UUXO/dbbackup
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 28 Wiki Activity
Files
a0e7fd71de3fd53868ac7f0a6f37a4db7d77601a
dbbackup/internal/security/checksum.go
Renz a0e7fd71de security: Implement HIGH priority security improvements 
HIGH Priority Security Features:
- Path sanitization with filepath.Clean() for all user paths
- Path traversal attack prevention in backup/restore operations
- Secure config file permissions (0600 instead of 0644)
- SHA-256 checksum generation for all backup archives
- Checksum verification during restore operations
- Comprehensive audit logging for compliance

New Security Module (internal/security/):
- paths.go: ValidateBackupPath() and ValidateArchivePath()
- checksum.go: ChecksumFile(), VerifyChecksum(), LoadAndVerifyChecksum()
- audit.go: AuditLogger with structured event tracking

Integration Points:
- Backup engine: Path validation, checksum generation
- Restore engine: Path validation, checksum verification
- All backup/restore operations: Audit logging
- Configuration saves: Audit logging

Security Enhancements:
- .dbbackup.conf now created with 0600 permissions (owner-only)
- All archive files get .sha256 checksum files
- Restore warns if checksum verification fails but continues
- Audit events logged for all administrative operations
- User tracking via $USER/$USERNAME environment variables

Compliance Features:
- Audit trail for backups, restores, config changes
- Structured logging with timestamps, users, actions, results
- Event details include paths, sizes, durations, errors

Testing:
- All code compiles successfully
- Cross-platform build verified
- Ready for integration testing
2025-11-25 12:03:21 +00:00

92 lines
2.2 KiB
Go
Raw Blame History

package security
import (
"crypto/sha256"
"encoding/hex"
"fmt"
"io"
"os"
)
// ChecksumFile calculates SHA-256 checksum of a file
func ChecksumFile(path string) (string, error) {
file, err := os.Open(path)
if err != nil {
return "", fmt.Errorf("failed to open file: %w", err)
}
defer file.Close()
hash := sha256.New()
if _, err := io.Copy(hash, file); err != nil {
return "", fmt.Errorf("failed to calculate checksum: %w", err)
}
return hex.EncodeToString(hash.Sum(nil)), nil
}
// VerifyChecksum verifies a file's checksum against expected value
func VerifyChecksum(path string, expectedChecksum string) error {
actualChecksum, err := ChecksumFile(path)
if err != nil {
return err
}
if actualChecksum != expectedChecksum {
return fmt.Errorf("checksum mismatch: expected %s, got %s", expectedChecksum, actualChecksum)
}
return nil
}
// SaveChecksum saves checksum to a .sha256 file alongside the archive
func SaveChecksum(archivePath string, checksum string) error {
checksumPath := archivePath + ".sha256"
content := fmt.Sprintf("%s %s\n", checksum, archivePath)
if err := os.WriteFile(checksumPath, []byte(content), 0644); err != nil {
return fmt.Errorf("failed to save checksum: %w", err)
}
return nil
}
// LoadChecksum loads checksum from a .sha256 file
func LoadChecksum(archivePath string) (string, error) {
checksumPath := archivePath + ".sha256"
data, err := os.ReadFile(checksumPath)
if err != nil {
return "", fmt.Errorf("failed to read checksum file: %w", err)
}
// Parse "checksum filename" format
parts := []byte{}
for i, b := range data {
if b == ' ' {
parts = data[:i]
break
}
}
if len(parts) == 0 {
return "", fmt.Errorf("invalid checksum file format")
}
return string(parts), nil
}
// LoadAndVerifyChecksum loads checksum from .sha256 file and verifies the archive
// Returns nil if checksum file doesn't exist (optional verification)
// Returns error if checksum file exists but verification fails
func LoadAndVerifyChecksum(archivePath string) error {
expectedChecksum, err := LoadChecksum(archivePath)
if err != nil {
if os.IsNotExist(err) {
return nil // Checksum file doesn't exist, skip verification
}
return err
}
return VerifyChecksum(archivePath, expectedChecksum)
}
Reference in New Issue View Git Blame Copy Permalink