a78f7608a
feat: add --preserve-config flag to restore command (#1939)
Add a new `--preserve-config` flag to the restore command that allows
users to restore database and files from a dump while keeping their
existing configuration file untouched.
2025-12-07 21:44:45 +00:00
Weijie Zhao bc1368abcc
feat: add S3 file storage support (#1688) 2025-11-06 08:37:04 +01:00
Tobias a31255707e
fix "null" in project views (#1158)
Co-authored-by: kolaente <k@knt.li>
2025-07-22 17:43:04 +00:00
Tobias ecc95e9139
fix: panic on restoring with numeric position fields (#1089)
Co-authored-by: kolaente <k@knt.li>
2025-07-15 15:44:21 +00:00
Dominik Pschenitschni 296577a875
fix: correct license header references (#882)
See originals:
- https://www.gnu.org/licenses/agpl-3.0.txt
- https://www.gnu.org/licenses/gpl-3.0.txt
2025-06-10 12:18:38 +02:00
kolaente 017fa1b5af
fix(restore): restore encoded float values properly
Resolves https://kolaente.dev/vikunja/vikunja/issues/2934
2025-01-09 15:42:12 +01:00
kolaente 7e66f3ec6b
fix(restore): make sure all json columns are properly restored 2025-01-09 15:40:22 +01:00
kolaente 0962aa4262
fix(restore): transform json fields during restore
Resolves https://community.vikunja.io/t/unable-to-restore-after-dump-and-export-also-not-working/2263/5
2024-04-21 13:45:49 +02:00
kolaente 162741e940
fix: lint 2024-02-13 22:24:46 +01:00
kolaente 2facbae0d7
fix(dump): only allow imports from the same version they were dumped on
Previously, Vikunja would allow imports from any version which then caused problems since the table structure might have changed between releases. This change now checks if the current version is the same as the one the dump was created on.
2024-02-13 21:25:31 +01:00
kolaente e518fb1191
chore: remove year from copyright headers
Resolves https://kolaente.dev/vikunja/api/pulls/1483
2023-09-01 08:32:28 +02:00
kolaente 8c67be558f
fix: restore notifications table from dump when it already had the correct format 2022-12-01 17:33:00 +01:00
kolaente 6e15d46a93
fix(restore): use the correct initial migration
Related to https://kolaente.dev/vikunja/api/issues/1199
2022-07-13 23:44:21 +02:00
kolaente 596d2bf676
fix(restore): properly decode notifications json data
Related to https://kolaente.dev/vikunja/api/issues/1199
2022-07-13 23:43:20 +02:00
kolaente 5cf263a86f
feat: upgrade golangci-lint to 1.45.2 2022-03-27 16:55:37 +02:00
kolaente 8bf2254f4b
fix: restoring dumps with no config file saved in them 2022-02-19 17:46:10 +01:00
kolaente 8cb92b3924
fix(dump): don't try to save a config file if none was provided and dump vikunja env variables 2022-02-19 11:32:30 +01:00
konrad 90146aea5b User Data Export and import (#967)
Co-authored-by: kolaente <k@knt.li>
Reviewed-on: https://kolaente.dev/vikunja/api/pulls/967
Co-authored-by: konrad <k@knt.li>
Co-committed-by: konrad <k@knt.li>
2021-09-04 19:26:31 +00:00
kolaente c4a71016b8
Update copyright year 2021-02-02 20:19:13 +01:00
kolaente 9baf6d39bd
Change license to AGPLv3 2020-12-23 16:41:52 +01:00
konrad 699d3d6060 Add Golangci Lint (#676)
Increase golangci timeout

Fix installing golangci-lint in ci

Remove mage targets replaced by golangci

Run golint in ci

Add goheader linter

Enable & fix more linters

Fix lint issues

Add mage target to automagically fix issues found by golangci

golangci-lint run --fix

Add golangci config

Add golangci mage target

Co-authored-by: kolaente <k@knt.li>
Reviewed-on: https://kolaente.dev/vikunja/api/pulls/676
Co-Authored-By: konrad <konrad@kola-entertainments.de>
Co-Committed-By: konrad <konrad@kola-entertainments.de>
2020-10-11 20:10:03 +00:00
konrad e4f150bbe3 Restore command (#593)
Add waiting for changes to config file

Add max size for config files

Restore files

Restore database file

Expose migrate to

Move init stuff to separate package

Add restoring config file

Co-authored-by: kolaente <k@knt.li>
Reviewed-on: https://kolaente.dev/vikunja/api/pulls/593
2020-06-21 15:30:48 +00:00
kolaente db0126968a
Improve memory usage of dump by not loading all files in memory prior to adding them to the zip 2020-06-20 11:48:45 +02:00
kolaente c12bac0c96
Return errors when dumping 2020-06-20 11:37:51 +02:00
konrad fba333866d Add dump command (#592)
Fix files location in dump

Fix gitignore

Add docs

Add dumps to gitignore

Move dump to separate package

logging

Dump files

Dump version

Dump database

Dump config

Co-authored-by: kolaente <k@knt.li>
Reviewed-on: https://kolaente.dev/vikunja/api/pulls/592
2020-06-19 21:29:02 +00:00