MokoConsulting/MokoSuiteBackup
1
0
Fork 0
Code Issues 11 Pull Requests Packages Releases 5 Wiki Activity

security: RestoreEngine staging path uses unsanitized $record->tag #77

New Issue
Closed
opened 2026-06-21 23:01:30 +00:00 by jmiller · 0 comments
jmiller commented 2026-06-21 23:01:30 +00:00
Owner
Copy Link
Copy Source

Severity: HIGH

RestoreEngine at line 80 constructs the staging directory path using $record->tag directly from the database without sanitization:

$this->stagingDir = JPATH_ROOT . '/tmp/mokosuitebackup-restore-' . $record->tag;

A crafted tag like ../../etc/ would resolve outside /tmp/, allowing file extraction to arbitrary locations.

Similarly, SnapshotRestoreEngine at line 79 trusts $record->data_file from DB without validating it stays within the backup directory.

Fix

Sanitize tag: preg_replace('/[^a-zA-Z0-9_-]/', '', $record->tag)
Validate data_file: check realpath() stays within BackupDirectory::getDefaultAbsolute()

Files

  • src/Engine/RestoreEngine.php:80
  • src/Engine/SnapshotRestoreEngine.php:79
## Severity: HIGH `RestoreEngine` at line 80 constructs the staging directory path using `$record->tag` directly from the database without sanitization: ```php $this->stagingDir = JPATH_ROOT . '/tmp/mokosuitebackup-restore-' . $record->tag; ``` A crafted tag like `../../etc/` would resolve outside `/tmp/`, allowing file extraction to arbitrary locations. Similarly, `SnapshotRestoreEngine` at line 79 trusts `$record->data_file` from DB without validating it stays within the backup directory. ## Fix Sanitize tag: `preg_replace('/[^a-zA-Z0-9_-]/', '', $record->tag)` Validate data_file: check `realpath()` stays within `BackupDirectory::getDefaultAbsolute()` ## Files - `src/Engine/RestoreEngine.php:80` - `src/Engine/SnapshotRestoreEngine.php:79`
jmiller added the component: engine label 2026-06-21 23:01:30 +00:00
Sign in to join this conversation.
Labels
Clear labels
component: admin
Admin UI and views
 component: api
REST API
 component: engine
Backup/restore engine
 component: remote
Remote storage (FTP/GDrive)
 component: scheduler
Scheduled tasks
No labels component: engine
Priority Medium
Type Feature
Milestone
No items
No Milestone
Assignees
Clear assignees
jmiller (Jonathan Miller)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: MokoConsulting/MokoSuiteBackup#77
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?