fix: security fixes / tests / README

Author: cschweda

.github/workflows/ci.yml

@@ -0,0 +1,34 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    name: Test on ${{ matrix.os }}
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Ensure scripts are executable
+        run: |
+          find . -type f -name "*.sh" -exec chmod +x {} \;
+
+      - name: Syntax check shell scripts
+        run: |
+          set -e
+          while IFS= read -r script; do
+            bash -n "$script"
+          done < <(find . -type f -name "*.sh")
+
+      - name: Run full test suite
+        run: ./run-tests.sh

README.md

@@ -1,5 +1,8 @@
 # WebDev Backup Tool
 
+<!-- Optional CI badge (replace USER/REPO with your GitHub org/repo) -->
+[![CI](https://github.com/USER/REPO/actions/workflows/ci.yml/badge.svg)](https://github.com/USER/REPO/actions/workflows/ci.yml)
+
 <p align="center">
   <img src="assets/og-image.png" alt="WebDev Backup Tool" width="1200" />
 </p>
@@ -34,7 +37,7 @@ You can also run `./setup-alias.sh` from the repo to add the alias for you.
 
 ## Features
 
-- **Backup**: Multi-directory, full/incremental/differential, quick backup (default from menu), compression (gzip/pigz), excludes `node_modules`. Each `.tar.gz` is self-contained: extracting creates a single top-level folder with everything inside. Quick backup shows live per-folder progress (same dashboard as interactive).
+- **Backup**: Multi-directory, full/incremental/differential, quick backup (default from menu), compression (gzip/pigz). **`node_modules` is never included** in backups to save space; you can rebuild dependencies after restore with `yarn install` or `npm install`. Each `.tar.gz` is self-contained: extracting creates a single top-level folder with everything inside. Quick backup shows live per-folder progress (same dashboard as interactive).
 - **Restore**: With integrity validation (tar + SHA256); optional `--skip-verify`
 - **Reporting**: HTML reports, email, charts (gnuplot), backup comparison
 - **Security**: Permissions, secrets handling, security audit script
@@ -70,28 +73,39 @@ Tests run with no config (they use `test/` and `test-projects/`).
 
 ```bash
 ./run-tests.sh              # Unit + integration + security audit
-./run-tests.sh --unit       # Unit only (32 tests)
-./run-tests.sh --integration # Integration only (9 tests)
+./run-tests.sh --unit       # Unit only (38 tests)
+./run-tests.sh --integration # Integration only (10 tests)
 ./run-tests.sh --security   # Security audit only
 ```
 
-**Coverage (41 tests):**
+**Coverage (48 tests):**
 
 | Category | Tests | What's covered |
 |----------|-------|----------------|
-| **Unit (32)** | `format_size` (0 B through GB), `sanitize_input` (basic + strict), `validate_path` (traversal, injection, empty, relative, absolute), `detect_os`, `get_os_version_display`, `get_file_size_bytes` (file + missing), `calculate_checksum` (consistency + SHA256 length), `check_required_tools` (present + missing), `format_time` (seconds/minutes/hours), `capitalize`, `verify_directory` (exists + missing), `find_projects`, `verify_backup` (valid + corrupted archive) | Core utility functions, edge cases, and error paths |
-| **Integration (9)** | Backup dry-run, full backup, backup-file existence, node_modules exclusion, archive integrity (`verify_backup`), source-file presence in archive, restore dry-run, incremental backup, config with RUNNING_TESTS | End-to-end backup/restore workflow and configuration |
+| **Unit (38)** | `format_size` (0 B through GB), `sanitize_input` (basic + strict), `validate_path` (traversal, injection, empty, relative, absolute), `detect_os`, `get_os_version_display`, `get_file_size_bytes` (file + missing), `calculate_checksum` (consistency + SHA256 length), `check_required_tools` (present + missing), `format_time` (seconds/minutes/hours), `capitalize`, `verify_directory` (exists + missing), `find_projects`, `verify_backup` (valid + corrupted archive), `is_safe_config_literal` checks, and `sanitize_cron_backup_options` allow/reject cases | Core utility functions, edge cases, and error paths |
+| **Integration (10)** | Backup dry-run, full backup, backup-file existence, node_modules exclusion, archive integrity (`verify_backup`), source-file presence in archive, **.env and lockfiles included**, restore dry-run, incremental backup, config with RUNNING_TESTS | End-to-end backup/restore workflow and configuration |
 | **Security** | File permissions, sensitive files in git, hardcoded credentials, eval usage, temp file handling | Static analysis of common vulnerabilities |
 
 You can also run `./test-backup.sh` (with `--quick`, `--unit`, or `--integration`) or `npm test`.
 
-**Platform verification (macOS, Linux, WSL2):** The same test suite and scripts are supported on all three. To verify on your platform:
+**Platform verification (macOS, Linux, WSL2):** The same test suite and scripts run on all three. Ubuntu is the primary Linux target.
+
+| Platform | How to verify |
+|----------|---------------|
+| **macOS** | `./run-tests.sh` (all 42 tests), `./backup.sh --quick --dry-run`, `./verify-implementation.sh` |
+| **Linux (Ubuntu)** | Same commands; uses GNU tools (`stat -c`, `date -d`, etc.) |
+| **WSL2** | Same as Linux; use `/mnt/c`, `/mnt/d` etc. for Windows drives (see **Paths by platform** below) |
+
+- **Compatibility check:** `./verify-implementation.sh` confirms config, first-run, and OS-specific paths (e.g. `get_file_size_bytes`, `run_with_timeout`, tar flags). It reports macOS or Linux and suggests next steps.
+- **Quick smoke test:** `./backup.sh --quick --dry-run` shows the backup dashboard and a simulated run without writing files.
+
+The app uses `uname -s` to choose the right commands (e.g. BSD vs GNU `find`, `stat` vs `du`, `date -r` vs `date -d`).
+
+## Exclusions and what’s included
 
-- **macOS / Linux / WSL2:** Run `./run-tests.sh` (no config required; uses test directories). All 41 tests should pass.
-- **Compatibility check:** Run `./verify-implementation.sh` to confirm config, first-run, and OS-specific paths (e.g. `get_file_size_bytes`, `run_with_timeout`, tar flags). It reports macOS or Linux and suggests next steps.
-- **Quick smoke test:** `./backup.sh --quick --dry-run` should show the backup dashboard and a simulated run without writing files.
+- **`node_modules`** – Excluded from all backups (full, incremental, differential, and quick) to **save space**. Dependencies are easy to rebuild after restore: run `yarn install` or `npm install` in each project directory. Exclusion is verified by the integration test suite.
 
-On WSL2, use `/mnt/<letter>/` for Windows drives (see **Paths by platform** in Configuration). The app uses `uname -s` to choose the right commands (e.g. BSD vs GNU `find`, `stat` vs `du`).
+- **Always included** (so you can reconstruct the app after restore): **`.env`** (and common variants like `.env.local`), **`yarn.lock`**, and **npm lockfiles** (`package-lock.json`, `npm-shrinkwrap.json`) are *not* excluded. With these in the backup, a restore plus `yarn install` or `npm install` reproduces the same dependency tree and environment.
 
 ## Configuration
 
@@ -128,6 +142,37 @@ All command-line options pass through to the alias. Dry-run only checks that sou
 2. **`./secure-secrets.sh`** – set up credential storage
 3. **`./security-audit.sh`** – checks permissions, sensitive files in git, hardcoded credentials, eval, temp files (also runs with `./run-tests.sh`)
 
+## Pull Request Checklist
+
+Use this checklist before opening or merging a PR:
+
+- [ ] Ran `./run-tests.sh` locally and all suites passed.
+- [ ] Ran `./security-audit.sh` and it reported no issues.
+- [ ] Verified on at least one target platform (`macOS` or `Ubuntu/WSL2`).
+- [ ] If shell scripts changed, ensured `bash -n` passes.
+- [ ] Updated `README.md` or docs for any behavior/CLI changes.
+- [ ] Confirmed no secrets were added (especially `secrets.sh`, `.env`, credentials).
+
+CI (`.github/workflows/ci.yml`) enforces syntax checks and full tests on macOS and Ubuntu.
+
+## Contributing
+
+Before opening a PR, run the local quality gate:
+
+```bash
+./run-tests.sh && ./security-audit.sh
+```
+
+Recommended when changing shell scripts:
+
+```bash
+find . -type f -name "*.sh" -exec bash -n {} \;
+```
+
+If your change affects platform-specific behavior, validate at least one of:
+- macOS
+- Ubuntu Linux (or WSL2 Ubuntu)
+
 **What's hardened:**
 - All temp files use `mktemp` (no `/tmp/` predictable paths in active code)
 - `umask 027` in utils, encryption, and setup scripts
@@ -144,6 +189,7 @@ Full details: [docs/SECURITY_REVIEW.md](docs/SECURITY_REVIEW.md)
 |--------|--------|
 | `webdev-backup.sh` | Main menu |
 | `backup.sh`, `restore.sh`, `quick-backup.sh` | Backup and restore |
+| `prune-backups.sh` | Prune old backups (keep 5 latest or delete one by one) |
 | `config.sh`, `utils.sh`, `fs.sh`, `ui.sh` | Config and shared modules |
 | `configure-cron.sh` | Cron schedules (uses mktemp) |
 | `compare-backups.sh` | Compare two backups |

archive/src.legacy/backup.sh

@@ -241,7 +241,10 @@ fi
 # Get list of projects
 projects=()
 for dir in "${SOURCE_DIRS[@]}"; do
-    mapfile -t dir_projects < <(find_projects "$dir" 1)
+    dir_projects=()
+    while IFS= read -r project_path; do
+        [ -n "$project_path" ] && dir_projects+=("$project_path")
+    done < <(find_projects "$dir" 1)
     projects+=("${dir_projects[@]}")
 done
 

archive/src.legacy/restore.sh

@@ -112,8 +112,11 @@ echo -e "${CYAN}Started at: $(date)${NC}\n"
 if [ "$LIST_BACKUPS" = true ]; then
     echo -e "${YELLOW}Available Backups:${NC}"
 
-    # Find all backup directories
-    mapfile -t backup_dirs < <(find "$BACKUP_DIR" -maxdepth 1 -type d -name "wsl2_backup_*" | sort -r)
+    # Find all backup directories (Bash 3.2 compatible)
+    backup_dirs=()
+    while IFS= read -r backup_dir; do
+        [ -n "$backup_dir" ] && backup_dirs+=("$backup_dir")
+    done < <(find "$BACKUP_DIR" -maxdepth 1 -type d -name "wsl2_backup_*" | sort -r)
 
     if [ ${#backup_dirs[@]} -eq 0 ]; then
         echo -e "${RED}No backups found in $BACKUP_DIR${NC}"
@@ -189,8 +192,11 @@ if [ "$DRY_RUN" = true ]; then
     log "Dry run mode: Showing what would be done, no actual restore" "$LOG_FILE"
 fi
 
-# Find available projects in the backup
-mapfile -t available_projects < <(find "$BACKUP_TO_RESTORE" -maxdepth 1 -type f -name "*.tar.gz" | sed -n 's/.*\/\([^_]*\)_.*/\1/p' | sort -u)
+# Find available projects in the backup (Bash 3.2 compatible)
+available_projects=()
+while IFS= read -r project_name; do
+    [ -n "$project_name" ] && available_projects+=("$project_name")
+done < <(find "$BACKUP_TO_RESTORE" -maxdepth 1 -type f -name "*.tar.gz" | sed -n 's/.*\/\([^_]*\)_.*/\1/p' | sort -u)
 
 if [ ${#available_projects[@]} -eq 0 ]; then
     # Special handling for dry-run mode

archive/src.legacy/utils/dirs-status.sh

@@ -26,8 +26,9 @@ TOTAL_SIZE=0
 VALID_DIRS=0
 INVALID_DIRS=0
 
-# Track project counts per directory
-declare -A PROJECT_COUNTS
+# Track project counts per directory (Bash 3.2 compatible; avoid associative arrays)
+PROJECT_DIR_NAMES=()
+PROJECT_DIR_COUNTS=()
 
 # Process each directory
 for ((i=0; i<${#DEFAULT_SOURCE_DIRS[@]}; i++)); do
@@ -38,10 +39,14 @@ for ((i=0; i<${#DEFAULT_SOURCE_DIRS[@]}; i++)); do
 
     # Check if directory exists and is readable
     if [ -d "$DIR" ] && [ -r "$DIR" ]; then
-        # Find all projects (subdirs)
-        readarray -t PROJECTS < <(find "$DIR" -maxdepth 1 -mindepth 1 -type d -not -path "*/\.*" | sort)
+        # Find all projects (subdirs) - Bash 3.2 compatible
+        PROJECTS=()
+        while IFS= read -r project_path; do
+            [ -n "$project_path" ] && PROJECTS+=("$project_path")
+        done < <(find "$DIR" -maxdepth 1 -mindepth 1 -type d -not -path "*/\.*" | sort)
         PROJECT_COUNT=${#PROJECTS[@]}
-        PROJECT_COUNTS["$DIR_NAME"]=$PROJECT_COUNT
+        PROJECT_DIR_NAMES+=("$DIR_NAME")
+        PROJECT_DIR_COUNTS+=("$PROJECT_COUNT")
 
         TOTAL_PROJECTS=$((TOTAL_PROJECTS + PROJECT_COUNT))
         VALID_DIRS=$((VALID_DIRS + 1))
@@ -86,8 +91,8 @@ echo "Total size (excluding node_modules): $(format_size "$TOTAL_SIZE")"
 
 echo
 echo -e "${CYAN}Projects by directory:${NC}"
-for DIR_NAME in "${!PROJECT_COUNTS[@]}"; do
-    echo "  $DIR_NAME: ${PROJECT_COUNTS[$DIR_NAME]} projects"
+for ((i=0; i<${#PROJECT_DIR_NAMES[@]}; i++)); do
+    echo "  ${PROJECT_DIR_NAMES[$i]}: ${PROJECT_DIR_COUNTS[$i]} projects"
 done
 
 exit 0

archive/src.legacy/utils/error-handling.sh

@@ -16,20 +16,22 @@ readonly ERROR_WARNING=1   # Warning, non-critical
 readonly ERROR_CRITICAL=2  # Critical error, operation cannot continue
 readonly ERROR_FATAL=3     # Fatal error, script termination required
 
-# Error codes and meanings
-declare -A ERROR_CODES=(
-    [1]="Configuration error"
-    [2]="File system error"
-    [3]="Missing dependencies"
-    [4]="Permission denied"
-    [5]="Network error"
-    [6]="Backup creation failed"
-    [7]="Verification failed"
-    [8]="Restore operation failed"
-    [9]="Cloud upload/download failed"
-    [10]="Invalid arguments"
-    [99]="Unknown error"
-)
+# Error code lookup (Bash 3.2 compatible; avoid associative arrays)
+get_error_type() {
+    case "${1:-99}" in
+        1) echo "Configuration error" ;;
+        2) echo "File system error" ;;
+        3) echo "Missing dependencies" ;;
+        4) echo "Permission denied" ;;
+        5) echo "Network error" ;;
+        6) echo "Backup creation failed" ;;
+        7) echo "Verification failed" ;;
+        8) echo "Restore operation failed" ;;
+        9) echo "Cloud upload/download failed" ;;
+        10) echo "Invalid arguments" ;;
+        *) echo "Unknown error" ;;
+    esac
+}
 
 # Terminal colors
 RED='\033[0;31m'
@@ -52,7 +54,8 @@ handle_error() {
     local calling_line=$(caller | awk '{print $1}')
 
     # Format error message for logging
-    local error_type=${ERROR_CODES[$code]:-"Unknown error type"}
+    local error_type
+    error_type=$(get_error_type "$code")
     local log_message="[$timestamp] [${error_type}] (Code: $code) ${message}"
     local detail_message="In script $calling_script at line $calling_line"
 

archive/src.legacy/utils/find-projects.sh

@@ -44,8 +44,11 @@ for dir in "${SOURCE_DIRS[@]}"; do
     dir_name=$(basename "$dir")
     echo -e "\n${CYAN}=== Directory: $dir (${dir_name}) ===${NC}"
 
-    # Find projects in this directory
-    mapfile -t projects < <(find "$dir" -maxdepth 1 -mindepth 1 -type d -not -path "*/\.*" | sort)
+    # Find projects in this directory (Bash 3.2 compatible)
+    projects=()
+    while IFS= read -r project_path; do
+        [ -n "$project_path" ] && projects+=("$project_path")
+    done < <(find "$dir" -maxdepth 1 -mindepth 1 -type d -not -path "*/\.*" | sort)
 
     # Display projects
     if [ ${#projects[@]} -gt 0 ]; then

backup.sh

@@ -26,6 +26,9 @@ CUSTOM_SOURCE_DIRS=()
 DRY_RUN=false
 EXTERNAL_BACKUP=false  # Track if this is an external (cloud) backup
 QUICK_BACKUP=false     # --quick: same as silent but show per-folder progress like interactive
+EXCLUDE_FILE=""        # Temp file for exclusions; trap cleans on exit
+
+trap 'rm -f "${EXCLUDE_FILE}" 2>/dev/null' EXIT
 
 # Parse command line arguments
 while [[ $# -gt 0 ]]; do
@@ -120,8 +123,9 @@ while [[ $# -gt 0 ]]; do
             ;;
         --destination|--dest|-d)
             if [[ -n "$2" && "$2" != --* ]]; then
-                # Expand tilde in path
-                CUSTOM_BACKUP_DIR="${2/#\~/$HOME}"
+                # Expand tilde in path and validate (reject traversal, injection)
+                _dir="${2/#\~/$HOME}"
+                CUSTOM_BACKUP_DIR=$(validate_path "$_dir" "dir") || { echo -e "${RED}Error: Invalid destination path${NC}"; exit 1; }
                 shift 2
             else
                 echo -e "${RED}Error: Destination argument requires a directory path${NC}"
@@ -131,11 +135,12 @@ while [[ $# -gt 0 ]]; do
         --sources)
             if [[ -n "$2" ]]; then
                 IFS=',' read -ra custom_dirs <<< "$2"
-                for dir in "${custom_dirs[@]}"; do
-                    # Trim whitespace and expand tilde
-                    dir=$(echo "$dir" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
-                    dir="${dir/#\~/$HOME}"
-                    CUSTOM_SOURCE_DIRS+=("$dir")
+                for _dir in "${custom_dirs[@]}"; do
+                    # Trim whitespace, expand tilde, and validate (reject traversal, injection)
+                    _dir=$(echo "$_dir" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
+                    _dir="${_dir/#\~/$HOME}"
+                    _validated=$(validate_path "$_dir" "dir") || { echo -e "${RED}Error: Invalid source path: $_dir${NC}"; exit 1; }
+                    CUSTOM_SOURCE_DIRS+=("$_validated")
                 done
                 shift 2
             else
@@ -145,9 +150,10 @@ while [[ $# -gt 0 ]]; do
             ;;
         --source|-s)
             if [[ -n "$2" && "$2" != --* ]]; then
-                # Expand tilde in path
-                dir="${2/#\~/$HOME}"
-                CUSTOM_SOURCE_DIRS+=("$dir")
+                # Expand tilde in path and validate (reject traversal, injection)
+                _dir="${2/#\~/$HOME}"
+                _validated=$(validate_path "$_dir" "dir") || { echo -e "${RED}Error: Invalid source path${NC}"; exit 1; }
+                CUSTOM_SOURCE_DIRS+=("$_validated")
                 shift 2
             else
                 echo -e "${RED}Error: Source argument requires a directory path${NC}"
@@ -867,8 +873,8 @@ if [ "$SILENT_MODE" = false ]; then
     echo -e "${YELLOW}=============================================${NC}"
 fi
 
-# Generate HTML report (skip in dry-run)
-if [ "$DRY_RUN" != true ] && { [ "$SILENT_MODE" = false ] || [ -n "$EMAIL_NOTIFICATION" ]; }; then
+# Generate HTML report (skip in dry-run). Create when interactive, email requested, or when showing progress (e.g. --quick) so "view report" can be offered.
+if [ "$DRY_RUN" != true ] && { [ "$SILENT_MODE" = false ] || [ -n "$EMAIL_NOTIFICATION" ] || [ "$SHOW_PROGRESS" = true ]; }; then
     REPORT_FILE=$(create_backup_report \
         "$FULL_BACKUP_PATH" \
         "$SUCCESSFUL_PROJECTS" \
@@ -1039,10 +1045,10 @@ else
     fi
     echo -e "${CYAN}Finished at: $(date)${NC}\n"
 
-    # Ask if the user wants to view the report in browser
-    if [ "$DRY_RUN" != true ] && [ -f "$REPORT_FILE" ]; then
+    # Ask if the user wants to view the report in browser (default Y)
+    if [ "$DRY_RUN" != true ] && [ -n "$REPORT_FILE" ] && [ -f "$REPORT_FILE" ]; then
         echo -e "\n${YELLOW}Would you like to view the backup report in your browser?${NC}"
-        if safe_confirm "Open report in browser?" "n"; then
+        if safe_confirm "Open report in browser?" "y"; then
             echo -e "${GREEN}Opening backup report in browser...${NC}"
             if open_in_browser "$REPORT_FILE"; then
                 echo -e "${GREEN}Report opened in browser.${NC}"