ruborg 0.2.0 → 0.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ca72109e555872d29ba3b56a07b6ed10ea5b41fec351631232265c42216fd376
-  data.tar.gz: 2049a2ba62a07171f2fc62237243043be6dacf83200f0ffa4f10b6a05285d5b1
+  metadata.gz: 0bb6c1c5f47b1fbb4538310a929914b0e744bcdb30d5e5635c4246df778e2113
+  data.tar.gz: bda5cf063fe587a047dd36fa9c5e948d8130e47501a53eabef9c34a3af7ae361
 SHA512:
-  metadata.gz: ce9e39076fbb118801cf910ca241e930d2139e0f15c8adaf139a62e36bf8dad5a7495d81618db5f82d45d7c1e6c0784c143258afbc0c4ad524945d13b91ca345
-  data.tar.gz: 94534dfd27da62827c5976bcbbe291d9c6906a7e3355905a970b6f9ea65bb3b7612ae50373445a249f2b57ad9283028ca06ab5db87d85f05e6ff76e3b6d34121
+  metadata.gz: 8828dacb76519557d51876327133491318bd199e589fb695d08a94af1a73a3c34772f022b6630e199a2c1ab9ab7d78dcce043a402bfa0f418ae51262aad80e8f
+  data.tar.gz: 99b7e79eb2e50240862f7ade79291d9a76469385f2b7e8949df8e6ac3251f9adcbe2f605e42c09364616c028f10575593c3e0a1df1d020bcf8fc7291a9cdb558

data/CHANGELOG.md

@@ -7,6 +7,54 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.3.1] - 2025-10-05
+
+### Added
+- `borg_options` configuration for controlling Borg environment variables
+- Repository path validation to prevent creation in system directories
+- Backup path validation and normalization
+- Archive name sanitization (alphanumeric, dash, underscore, dot only)
+
+### Changed
+- Borg environment variables now configurable via `borg_options` (backward compatible)
+- All backup paths are now normalized to absolute paths
+- Custom archive names are automatically sanitized
+
+### Security
+- Fixed command injection vulnerability in Passbolt CLI execution (now uses Open3.capture3)
+- Added path traversal protection for extract operations
+- Implemented symlink resolution and system path protection for --remove-source
+- Changed to YAML.safe_load_file to prevent arbitrary code execution
+- Added log path validation to prevent writing to system directories
+- Added repository path validation (prevents /bin, /etc, /usr, etc.)
+- Added backup path validation (rejects empty/nil paths)
+- Added archive name sanitization (prevents injection attacks)
+- Made Borg environment options configurable for enhanced security
+- Added SECURITY.md with comprehensive security guidelines and best practices
+- Enhanced test coverage for all security features
+
+## [0.3.0] - 2025-10-05
+
+### Added
+- Auto-initialization feature: Set `auto_init: true` in config to automatically initialize repositories on first use
+- Multi-repository configuration support with per-repository sources
+- `--repository` / `-r` option to target specific repository in multi-repo configs
+- `--all` option to backup all repositories at once
+- Repository-specific Passbolt integration (overrides global settings)
+- Per-source exclude patterns in multi-repo configs
+- BackupConfig wrapper class for multi-repo compatibility
+- Automatic format detection (single vs multi-repo)
+- Support for multiple backup sources per repository
+- Global settings with per-repository overrides
+- `log_file` configuration option to set log path in config file
+- Log file priority: CLI option > config file > default
+
+### Changed
+- Config class now detects and handles both single-repo and multi-repo formats
+- Backup command automatically routes to single or multi-repo implementation
+- Archive naming includes repository name for multi-repo configs
+- CLI now reads log_file from config if --log option not provided
+
 ## [0.2.0] - 2025-10-05
 
 ### Added

data/README.md

@@ -15,7 +15,10 @@ A friendly Ruby frontend for [Borg Backup](https://www.borgbackup.org/). Ruborg
 - 🗂️ **Selective Restore** - Restore individual files or directories from archives
 - 🧹 **Auto-cleanup** - Optionally remove source files after successful backup
 - 📊 **Logging** - Comprehensive logging with daily rotation
+- 🗄️ **Multi-Repository** - Manage multiple backup repositories with different sources
+- 🔄 **Auto-initialization** - Automatically initialize repositories on first use
 - ✅ **Well-tested** - Comprehensive test suite with RSpec
+- 🔒 **Security-focused** - Path validation, safe YAML loading, command injection protection
 
 ## Prerequisites
 
@@ -63,7 +66,9 @@ gem install ruborg
 
 ## Configuration
 
-Create a `ruborg.yml` configuration file:
+Ruborg supports two configuration formats: **single repository** (legacy) and **multi-repository** (recommended for complex setups).
+
+### Single Repository Configuration
 
 ```yaml
 # Repository path
@@ -73,15 +78,11 @@ repository: /path/to/borg/repository
 backup_paths:
   - /home/user/documents
   - /home/user/projects
-  - /etc
 
 # Exclude patterns
 exclude_patterns:
   - "*.tmp"
   - "*.log"
-  - "*/.cache/*"
-  - "*/node_modules/*"
-  - "*/.git/*"
 
 # Compression algorithm (lz4, zstd, zlib, lzma, none)
 compression: lz4
@@ -92,9 +93,70 @@ encryption: repokey
 # Passbolt integration (optional)
 passbolt:
   resource_id: "your-passbolt-resource-uuid"
+
+# Auto-initialize repository (optional, default: false)
+auto_init: true
+
+# Log file path (optional, default: ~/.ruborg/logs/ruborg.log)
+log_file: /var/log/ruborg.log
+
+# Borg environment options (optional)
+borg_options:
+  allow_relocated_repo: true  # Allow relocated repositories (default: true)
+  allow_unencrypted_repo: true  # Allow unencrypted repositories (default: true)
+```
+
+### Multi-Repository Configuration
+
+For managing multiple repositories with different sources:
+
+```yaml
+# Global settings (applied to all repositories unless overridden)
+compression: lz4
+encryption: repokey
+auto_init: true
+passbolt:
+  resource_id: "global-passbolt-id"
+borg_options:
+  allow_relocated_repo: false
+  allow_unencrypted_repo: false
+
+# Multiple repositories
+repositories:
+  - name: documents
+    path: /mnt/backup/documents
+    sources:
+      - name: home-docs
+        paths:
+          - /home/user/documents
+        exclude:
+          - "*.tmp"
+      - name: work-docs
+        paths:
+          - /home/user/work
+        exclude:
+          - "*.log"
+
+  - name: databases
+    path: /mnt/backup/databases
+    # Repository-specific passbolt (overrides global)
+    passbolt:
+      resource_id: "db-specific-passbolt-id"
+    sources:
+      - name: mysql
+        paths:
+          - /var/lib/mysql/dumps
+      - name: postgres
+        paths:
+          - /var/lib/postgresql/dumps
 ```
 
-See `ruborg.yml.example` for a complete configuration template.
+**Multi-repo benefits:**
+- Organize backups by type (documents, databases, media)
+- Different encryption keys per repository
+- Multiple sources per repository
+- Per-source exclude patterns
+- Repository-specific settings override global ones
 
 ## Usage
 
@@ -110,6 +172,7 @@ ruborg init /path/to/repository --passbolt-id "resource-uuid"
 
 ### Create a Backup
 
+**Single repository:**
 ```bash
 # Using default configuration (ruborg.yml)
 ruborg backup
@@ -124,6 +187,18 @@ ruborg backup --name "my-backup-2025-10-04"
 ruborg backup --remove-source
 ```
 
+**Multi-repository:**
+```bash
+# Backup specific repository
+ruborg backup --repository documents
+
+# Backup all repositories
+ruborg backup --all
+
+# Backup specific repository with custom name
+ruborg backup --repository databases --name "db-backup-2025-10-05"
+```
+
 ### List Archives
 
 ```bash
@@ -151,13 +226,23 @@ ruborg info
 
 ## Logging
 
-Ruborg automatically logs all operations to `~/.ruborg/logs/ruborg.log` with daily rotation. You can specify a custom log file:
+Ruborg automatically logs all operations with daily rotation. Log file location priority:
+
+1. **CLI option** (highest priority): `--log /path/to/custom.log`
+2. **Config file**: `log_file: /path/to/log.log`
+3. **Default**: `~/.ruborg/logs/ruborg.log`
+
+**Examples:**
 
 ```bash
-ruborg backup --log /path/to/custom.log
+# Use CLI option (overrides config)
+ruborg backup --log /var/log/ruborg.log
+
+# Or set in config file
+log_file: /var/log/ruborg.log
 ```
 
-Logs include:
+**Logs include:**
 - Operation start/completion timestamps
 - Paths being backed up
 - Archive names created
@@ -191,20 +276,68 @@ passbolt:
 
 Ruborg will automatically retrieve the passphrase when performing backup operations.
 
+## Auto-initialization
+
+Set `auto_init: true` in your configuration file to automatically initialize the repository on first use:
+
+```yaml
+repository: /path/to/borg/repository
+auto_init: true
+passbolt:
+  resource_id: "your-passbolt-resource-uuid"
+backup_paths:
+  - /path/to/backup
+```
+
+When enabled, ruborg will automatically run `borg init` if the repository doesn't exist when you run `backup`, `list`, or `info` commands. The passphrase will be retrieved from Passbolt if configured.
+
+## Security Configuration
+
+Ruborg provides configurable security options via `borg_options`:
+
+```yaml
+borg_options:
+  # Control whether to allow access to relocated repositories
+  # Set to false in production for enhanced security
+  allow_relocated_repo: true  # default: true
+
+  # Control whether to allow access to unencrypted repositories
+  # Set to false to enforce encryption
+  allow_unencrypted_repo: true  # default: true
+```
+
+**Security Features:**
+- **Repository Path Validation**: Prevents creation in system directories (`/bin`, `/etc`, `/usr`, etc.)
+- **Backup Path Validation**: Validates and normalizes all backup source paths
+- **Archive Name Sanitization**: Automatically sanitizes custom archive names
+- **Path Traversal Protection**: Prevents extraction to system directories
+- **Symlink Protection**: Resolves and validates symlinks before deletion with `--remove-source`
+- **Safe YAML Loading**: Uses `YAML.safe_load_file` to prevent code execution
+- **Command Injection Protection**: Uses safe command execution methods
+- **Log Path Validation**: Prevents writing logs to system directories
+
+See [SECURITY.md](SECURITY.md) for detailed security information and best practices.
+
 ## Command Reference
 
 | Command | Description | Options |
 |---------|-------------|---------|
 | `init REPOSITORY` | Initialize a new Borg repository | `--passphrase`, `--passbolt-id`, `--log` |
-| `backup` | Create a backup using config file | `--config`, `--name`, `--remove-source`, `--log` |
-| `list` | List all archives in repository | `--config`, `--log` |
-| `restore ARCHIVE` | Restore files from archive | `--config`, `--destination`, `--path`, `--log` |
-| `info` | Show repository information | `--config`, `--log` |
+| `backup` | Create a backup using config file | `--config`, `--name`, `--remove-source`, `--repository`, `--all`, `--log` |
+| `list` | List all archives in repository | `--config`, `--repository`, `--log` |
+| `restore ARCHIVE` | Restore files from archive | `--config`, `--destination`, `--path`, `--repository`, `--log` |
+| `info` | Show repository information | `--config`, `--repository`, `--log` |
 
 ### Global Options
 
 - `--config`: Path to configuration file (default: `ruborg.yml`)
-- `--log`: Path to log file (default: `~/.ruborg/logs/ruborg.log`)
+- `--log`: Path to log file (overrides config, default: `~/.ruborg/logs/ruborg.log`)
+- `--repository` / `-r`: Repository name (required for multi-repo configs)
+
+### Multi-Repository Options
+
+- `--all`: Backup all repositories (multi-repo config only)
+- `--repository NAME`: Target specific repository by name
 
 ## Development
 
@@ -244,6 +377,7 @@ The test suite includes:
 - Passbolt integration (mocked)
 - CLI commands
 - Logging functionality
+- Comprehensive security tests (path validation, sanitization, etc.)
 
 ## Contributing
 

data/SECURITY.md

@@ -0,0 +1,173 @@
+# Security Policy
+
+## Security Features
+
+Ruborg implements several security measures to protect your backup operations:
+
+### 1. Command Injection Prevention
+- Uses `Open3.capture3` for Passbolt CLI execution (no shell interpolation)
+- Array-based command construction for Borg commands
+- No user input directly interpolated into shell commands
+
+### 2. Path Traversal Protection
+- Validates all destination paths during restore operations
+- Prevents extraction to system directories (`/`, `/etc`, `/bin`, `/usr`, etc.)
+- Normalizes paths to prevent `../` traversal attacks
+
+### 3. Symlink Protection
+- Resolves symlinks before file deletion with `--remove-source`
+- Refuses to delete system directories even when targeted via symlinks
+- Uses `FileUtils.rm_rf` with `secure: true` option
+
+### 4. Safe YAML Loading
+- Uses `YAML.safe_load_file` to prevent arbitrary code execution
+- Rejects YAML files containing Ruby objects or other dangerous constructs
+- Only permits basic data types and Symbol class
+
+### 5. Log Path Validation
+- Validates log file paths to prevent writing to system directories
+- Automatically creates log directories with proper permissions
+- Rejects paths in `/bin`, `/etc`, `/usr`, and other sensitive locations
+
+### 6. Passphrase Handling
+- Passes passphrases via environment variables (never CLI arguments)
+- Prevents passphrase leakage in process listings
+- Uses Passbolt integration for secure password retrieval
+
+### 7. Repository Path Validation
+- Validates repository paths to prevent creation in system directories
+- Rejects empty or nil repository paths
+- Prevents accidental repository creation in `/bin`, `/etc`, `/usr`, etc.
+
+### 8. Backup Path Validation
+- Validates all backup source paths before creating archives
+- Rejects empty, nil, or whitespace-only paths
+- Normalizes relative paths to absolute paths for consistency
+
+### 9. Archive Name Sanitization
+- Sanitizes user-provided archive names to prevent injection attacks
+- Allows only alphanumeric characters, dashes, underscores, and dots
+- Rejects archive names that would become empty after sanitization
+
+### 10. Configurable Borg Environment Options
+- Allows control over relocated repository access via config
+- Allows control over unencrypted repository access via config
+- Defaults to safe settings while maintaining backward compatibility
+
+## Security Best Practices
+
+### When Using `--remove-source`
+⚠️ **Warning**: The `--remove-source` flag permanently deletes source files after backup.
+
+**Recommendations:**
+1. **Test first** without `--remove-source` to verify backups work
+2. **Never use on symlinks** to critical system directories
+3. **Verify backups** before using this flag in production
+4. **Use absolute paths** in configuration to avoid ambiguity
+
+### Configuration File Security
+- Store configuration files with restricted permissions: `chmod 600 ruborg.yml`
+- Never commit Passbolt resource IDs to public repositories
+- Use environment variables for sensitive paths when possible
+
+### Repository Security
+- Use encrypted repositories (default: `encryption: repokey`)
+- Store passphrases in Passbolt, not in config files
+- Use different encryption keys for different repository types
+- Regularly rotate Passbolt passphrases
+- Avoid creating repositories in system directories
+- Use absolute paths for repository locations
+
+### Multi-Repository Considerations
+- Each repository can have its own Passbolt resource ID
+- Validate all source paths before adding to configuration
+- Review exclude patterns to ensure no sensitive files leak
+
+### Archive Naming
+- Use default timestamp-based names when possible
+- If providing custom names, use only alphanumeric characters, dashes, and underscores
+- Avoid special characters or path separators in archive names
+
+### Borg Environment Options
+- Consider disabling `allow_relocated_repo` for production environments
+- Consider disabling `allow_unencrypted_repo` for sensitive data
+- Configure in `ruborg.yml`:
+```yaml
+borg_options:
+  allow_relocated_repo: false  # Reject relocated repositories
+  allow_unencrypted_repo: false  # Reject unencrypted repositories
+```
+
+## Reporting Security Issues
+
+If you discover a security vulnerability, please:
+
+1. **Do NOT** open a public issue
+2. Email security concerns to: mpantel@aegean.gr
+3. Include:
+   - Description of the vulnerability
+   - Steps to reproduce
+   - Potential impact
+   - Suggested fix (if any)
+
+We will respond within 48 hours and work with you to address the issue.
+
+## Security Audit History
+
+- **v0.3.1** (2025-10-05): Comprehensive security hardening
+  - Fixed command injection in Passbolt CLI execution (uses Open3.capture3)
+  - Added path traversal protection for extract operations
+  - Implemented symlink protection for file deletion with --remove-source
+  - Switched to safe YAML loading (YAML.safe_load_file)
+  - Added log path validation to prevent writing to system directories
+  - Added repository path validation to prevent creation in system directories
+  - Added backup path validation and normalization
+  - Implemented archive name sanitization
+  - Made Borg environment variables configurable
+  - Enhanced test coverage for all security features
+  - Created comprehensive SECURITY.md documentation
+
+- **v0.3.0** (2025-10-05): Multi-repository and auto-initialization features
+  - Added multi-repository configuration support
+  - Added auto-initialization feature
+  - Added configurable log file paths
+  - No security-specific changes in this version
+
+## Dependency Security
+
+Ruborg relies on:
+- **Borg Backup**: Industry-standard backup tool with strong encryption
+- **Passbolt CLI**: Secure password management
+- **Ruby stdlib**: No external gems for core functionality (only Thor for CLI)
+
+Keep dependencies updated:
+```bash
+# Update Borg
+brew upgrade borgbackup  # macOS
+sudo apt update && sudo apt upgrade borgbackup  # Ubuntu
+
+# Update Passbolt CLI
+# Follow https://github.com/passbolt/go-passbolt-cli
+
+# Update Ruby gems
+bundle update
+```
+
+## Security Checklist
+
+Before deploying ruborg in production:
+
+- [ ] Review all paths in configuration files
+- [ ] Set proper file permissions on config (600) and logs (640)
+- [ ] Use Passbolt for all passphrases (never hardcode)
+- [ ] Test restore operations before relying on backups
+- [ ] Never use `--remove-source` without thorough testing
+- [ ] Keep Borg and Passbolt CLI up to date
+- [ ] Review exclude patterns for sensitive data
+- [ ] Use absolute paths in configuration
+- [ ] Enable auto_init only for trusted repository locations
+- [ ] Regularly audit backup logs for anomalies
+- [ ] Validate repository paths are not in system directories
+- [ ] Configure borg_options for your security requirements
+- [ ] Use default archive names or sanitized custom names only
+- [ ] Ensure backup paths don't contain empty or nil values

data/lib/ruborg/backup.rb

@@ -28,8 +28,12 @@ module Ruborg
       # Change to destination directory if specified
       if destination != "."
         require "fileutils"
-        FileUtils.mkdir_p(destination) unless File.directory?(destination)
-        Dir.chdir(destination) do
+
+        # Validate and normalize destination path
+        validated_dest = validate_destination_path(destination)
+        FileUtils.mkdir_p(validated_dest) unless File.directory?(validated_dest)
+
+        Dir.chdir(validated_dest) do
           execute_borg_command(cmd)
         end
       else
@@ -57,7 +61,10 @@ module Ruborg
       end
 
       cmd << "#{@repository.path}::#{archive_name}"
-      cmd += @config.backup_paths
+
+      # Validate and normalize backup paths
+      validated_paths = validate_backup_paths(@config.backup_paths)
+      cmd += validated_paths
 
       cmd
     end
@@ -79,11 +86,53 @@ module Ruborg
       require "fileutils"
 
       @config.backup_paths.each do |path|
-        if File.directory?(path)
-          FileUtils.rm_rf(path)
-        elsif File.file?(path)
-          FileUtils.rm(path)
+        # Resolve symlinks and validate path
+        begin
+          real_path = File.realpath(path)
+        rescue Errno::ENOENT
+          # Path doesn't exist, skip
+          next
+        end
+
+        # Security check: ensure path hasn't been tampered with
+        unless File.exist?(real_path)
+          next
         end
+
+        # Additional safety: don't delete root or system directories
+        if real_path == "/" || real_path.start_with?("/bin", "/sbin", "/usr", "/etc", "/sys", "/proc")
+          raise BorgError, "Refusing to delete system path: #{real_path}"
+        end
+
+        if File.directory?(real_path)
+          FileUtils.rm_rf(real_path, secure: true)
+        elsif File.file?(real_path)
+          FileUtils.rm(real_path)
+        end
+      end
+    end
+
+    def validate_destination_path(destination)
+      # Expand and normalize the path
+      normalized_path = File.expand_path(destination)
+
+      # Security check: prevent path traversal to sensitive directories
+      forbidden_paths = ["/", "/bin", "/sbin", "/usr", "/etc", "/sys", "/proc", "/boot"]
+      forbidden_paths.each do |forbidden|
+        if normalized_path == forbidden || normalized_path.start_with?("#{forbidden}/")
+          raise BorgError, "Invalid destination: refusing to extract to system directory #{normalized_path}"
+        end
+      end
+
+      normalized_path
+    end
+
+    def validate_backup_paths(paths)
+      raise BorgError, "No backup paths specified" if paths.nil? || paths.empty?
+
+      paths.map do |path|
+        raise BorgError, "Empty backup path specified" if path.nil? || path.to_s.strip.empty?
+        File.expand_path(path)
       end
     end
   end

data/lib/ruborg/cli.rb

@@ -7,10 +7,25 @@ module Ruborg
   class CLI < Thor
     class_option :config, type: :string, default: "ruborg.yml", desc: "Path to configuration file"
     class_option :log, type: :string, desc: "Path to log file"
+    class_option :repository, type: :string, aliases: "-r", desc: "Repository name (for multi-repo configs)"
 
     def initialize(*args)
       super
-      @logger = RuborgLogger.new(log_file: options[:log])
+      # Priority: CLI option > config file > default
+      log_path = options[:log]
+      unless log_path
+        # Try to load config to get log_file setting
+        config_path = options[:config] || "ruborg.yml"
+        if File.exist?(config_path)
+          config_data = YAML.safe_load_file(config_path, permitted_classes: [Symbol], aliases: true) rescue {}
+          log_path = config_data["log_file"]
+        end
+      end
+
+      # Validate log path if provided
+      log_path = validate_log_path(log_path) if log_path
+
+      @logger = RuborgLogger.new(log_file: log_path)
     end
 
     desc "init REPOSITORY", "Initialize a new Borg repository"
@@ -31,26 +46,16 @@ module Ruborg
     desc "backup", "Create a backup using configuration file"
     option :name, type: :string, desc: "Archive name"
     option :remove_source, type: :boolean, default: false, desc: "Remove source files after successful backup"
+    option :all, type: :boolean, default: false, desc: "Backup all repositories (multi-repo config only)"
     def backup
       @logger.info("Starting backup operation with config: #{options[:config]}")
       config = Config.new(options[:config])
-      @logger.info("Backing up paths: #{config.backup_paths.join(', ')}")
-      passphrase = fetch_passphrase_from_config(config)
 
-      repo = Repository.new(config.repository, passphrase: passphrase)
-      backup = Backup.new(repo, config: config)
-
-      archive_name = options[:name] || Time.now.strftime("%Y-%m-%d_%H-%M-%S")
-      @logger.info("Creating archive: #{archive_name}")
-      backup.create(name: options[:name], remove_source: options[:remove_source])
-      @logger.info("Backup created successfully: #{archive_name}")
-
-      if options[:remove_source]
-        @logger.info("Removed source files: #{config.backup_paths.join(', ')}")
+      if config.multi_repo?
+        backup_multi_repo(config)
+      else
+        backup_single_repo(config)
       end
-
-      puts "Backup created successfully"
-      puts "Source files removed" if options[:remove_source]
     rescue Error => e
       @logger.error("Backup failed: #{e.message}")
       error_exit(e)
@@ -62,7 +67,15 @@ module Ruborg
       config = Config.new(options[:config])
       passphrase = fetch_passphrase_from_config(config)
 
-      repo = Repository.new(config.repository, passphrase: passphrase)
+      repo = Repository.new(config.repository, passphrase: passphrase, borg_options: config.borg_options)
+
+      # Auto-initialize repository if configured
+      if config.auto_init? && !repo.exists?
+        @logger.info("Auto-initializing repository at #{config.repository}")
+        repo.create
+        puts "Repository auto-initialized at #{config.repository}"
+      end
+
       repo.list
       @logger.info("Successfully listed archives")
     rescue Error => e
@@ -79,7 +92,7 @@ module Ruborg
       config = Config.new(options[:config])
       passphrase = fetch_passphrase_from_config(config)
 
-      repo = Repository.new(config.repository, passphrase: passphrase)
+      repo = Repository.new(config.repository, passphrase: passphrase, borg_options: config.borg_options)
       backup = Backup.new(repo, config: config)
 
       backup.extract(archive_name, destination: options[:destination], path: options[:path])
@@ -101,7 +114,15 @@ module Ruborg
       config = Config.new(options[:config])
       passphrase = fetch_passphrase_from_config(config)
 
-      repo = Repository.new(config.repository, passphrase: passphrase)
+      repo = Repository.new(config.repository, passphrase: passphrase, borg_options: config.borg_options)
+
+      # Auto-initialize repository if configured
+      if config.auto_init? && !repo.exists?
+        @logger.info("Auto-initializing repository at #{config.repository}")
+        repo.create
+        puts "Repository auto-initialized at #{config.repository}"
+      end
+
       repo.info
       @logger.info("Successfully retrieved repository information")
     rescue Error => e
@@ -129,5 +150,168 @@ module Ruborg
       puts "Error: #{error.message}"
       exit 1
     end
+
+    def validate_log_path(log_path)
+      # Expand to absolute path
+      normalized_path = File.expand_path(log_path)
+
+      # Prevent writing to sensitive system directories
+      forbidden_paths = ["/bin", "/sbin", "/usr/bin", "/usr/sbin", "/etc", "/sys", "/proc", "/boot"]
+      forbidden_paths.each do |forbidden|
+        if normalized_path.start_with?("#{forbidden}/")
+          raise ConfigError, "Invalid log path: refusing to write to system directory #{normalized_path}"
+        end
+      end
+
+      # Ensure parent directory exists or can be created
+      log_dir = File.dirname(normalized_path)
+      unless File.directory?(log_dir)
+        begin
+          FileUtils.mkdir_p(log_dir)
+        rescue => e
+          raise ConfigError, "Cannot create log directory #{log_dir}: #{e.message}"
+        end
+      end
+
+      normalized_path
+    end
+
+    # Single repository backup (legacy)
+    def backup_single_repo(config)
+      @logger.info("Backing up paths: #{config.backup_paths.join(', ')}")
+      passphrase = fetch_passphrase_from_config(config)
+
+      repo = Repository.new(config.repository, passphrase: passphrase, borg_options: config.borg_options)
+
+      # Auto-initialize repository if configured
+      if config.auto_init? && !repo.exists?
+        @logger.info("Auto-initializing repository at #{config.repository}")
+        repo.create
+        puts "Repository auto-initialized at #{config.repository}"
+      end
+
+      backup = Backup.new(repo, config: config)
+
+      archive_name = options[:name] ? sanitize_archive_name(options[:name]) : Time.now.strftime("%Y-%m-%d_%H-%M-%S")
+      @logger.info("Creating archive: #{archive_name}")
+      backup.create(name: archive_name, remove_source: options[:remove_source])
+      @logger.info("Backup created successfully: #{archive_name}")
+
+      if options[:remove_source]
+        @logger.info("Removed source files: #{config.backup_paths.join(', ')}")
+      end
+
+      puts "Backup created successfully"
+      puts "Source files removed" if options[:remove_source]
+    end
+
+    # Multi-repository backup
+    def backup_multi_repo(config)
+      global_settings = config.global_settings
+      repos_to_backup = if options[:all]
+                          config.repositories
+                        elsif options[:repository]
+                          repo_config = config.get_repository(options[:repository])
+                          raise ConfigError, "Repository '#{options[:repository]}' not found" unless repo_config
+                          [repo_config]
+                        else
+                          raise ConfigError, "Please specify --repository or --all for multi-repo config"
+                        end
+
+      repos_to_backup.each do |repo_config|
+        backup_repository(repo_config, global_settings)
+      end
+    end
+
+    def backup_repository(repo_config, global_settings)
+      repo_name = repo_config["name"]
+      puts "\n--- Backing up repository: #{repo_name} ---"
+      @logger.info("Backing up repository: #{repo_name}")
+
+      # Merge global settings with repo-specific settings (repo-specific takes precedence)
+      merged_config = global_settings.merge(repo_config)
+
+      passphrase = fetch_passphrase_for_repo(merged_config)
+      borg_opts = merged_config["borg_options"] || {}
+      repo = Repository.new(repo_config["path"], passphrase: passphrase, borg_options: borg_opts)
+
+      # Auto-initialize if configured
+      auto_init = merged_config["auto_init"] || false
+      if auto_init && !repo.exists?
+        @logger.info("Auto-initializing repository at #{repo_config['path']}")
+        repo.create
+        puts "Repository auto-initialized at #{repo_config['path']}"
+      end
+
+      # Create backup config wrapper
+      backup_config = BackupConfig.new(repo_config, merged_config)
+      backup = Backup.new(repo, config: backup_config)
+
+      archive_name = options[:name] ? sanitize_archive_name(options[:name]) : "#{repo_name}-#{Time.now.strftime('%Y-%m-%d_%H-%M-%S')}"
+      @logger.info("Creating archive: #{archive_name}")
+
+      sources = repo_config["sources"] || []
+      @logger.info("Backing up #{sources.size} source(s)")
+
+      backup.create(name: archive_name, remove_source: options[:remove_source])
+      @logger.info("Backup created successfully: #{archive_name}")
+
+      puts "✓ Backup created: #{archive_name}"
+      puts "  Sources removed" if options[:remove_source]
+    end
+
+    def fetch_passphrase_for_repo(repo_config)
+      passbolt_config = repo_config["passbolt"]
+      return nil if passbolt_config.nil? || passbolt_config.empty?
+
+      Passbolt.new(resource_id: passbolt_config["resource_id"]).get_password
+    end
+
+    def sanitize_archive_name(name)
+      raise ConfigError, "Archive name cannot be empty" if name.nil? || name.strip.empty?
+
+      # Check if name contains at least one valid character before sanitization
+      unless name =~ /[a-zA-Z0-9._-]/
+        raise ConfigError, "Invalid archive name: must contain at least one valid character (alphanumeric, dot, dash, or underscore)"
+      end
+
+      # Allow only alphanumeric, dash, underscore, and dot
+      sanitized = name.gsub(/[^a-zA-Z0-9._-]/, '_')
+
+      sanitized
+    end
+
+    # Wrapper class to adapt multi-repo config to existing Backup class
+    class BackupConfig
+      def initialize(repo_config, merged_settings)
+        @repo_config = repo_config
+        @merged_settings = merged_settings
+      end
+
+      def backup_paths
+        sources = @repo_config["sources"] || []
+        sources.flat_map do |source|
+          source["paths"] || []
+        end
+      end
+
+      def exclude_patterns
+        patterns = []
+        sources = @repo_config["sources"] || []
+        sources.each do |source|
+          patterns += (source["exclude"] || [])
+        end
+        patterns += (@merged_settings["exclude_patterns"] || [])
+        patterns.uniq
+      end
+
+      def compression
+        @merged_settings["compression"] || "lz4"
+      end
+
+      def encryption_mode
+        @merged_settings["encryption"] || "repokey"
+      end
+    end
   end
 end

data/lib/ruborg/config.rb

@@ -11,16 +11,20 @@ module Ruborg
     def initialize(config_path)
       @config_path = config_path
       load_config
+      detect_format
     end
 
     def load_config
       raise ConfigError, "Configuration file not found: #{@config_path}" unless File.exist?(@config_path)
 
-      @data = YAML.load_file(@config_path)
+      @data = YAML.safe_load_file(@config_path, permitted_classes: [Symbol], aliases: true)
     rescue Psych::SyntaxError => e
       raise ConfigError, "Invalid YAML syntax: #{e.message}"
+    rescue Psych::DisallowedClass => e
+      raise ConfigError, "Invalid YAML content: #{e.message}"
     end
 
+    # Legacy single-repo accessors (for backward compatibility)
     def repository
       @data["repository"]
     end
@@ -30,19 +34,98 @@ module Ruborg
     end
 
     def exclude_patterns
-      @data["exclude_patterns"] || []
+      patterns = @data["exclude_patterns"] || []
+      validate_exclude_patterns(patterns)
     end
 
     def compression
-      @data["compression"] || "lz4"
+      value = @data["compression"] || "lz4"
+      validate_compression(value)
     end
 
     def encryption_mode
-      @data["encryption"] || "repokey"
+      value = @data["encryption"] || "repokey"
+      validate_encryption(value)
     end
 
     def passbolt_integration
       @data["passbolt"] || {}
     end
+
+    def auto_init?
+      @data["auto_init"] || false
+    end
+
+    def log_file
+      @data["log_file"]
+    end
+
+    def borg_options
+      @data["borg_options"] || {}
+    end
+
+    # New multi-repo support
+    def multi_repo?
+      @multi_repo
+    end
+
+    def repositories
+      return [] unless multi_repo?
+      @data["repositories"] || []
+    end
+
+    def get_repository(name)
+      return nil unless multi_repo?
+      repositories.find { |r| r["name"] == name }
+    end
+
+    def repository_names
+      return [] unless multi_repo?
+      repositories.map { |r| r["name"] }
+    end
+
+    def global_settings
+      @data.slice("passbolt", "compression", "encryption", "auto_init")
+    end
+
+    private
+
+    VALID_COMPRESSION = ["lz4", "zstd", "zlib", "lzma", "none"].freeze
+    VALID_ENCRYPTION = ["repokey", "keyfile", "none", "authenticated", "repokey-blake2",
+                        "keyfile-blake2", "authenticated-blake2"].freeze
+
+    def detect_format
+      @multi_repo = @data.key?("repositories")
+    end
+
+    def validate_compression(compression)
+      unless VALID_COMPRESSION.include?(compression)
+        raise ConfigError, "Invalid compression '#{compression}'. Must be one of: #{VALID_COMPRESSION.join(', ')}"
+      end
+      compression
+    end
+
+    def validate_encryption(encryption)
+      unless VALID_ENCRYPTION.include?(encryption)
+        raise ConfigError, "Invalid encryption mode '#{encryption}'. Must be one of: #{VALID_ENCRYPTION.join(', ')}"
+      end
+      encryption
+    end
+
+    def validate_exclude_patterns(patterns)
+      return patterns if patterns.empty?
+
+      patterns.each do |pattern|
+        if pattern.nil? || pattern.to_s.strip.empty?
+          raise ConfigError, "Exclude pattern cannot be empty or nil"
+        end
+
+        if pattern.length > 1000
+          raise ConfigError, "Exclude pattern too long (max 1000 characters): #{pattern[0..50]}..."
+        end
+      end
+
+      patterns
+    end
   end
 end

data/lib/ruborg/logger.rb

@@ -10,7 +10,7 @@ module Ruborg
 
     def initialize(log_file: nil)
       @log_file = log_file || default_log_file
-      ensure_log_directory
+      validate_and_ensure_log_directory
       @logger = Logger.new(@log_file, "daily")
       @logger.level = Logger::INFO
       @logger.formatter = proc do |severity, datetime, progname, msg|
@@ -45,8 +45,21 @@ module Ruborg
       dir
     end
 
-    def ensure_log_directory
-      FileUtils.mkdir_p(File.dirname(@log_file)) unless File.directory?(File.dirname(@log_file))
+    def validate_and_ensure_log_directory
+      # Validate log file path for security
+      normalized_path = File.expand_path(@log_file)
+
+      # Prevent writing to sensitive system directories
+      forbidden_paths = ["/bin", "/sbin", "/usr/bin", "/usr/sbin", "/etc", "/sys", "/proc", "/boot"]
+      forbidden_paths.each do |forbidden|
+        if normalized_path.start_with?("#{forbidden}/")
+          raise ConfigError, "Invalid log path: refusing to write to system directory #{normalized_path}"
+        end
+      end
+
+      # Ensure log directory exists
+      log_dir = File.dirname(normalized_path)
+      FileUtils.mkdir_p(log_dir) unless File.directory?(log_dir)
     end
   end
 end

data/lib/ruborg/passbolt.rb

@@ -30,8 +30,9 @@ module Ruborg
     end
 
     def execute_command(cmd)
-      output = `#{cmd.join(' ')}`
-      [output, $?.success?]
+      require "open3"
+      stdout, stderr, status = Open3.capture3(*cmd)
+      [stdout, status.success?]
     end
 
     def parse_password(json_output)

data/lib/ruborg/repository.rb

@@ -5,9 +5,10 @@ module Ruborg
   class Repository
     attr_reader :path
 
-    def initialize(path, passphrase: nil)
-      @path = path
+    def initialize(path, passphrase: nil, borg_options: {})
+      @path = validate_repo_path(path)
       @passphrase = passphrase
+      @borg_options = borg_options
     end
 
     def exists?
@@ -37,11 +38,32 @@ module Ruborg
 
     private
 
+    def validate_repo_path(path)
+      raise BorgError, "Repository path cannot be empty" if path.nil? || path.empty?
+
+      normalized = File.expand_path(path)
+
+      # Prevent repository creation in critical system directories
+      forbidden = ["/bin", "/sbin", "/usr/bin", "/usr/sbin", "/etc", "/sys", "/proc", "/boot", "/dev"]
+      forbidden.each do |forbidden_path|
+        if normalized == forbidden_path || normalized.start_with?("#{forbidden_path}/")
+          raise BorgError, "Invalid repository path: refusing to use system directory #{normalized}"
+        end
+      end
+
+      normalized
+    end
+
     def execute_borg_command(cmd)
       env = {}
       env["BORG_PASSPHRASE"] = @passphrase if @passphrase
-      env["BORG_RELOCATED_REPO_ACCESS_IS_OK"] = "yes"
-      env["BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK"] = "yes"
+
+      # Apply Borg environment options from config (defaults to yes for backward compatibility)
+      allow_relocated = @borg_options.fetch("allow_relocated_repo", true)
+      allow_unencrypted = @borg_options.fetch("allow_unencrypted_repo", true)
+
+      env["BORG_RELOCATED_REPO_ACCESS_IS_OK"] = allow_relocated ? "yes" : "no"
+      env["BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK"] = allow_unencrypted ? "yes" : "no"
 
       # Redirect stdin from /dev/null to prevent interactive prompts
       result = system(env, *cmd, in: "/dev/null")

data/lib/ruborg/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Ruborg
-  VERSION = "0.2.0"
+  VERSION = "0.3.1"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ruborg
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.1
 platform: ruby
 authors:
 - Michail Pantelelis
@@ -110,6 +110,7 @@ files:
 - LICENSE
 - README.md
 - Rakefile
+- SECURITY.md
 - exe/ruborg
 - lib/ruborg.rb
 - lib/ruborg/backup.rb