MokoConsulting/MokoSuiteBackup
1
0
Fork 0
Code Issues 11 Pull Requests Packages Releases 5 Wiki Activity

feat: Backup type filter + path traversal protection (#68, #72) #86

Closed
jmiller wants to merge 1 commits from fix/quick-wins into main
pull from: fix/quick-wins
merge into: :main
Conversation 0 Commits 1 Files Changed 12
+72 -12
jmiller commented 2026-06-21 23:50:23 +00:00
Owner
Copy Link
Copy Source

Summary

Two quick wins from the issue backlog.

Closes #68, closes #72.

Changes

#68: Backup type filter

Adds a "Backup Type" dropdown filter to the backups list view alongside the existing status filter.

  • filter_backups.xml — full/database/files/differential options
  • BackupsModel — backup_type filter in query
  • Language string added

#72: Path traversal protection

Validates archive entries before extraction in RestoreEngine and MokoRestore standalone script. Rejects paths containing ../ or starting with / or \.

  • RestoreEngine::extractArchive() — ZIP entry validation
  • RestoreEngine::extractTarGz() — PharData entry validation
  • MokoRestore generated script — same validation

Test Plan

  • Backups list view shows "Type" filter dropdown
  • Filtering by "Database Only" shows only database backups
  • Restore from normal ZIP archive works
  • Restore rejects archive with ../ in entry paths
## Summary Two quick wins from the issue backlog. Closes #68, closes #72. ## Changes ### #68: Backup type filter Adds a "Backup Type" dropdown filter to the backups list view alongside the existing status filter. - `filter_backups.xml` — full/database/files/differential options - `BackupsModel` — backup_type filter in query - Language string added ### #72: Path traversal protection Validates archive entries before extraction in RestoreEngine and MokoRestore standalone script. Rejects paths containing `../` or starting with `/` or `\`. - `RestoreEngine::extractArchive()` — ZIP entry validation - `RestoreEngine::extractTarGz()` — PharData entry validation - `MokoRestore` generated script — same validation ## Test Plan - [ ] Backups list view shows "Type" filter dropdown - [ ] Filtering by "Database Only" shows only database backups - [ ] Restore from normal ZIP archive works - [ ] Restore rejects archive with `../` in entry paths
jmiller added the component: enginecomponent: admin labels 2026-06-21 23:50:23 +00:00
jmiller added 1 commit 2026-06-21 23:50:24 +00:00
feat: backup type filter + path traversal protection (#68, #72)
Joomla: Extension CI / Tests (PHP 8.2) (pull_request) Blocked by required conditions
Details
Joomla: Extension CI / Tests (PHP 8.3) (pull_request) Blocked by required conditions
Details
Joomla: Extension CI / PHPStan Analysis (pull_request) Blocked by required conditions
Details
Joomla: Extension CI / Build RC Pre-Release (pull_request) Blocked by required conditions
Details
Universal: PR Check / Build RC Package (pull_request) Blocked by required conditions
Details
Universal: PR Check / Report Issues (pull_request) Blocked by required conditions
Details
Generic: Repo Health / Scripts governance (pull_request) Blocked by required conditions
Details
Generic: Repo Health / Repository health (pull_request) Blocked by required conditions
Details
Generic: Repo Health / Report Issues (pull_request) Blocked by required conditions
Details
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Successful in 25s
Details
Universal: Build & Release / Promote to RC (pull_request) Successful in 28s
Details
Universal: Build & Release / Build & Release Pipeline (pull_request) Has been skipped
Details
Joomla: Extension CI / Release Readiness Check (pull_request) Failing after 4s
Details
Universal: PR Check / Branch Policy (pull_request) Failing after 1s
Details
Joomla: Extension CI / Lint & Validate (pull_request) Failing after 7s
Details
Universal: PR Check / Secret Scan (pull_request) Successful in 5s
Details
Universal: PR Check / Validate PR (pull_request) Failing after 4s
Details
Generic: Repo Health / Access control (pull_request) Successful in 1s
Details
Generic: Repo Health / Site Health (pull_request) Has been skipped
Details
Joomla: Metadata Validation / Validate Joomla Metadata (pull_request) Successful in 11s
Details
3328d7cf19 
#68: Add backup type filter dropdown to backups list view
- filter_backups.xml: full/database/files/differential options
- BackupsModel: backup_type filter in getListQuery()
- Language string: COM_MOKOJOOMBACKUP_FILTER_TYPE_ALL

#72: Path traversal protection in RestoreEngine and MokoRestore
- RestoreEngine::extractArchive(): validate ZIP entries before extractTo()
- RestoreEngine::extractTarGz(): validate PharData entries before extractTo()
- MokoRestore standalone script: same validation in generated PHP code
- Rejects entries containing ../ or starting with / or \

Closes #68, closes #72
jmiller added 1 commit 2026-06-21 23:50:37 +00:00
chore(version): pre-release bump to 01.27.08-dev [skip ci]
Publish to Composer / Publish Package (release) Failing after 4s
Details
07e1d5475e
jmiller closed this pull request 2026-06-21 23:51:06 +00:00
jmiller deleted branch fix/quick-wins 2026-06-21 23:51:06 +00:00

Pull request closed

This pull request cannot be reopened because the branch was deleted.
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
component: admin
Admin UI and views
 component: api
REST API
 component: engine
Backup/restore engine
 component: remote
Remote storage (FTP/GDrive)
 component: scheduler
Scheduled tasks
No labels component: admin component: engine
Priority -
Type -
Milestone
No items
No Milestone
Assignees
Clear assignees
jmiller (Jonathan Miller)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: MokoConsulting/MokoSuiteBackup#86
Delete Branch "fix/quick-wins"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?