Platforms reviewed: macOS, Linux (Ubuntu), Linux under WSL2 (Ubuntu).
Last updated: 2026-02-10
The app is sound for desktop/CLI use. Path sanitization, archive traversal checks, mktemp, safe permissions, and umask 027 are used consistently. All /tmp/ predictable-path usage has been eliminated from active code. The security audit (./security-audit.sh) passes with no issues.
Risk: Predictable temp path (`/tmp/email_message_$$` in utils.sh). On multi-user or shared systems, another process could pre-create it as a symlink.
Fix: Replaced with mktemp, chmod 600, then rm -f after use.
Risk: Dead code wrote to /tmp/added_$$, /tmp/deleted_$$, /tmp/changed_$$.
Fix: Removed the three writes. The function's output variables were unused; the main loop uses mktemp -d and comm directly.
Issue: find_latest_backup() had a broken if/else with a pipe split across the block.
Fix: Inlined the full pipeline on each branch so macOS and Linux use the correct find/stat variant.
Risk: extract_backup() in fs.sh used plain tar -xzf. On Linux, if run as root, tar would restore original file ownership, which could create root-owned files in user directories. The verification extract in utils.sh already used --no-same-owner.
Fix: Added --no-same-owner to extract_backup() on Linux. Skipped on macOS (BSD tar doesn't support it; macOS tar already ignores ownership by default for non-root).
Risk: Scripts could be set to world-writable (e.g. chmod 777), allowing any user to modify them.
Fix: Use ./secure-permissions.sh to set proper permissions (755 scripts, 640 config, 750 dirs). umask 027 is used in utils, encryption, and setup scripts.
Risk (eval in run_cmd): Low. All call sites pass literal strings with config-derived variables (e.g. run_cmd "mkdir -p \"$BACKUP_DIR\""). No network/untrusted inputs. Config is user-owned.
Recommendation: Consider refactoring to avoid eval if CLI args ever become untrusted.
Observation: TEMP_LOG=$(mktemp) used correctly; mv to final path. If killed before mv, a temp file is left. No symlink/injection risk.
Recommendation: Optional: add a trap for cleanup.
Observation: --source / --destination are checked with verify_directory or -d / -w tests but not passed through validate_path(). Acceptable for single-user CLI. Recommend adding validation if inputs ever come from untrusted sources.
- No `/tmp/` in active code. All temp files use `mktemp` / `mktemp -d`.
- Path sanitization: `validate_path()` and `sanitize_input()` used for email, browser, and sensitive contexts.
- Archive safety: Traversal checks (`../`, absolute paths) before extraction; `--no-same-owner` on extract.
- Permissions: `umask 027` in utils/encryption/setup; `secure-permissions.sh` sets 755/640/750.
- Secrets: `secrets.sh` gitignored; mail credentials wiped with `shred` or `dd` + `rm`.
- Security audit: Portable (`-perm -0002`), excludes archive, allowlists templates and controlled eval. Passes clean.
- Platform: Same code paths on macOS, Linux, WSL2. `--no-same-owner` skipped on macOS (not needed). No platform-specific gaps.
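The temp-file and archive-extraction patterns summarized above, as an added example (not the project's own code): mktemp with owner-only permissions and the trap-based cleanup recommended earlier, plus a traversal check followed by a Linux-only `--no-same-owner` extract. Function names (`secure_tempfile`, `archive_is_safe`, `extract_backup`) and the `SECURE_TMP` variable are assumptions.

```shell
#!/bin/sh
# Added example, not the project's code. POSIX sh so it runs under
# dash and bash on macOS, Linux and WSL2 alike.
set -eu
umask 027

# Every temp file we create is registered here and removed on exit,
# so a kill before the final mv no longer leaves it behind.
TMP_FILES=""
cleanup() { [ -z "$TMP_FILES" ] || rm -f -- $TMP_FILES; }
trap cleanup EXIT

# Create an unpredictable, owner-only temp file; path is returned in
# SECURE_TMP (a global, so registration survives without a subshell).
secure_tempfile() {
    SECURE_TMP=$(mktemp)
    chmod 600 "$SECURE_TMP"
    TMP_FILES="$TMP_FILES $SECURE_TMP"
}

# Return 0 only if no member name is absolute or has a '..' component.
# The listing is captured first so the check is not cut short by grep.
archive_is_safe() {
    listing=$(tar -tzf "$1") || return 1
    ! printf '%s\n' "$listing" | grep -E '^/|(^|/)\.\.(/|$)' >/dev/null
}

# Extract only after the traversal check. On Linux (GNU tar) also refuse
# to restore stored ownership, so a root-run restore never drops
# root-owned files into a user's tree; BSD tar on macOS lacks the flag
# and already ignores ownership for non-root users.
extract_backup() {
    archive=$1
    dest=$2
    archive_is_safe "$archive" || {
        echo "refusing $archive: unsafe member names" >&2
        return 1
    }
    if [ "$(uname -s)" = Linux ]; then
        tar -xzf "$archive" -C "$dest" --no-same-owner
    else
        tar -xzf "$archive" -C "$dest"
    fi
}
```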
All tests pass. Security audit reports 0 issues.
Unit Tests: 38/38 PASSED
Integration Tests: 10/10 PASSED
Security Audit: 0 issues found
- utils.sh — `mktemp` for basic-email message file (was `/tmp/email_message_$$`)
- compare-backups.sh — Removed dead `/tmp/..._$$` writes; fixed `find_latest_backup()` syntax
- fs.sh — Added `--no-same-owner` to `extract_backup()` on Linux
- Permissions — Use `secure-permissions.sh` for 755/640/750; `umask 027` in key scripts