github Skyfay/DBackup v1.4.2
on GitHub

latest releases: v1.4.7, v1.4.6, v1.4.5...
one month ago

Security Fixes

๐Ÿ”’ Security

  • OneDrive: Fixed polynomial ReDoS vulnerability (CWE-1333) in folder path sanitization by replacing regex with iterative string trimming
  • CI/CD: Added explicit permissions: contents: read to sync-gitlab.yml and validate.yml workflows to restrict default GITHUB_TOKEN privileges (CWE-275)
  • Google Drive: Fixed incomplete string escaping in query builder - backslashes are now escaped before single quotes to prevent query injection (CWE-20, CWE-116)
  • API Keys: Upgraded hash from SHA-256 to scrypt (N=16384, r=8, p=1) with automatic migration for existing keys (CWE-916)
  • Filesystem API: Expanded blocked-prefix list for sensitive system paths - now covers Linux (/proc, /sys, /dev), macOS (/System, /Library/Keychains), and Windows WSL paths with dedicated sanitizePath() validation (CWE-22)
  • TAR Extraction: Added Zip Slip protection in multi-DB TAR extraction using path.basename() validation (CWE-22)
  • MSSQL Restore: Added Zip Slip protection in MSSQL TAR extraction using path.basename() validation (CWE-22)
  • TLS Server: Removed environment-derived path from log output to prevent clear-text logging of sensitive directory info (CWE-532)

๐Ÿงช Tests

  • Lint Guards: Fixed incomplete regex escaping in glob-to-regex conversion for no-console and no-config-any test helpers (CWE-116)
  • API Keys: Added unit tests for scrypt hashing, deterministic hash output, SHA-256 legacy migration path, and scrypt-is-not-SHA-256 verification

๐Ÿณ Docker

  • Image: skyfay/dbackup:v1.4.2
  • Also tagged as: latest, v1
  • Platforms: linux/amd64, linux/arm64
Check out latest releases or
releases around Skyfay/DBackup v1.4.2

Don't miss a new DBackup release

NewReleases is sending notifications on new releases.

Get notifications