Harden local secrets and backup restore

2026-06-05 16:23:38 +02:00
parent 01b8128835
commit 1839328dfe
5 changed files with 11 additions and 2 deletions
+4
@@ -12,3 +12,7 @@ dist
build build
data data
instance instance
.cloudron-push.env
.env.local
.env.push.local
nouri.sqlite3
+1
@@ -9,6 +9,7 @@ __pycache__/
data/ data/
instance/ instance/
nouri.sqlite3
.cloudron-push.env .cloudron-push.env
.env.local .env.local
.env.push.local .env.push.local
+5 -1
@@ -77,6 +77,7 @@ def export_backup_archive(
def _extract_uploads_to_temp(archive: zipfile.ZipFile) -> Path: def _extract_uploads_to_temp(archive: zipfile.ZipFile) -> Path:
temp_dir = Path(tempfile.mkdtemp(prefix="nouri-restore-uploads-")) temp_dir = Path(tempfile.mkdtemp(prefix="nouri-restore-uploads-"))
temp_root = temp_dir.resolve()
for member in archive.infolist(): for member in archive.infolist():
if not member.filename.startswith("uploads/") or member.is_dir(): if not member.filename.startswith("uploads/") or member.is_dir():
continue continue
@@ -84,8 +85,11 @@ def _extract_uploads_to_temp(archive: zipfile.ZipFile) -> Path:
if not relative_target: if not relative_target:
continue continue
target_path = temp_dir / relative_target target_path = temp_dir / relative_target
resolved_target = target_path.resolve()
if not resolved_target.is_relative_to(temp_root):
raise ValueError("Das Backup enthält einen ungültigen Upload-Pfad.")
target_path.parent.mkdir(parents=True, exist_ok=True) target_path.parent.mkdir(parents=True, exist_ok=True)
with archive.open(member, "r") as source, target_path.open("wb") as destination: with archive.open(member, "r") as source, resolved_target.open("wb") as destination:
shutil.copyfileobj(source, destination) shutil.copyfileobj(source, destination)
return temp_dir return temp_dir
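Review bot: The new containment check at the `raise ValueError(...)` line leaves the directory created by `tempfile.mkdtemp` behind, together with any uploads already copied into it, because nothing removes `temp_dir` before the exception propagates and the caller never receives the path on the failure branch. Wrapping the extraction loop so the directory is removed on any failure (including an I/O error from `copyfileobj`) closes that gap, and `shutil` is already imported here. `_extract_uploads_to_temp` is split across this hunk and the previous one, and the lines computing `relative_target` fall between them, outside the view. Separately, nothing bounds how much data a member may expand to; if the archive is user-supplied, comparing `member.file_size` against a limit before copying would be a cheap defence, though I cannot tell from here whether the caller already enforces one.
```python
def _extract_uploads_to_temp(archive: zipfile.ZipFile) -> Path:
    temp_dir = Path(tempfile.mkdtemp(prefix="nouri-restore-uploads-"))
    temp_root = temp_dir.resolve()
    try:
        for member in archive.infolist():
            # … unchanged: member filter, relative_target, containment check, copy …
    except Exception:
        # Nothing else can clean this up: the caller only gets temp_dir on success.
        shutil.rmtree(temp_dir, ignore_errors=True)
        raise
    return temp_dir
```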
+1 -1
@@ -1,5 +1,5 @@
Flask==3.1.1 Flask==3.1.1
gunicorn==23.0.0 gunicorn==23.0.0
pywebpush==2.3.0 pywebpush==2.3.0
Pillow==11.2.1; python_version < "3.14" Pillow==12.2.0; python_version < "3.14"
fpdf2==2.8.3 fpdf2==2.8.3