github Skyfay/DBackup v2.6.0

8 hours ago

Security Update, Vault Credential Profiles, OAuth Improvements, and Multiple Bug Fixes

🔒 Security Update: This release fixes a security vulnerability in DBackup's own code (GHSA-cj5h-46h6-72wc). Update as soon as possible.

โš ๏ธ Breaking: OAuth storage destinations (Dropbox, Google Drive, OneDrive) and token-based notification channels (Discord, Slack, Teams, Generic Webhook, Twilio) no longer store secrets inline - they require a Vault credential profile to function. After updating, create a matching OAUTH, WEBHOOK, or TOKEN profile in the Security Vault and assign it to each affected adapter via the edit form. Adapters without an assigned profile will fail connection tests and backup/notification jobs until migrated.

✨ Features

  • credentials: Credential profiles now support WEBHOOK (Discord, Slack, Teams, Generic Webhook), OAUTH (Dropbox, Google Drive, OneDrive), and TOKEN (Twilio) types, allowing notification and storage secrets to be stored in the vault and resolved server-side.
  • OAuth: OAuth authorization flows (Dropbox, Google Drive, OneDrive) now require an assigned credential profile. Tokens are stored in the vault and the credential picker refreshes automatically after authorization.
  • OAuth: Authorization dialogs now open in a popup window instead of redirecting the current page.

🔒 Security

  • SMB: Passwords are now redacted from error messages and logs when SMB connections fail.
  • adapters: All adapter endpoints (list, create, update, clone) now return a safe DTO that strips all sensitive fields and replaces them with a secretStatus map - decrypted secrets are no longer serialized to API responses. Thanks @YHalo-wyh (GHSA-cj5h-46h6-72wc)
  • adapters: Notification webhook URLs and tokens (webhookUrl, botToken, authToken, authHeader, appToken, accessToken) and SSH keys (sshPassword, sshPrivateKey, sshPassphrase) added to SENSITIVE_KEYS and redacted in all DTO and strip operations. Thanks @YHalo-wyh (GHSA-cj5h-46h6-72wc)
  • OAuth: Refresh tokens for Dropbox, Google Drive, and OneDrive are now stored exclusively in credential profiles instead of adapter configs.
  • adapters: Adapter update (PUT) now preserves existing secrets via mergeSecrets - re-saving an adapter form without changing secret fields no longer overwrites stored credentials with empty values.
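The three changes above (a safe DTO with a secretStatus map, preserving stored secrets on PUT, and redacting passwords from failure messages) share one idea: the server keeps a list of sensitive keys and never lets their values cross the API or log boundary. The following is an added TypeScript example written for these notes, not DBackup's own code; the names SENSITIVE_KEYS, stripSecrets, mergeSecrets and getSecretStatus mirror the ones the release mentions, but their signatures, the redactMessage helper, the key spelling smbPassword and the sample adapter config are assumptions.

```typescript
// Added example (not DBackup's own code). Key-based stripping of adapter
// secrets for API responses, merge-on-update that keeps stored secrets when the
// form sends them blank, and value-based redaction for error messages/logs.
// Function names mirror the release notes; signatures here are assumptions.

type AdapterConfig = Record<string, unknown>;

// Keys whose values must never leave the server in an API response. The
// notification and SSH keys follow the release notes; "smbPassword" is an
// assumed spelling for the SMB password field.
export const SENSITIVE_KEYS: ReadonlySet<string> = new Set([
  "smbPassword",
  "webhookUrl", "botToken", "authToken", "authHeader", "appToken", "accessToken",
  "sshPassword", "sshPrivateKey", "sshPassphrase",
]);

function isSensitive(key: string): boolean {
  return SENSITIVE_KEYS.has(key);
}

// Empty string, null and undefined all count as "no value supplied".
function hasValue(v: unknown): boolean {
  return v !== undefined && v !== null && !(typeof v === "string" && v.length === 0);
}

// For every sensitive key present in the config, report whether a value is
// stored without exposing the value itself.
export function getSecretStatus(config: AdapterConfig): Record<string, boolean> {
  const status: Record<string, boolean> = {};
  for (const [key, value] of Object.entries(config)) {
    if (isSensitive(key)) status[key] = hasValue(value);
  }
  return status;
}

// Build the safe DTO: drop every sensitive field and attach a secretStatus map
// so the UI can show "saved - leave blank to keep" without seeing the secret.
export function stripSecrets(config: AdapterConfig): {
  config: AdapterConfig;
  secretStatus: Record<string, boolean>;
} {
  const safe: AdapterConfig = {};
  for (const [key, value] of Object.entries(config)) {
    if (!isSensitive(key)) safe[key] = value;
  }
  return { config: safe, secretStatus: getSecretStatus(config) };
}

// On update (PUT): a blank or missing sensitive field in the incoming form
// keeps the stored secret instead of clearing it; everything else is replaced.
export function mergeSecrets(existing: AdapterConfig, incoming: AdapterConfig): AdapterConfig {
  const merged: AdapterConfig = { ...incoming };
  for (const [key, value] of Object.entries(existing)) {
    if (isSensitive(key) && !hasValue(incoming[key])) merged[key] = value;
  }
  return merged;
}

// Value-based redaction for error messages and logs: any stored secret value
// that appears verbatim in the message (e.g. a mount error echoing the SMB
// password) is replaced. Longest values first so one secret that is a prefix
// of another cannot survive a partial replacement.
export function redactMessage(message: string, config: AdapterConfig): string {
  const secrets = Object.entries(config)
    .filter(([k, v]) => isSensitive(k) && typeof v === "string" && v.length > 0)
    .map(([, v]) => v as string)
    .sort((a, b) => b.length - a.length);
  let out = message;
  for (const s of secrets) out = out.split(s).join("[REDACTED]");
  return out;
}

// Constructed sample adapter config for demonstration; not real credentials.
export const sampleAdapter: AdapterConfig = {
  name: "office-share",
  host: "smb.example.internal",
  share: "backups",
  username: "backup",
  smbPassword: "hunter2-example",
  webhookUrl: "https://hooks.example.invalid/T000/B000/secret-path",
};
```

The important design point is that stripping happens by key on the way out and merging happens by key on the way in, so a round trip through the edit form cannot clobber a stored secret, while the audit test for "no sensitive field in any response" reduces to checking that no key in SENSITIVE_KEYS appears in the returned config.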

🎨 Improvements

  • adapters: Secret fields in the adapter form show a "saved - leave blank to keep" placeholder when a value is already stored.
  • credentials: Credential profile dialog extended to support creating WEBHOOK and OAUTH profile types.
  • encryption: The key resolution dialog now automatically switches to the raw key tab when no vault profiles are available.

🧪 Tests

  • adapters: Added audit tests verifying no sensitive fields are returned by any adapter API endpoint.
  • adapters: Added DTO unit tests verifying that notification secrets (Telegram botToken, Discord webhookUrl) are redacted and secretStatus flags are set correctly.
  • crypto: Added unit tests for stripSecrets, mergeSecrets, and getSecretStatus.

๐Ÿณ Docker

  • Image: skyfay/dbackup:v2.6.0
  • Also tagged as: latest, v2
  • CI Image: skyfay/dbackup:ci
  • Platforms: linux/amd64, linux/arm64
