ruborg 0.3.0 → 0.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b3dfe277e22cf29ef1132f479b8e8a969e87c69b383529b7f05eb7238ac5ea07
-  data.tar.gz: fcf98cabcd5f4636fc513e69e3b446747c9ca2f054f6480f4da60416ec865f0d
+  metadata.gz: 0bb6c1c5f47b1fbb4538310a929914b0e744bcdb30d5e5635c4246df778e2113
+  data.tar.gz: bda5cf063fe587a047dd36fa9c5e948d8130e47501a53eabef9c34a3af7ae361
 SHA512:
-  metadata.gz: 159296240a1cec2e7791edb3689bf032569d8c1f4fda0ac5c1522e92076fec8c719dba3117326c9fcb9e074ffa295ed71a75b500657625d1ce71fab391b441c2
-  data.tar.gz: f6385fa1ff56520719b1f8b3985931b4083b3139889b34ed4d1dcb5d449eec8ba98e96f030988cf03cdcb5744f47255ef3b7a605e7bb040d6b1f2c0446ab3b81
+  metadata.gz: 8828dacb76519557d51876327133491318bd199e589fb695d08a94af1a73a3c34772f022b6630e199a2c1ab9ab7d78dcce043a402bfa0f418ae51262aad80e8f
+  data.tar.gz: 99b7e79eb2e50240862f7ade79291d9a76469385f2b7e8949df8e6ac3251f9adcbe2f605e42c09364616c028f10575593c3e0a1df1d020bcf8fc7291a9cdb558

data/CHANGELOG.md

@@ -7,6 +7,32 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.3.1] - 2025-10-05
+
+### Added
+- `borg_options` configuration for controlling Borg environment variables
+- Repository path validation to prevent creation in system directories
+- Backup path validation and normalization
+- Archive name sanitization (alphanumeric, dash, underscore, dot only)
+
+### Changed
+- Borg environment variables now configurable via `borg_options` (backward compatible)
+- All backup paths are now normalized to absolute paths
+- Custom archive names are automatically sanitized
+
+### Security
+- Fixed command injection vulnerability in Passbolt CLI execution (now uses Open3.capture3)
+- Added path traversal protection for extract operations
+- Implemented symlink resolution and system path protection for --remove-source
+- Changed to YAML.safe_load_file to prevent arbitrary code execution
+- Added log path validation to prevent writing to system directories
+- Added repository path validation (prevents /bin, /etc, /usr, etc.)
+- Added backup path validation (rejects empty/nil paths)
+- Added archive name sanitization (prevents injection attacks)
+- Made Borg environment options configurable for enhanced security
+- Added SECURITY.md with comprehensive security guidelines and best practices
+- Enhanced test coverage for all security features
+
 ## [0.3.0] - 2025-10-05
 
 ### Added

data/README.md

@@ -18,6 +18,7 @@ A friendly Ruby frontend for [Borg Backup](https://www.borgbackup.org/). Ruborg
 - 🗄️ **Multi-Repository** - Manage multiple backup repositories with different sources
 - 🔄 **Auto-initialization** - Automatically initialize repositories on first use
 - ✅ **Well-tested** - Comprehensive test suite with RSpec
+- 🔒 **Security-focused** - Path validation, safe YAML loading, command injection protection
 
 ## Prerequisites
 
@@ -98,6 +99,11 @@ auto_init: true
 
 # Log file path (optional, default: ~/.ruborg/logs/ruborg.log)
 log_file: /var/log/ruborg.log
+
+# Borg environment options (optional)
+borg_options:
+  allow_relocated_repo: true  # Allow relocated repositories (default: true)
+  allow_unencrypted_repo: true  # Allow unencrypted repositories (default: true)
 ```
 
 ### Multi-Repository Configuration
@@ -111,6 +117,9 @@ encryption: repokey
 auto_init: true
 passbolt:
   resource_id: "global-passbolt-id"
+borg_options:
+  allow_relocated_repo: false
+  allow_unencrypted_repo: false
 
 # Multiple repositories
 repositories:
@@ -282,6 +291,33 @@ backup_paths:
 
 When enabled, ruborg will automatically run `borg init` if the repository doesn't exist when you run `backup`, `list`, or `info` commands. The passphrase will be retrieved from Passbolt if configured.
 
+## Security Configuration
+
+Ruborg provides configurable security options via `borg_options`:
+
+```yaml
+borg_options:
+  # Control whether to allow access to relocated repositories
+  # Set to false in production for enhanced security
+  allow_relocated_repo: true  # default: true
+
+  # Control whether to allow access to unencrypted repositories
+  # Set to false to enforce encryption
+  allow_unencrypted_repo: true  # default: true
+```
+
+**Security Features:**
+- **Repository Path Validation**: Prevents creation in system directories (`/bin`, `/etc`, `/usr`, etc.)
+- **Backup Path Validation**: Validates and normalizes all backup source paths
+- **Archive Name Sanitization**: Automatically sanitizes custom archive names
+- **Path Traversal Protection**: Prevents extraction to system directories
+- **Symlink Protection**: Resolves and validates symlinks before deletion with `--remove-source`
+- **Safe YAML Loading**: Uses `YAML.safe_load_file` to prevent code execution
+- **Command Injection Protection**: Uses safe command execution methods
+- **Log Path Validation**: Prevents writing logs to system directories
+
+See [SECURITY.md](SECURITY.md) for detailed security information and best practices.
+
 ## Command Reference
 
 | Command | Description | Options |
@@ -341,6 +377,7 @@ The test suite includes:
 - Passbolt integration (mocked)
 - CLI commands
 - Logging functionality
+- Comprehensive security tests (path validation, sanitization, etc.)
 
 ## Contributing
 

data/SECURITY.md

@@ -0,0 +1,173 @@
+# Security Policy
+
+## Security Features
+
+Ruborg implements several security measures to protect your backup operations:
+
+### 1. Command Injection Prevention
+- Uses `Open3.capture3` for Passbolt CLI execution (no shell interpolation)
+- Array-based command construction for Borg commands
+- No user input directly interpolated into shell commands
+
+### 2. Path Traversal Protection
+- Validates all destination paths during restore operations
+- Prevents extraction to system directories (`/`, `/etc`, `/bin`, `/usr`, etc.)
+- Normalizes paths to prevent `../` traversal attacks
+
+### 3. Symlink Protection
+- Resolves symlinks before file deletion with `--remove-source`
+- Refuses to delete system directories even when targeted via symlinks
+- Uses `FileUtils.rm_rf` with `secure: true` option
+
+### 4. Safe YAML Loading
+- Uses `YAML.safe_load_file` to prevent arbitrary code execution
+- Rejects YAML files containing Ruby objects or other dangerous constructs
+- Only permits basic data types and Symbol class
+
+### 5. Log Path Validation
+- Validates log file paths to prevent writing to system directories
+- Automatically creates log directories with proper permissions
+- Rejects paths in `/bin`, `/etc`, `/usr`, and other sensitive locations
+
+### 6. Passphrase Handling
+- Passes passphrases via environment variables (never CLI arguments)
+- Prevents passphrase leakage in process listings
+- Uses Passbolt integration for secure password retrieval
+
+### 7. Repository Path Validation
+- Validates repository paths to prevent creation in system directories
+- Rejects empty or nil repository paths
+- Prevents accidental repository creation in `/bin`, `/etc`, `/usr`, etc.
+
+### 8. Backup Path Validation
+- Validates all backup source paths before creating archives
+- Rejects empty, nil, or whitespace-only paths
+- Normalizes relative paths to absolute paths for consistency
+
+### 9. Archive Name Sanitization
+- Sanitizes user-provided archive names to prevent injection attacks
+- Allows only alphanumeric characters, dashes, underscores, and dots
+- Rejects archive names that would become empty after sanitization
+
+### 10. Configurable Borg Environment Options
+- Allows control over relocated repository access via config
+- Allows control over unencrypted repository access via config
+- Defaults to safe settings while maintaining backward compatibility
+
+## Security Best Practices
+
+### When Using `--remove-source`
+⚠️ **Warning**: The `--remove-source` flag permanently deletes source files after backup.
+
+**Recommendations:**
+1. **Test first** without `--remove-source` to verify backups work
+2. **Never use on symlinks** to critical system directories
+3. **Verify backups** before using this flag in production
+4. **Use absolute paths** in configuration to avoid ambiguity
+
+### Configuration File Security
+- Store configuration files with restricted permissions: `chmod 600 ruborg.yml`
+- Never commit Passbolt resource IDs to public repositories
+- Use environment variables for sensitive paths when possible
+
+### Repository Security
+- Use encrypted repositories (default: `encryption: repokey`)
+- Store passphrases in Passbolt, not in config files
+- Use different encryption keys for different repository types
+- Regularly rotate Passbolt passphrases
+- Avoid creating repositories in system directories
+- Use absolute paths for repository locations
+
+### Multi-Repository Considerations
+- Each repository can have its own Passbolt resource ID
+- Validate all source paths before adding to configuration
+- Review exclude patterns to ensure no sensitive files leak
+
+### Archive Naming
+- Use default timestamp-based names when possible
+- If providing custom names, use only alphanumeric characters, dashes, and underscores
+- Avoid special characters or path separators in archive names
+
+### Borg Environment Options
+- Consider disabling `allow_relocated_repo` for production environments
+- Consider disabling `allow_unencrypted_repo` for sensitive data
+- Configure in `ruborg.yml`:
+```yaml
+borg_options:
+  allow_relocated_repo: false  # Reject relocated repositories
+  allow_unencrypted_repo: false  # Reject unencrypted repositories
+```
+
+## Reporting Security Issues
+
+If you discover a security vulnerability, please:
+
+1. **Do NOT** open a public issue
+2. Email security concerns to: mpantel@aegean.gr
+3. Include:
+   - Description of the vulnerability
+   - Steps to reproduce
+   - Potential impact
+   - Suggested fix (if any)
+
+We will respond within 48 hours and work with you to address the issue.
+
+## Security Audit History
+
+- **v0.3.1** (2025-10-05): Comprehensive security hardening
+  - Fixed command injection in Passbolt CLI execution (uses Open3.capture3)
+  - Added path traversal protection for extract operations
+  - Implemented symlink protection for file deletion with --remove-source
+  - Switched to safe YAML loading (YAML.safe_load_file)
+  - Added log path validation to prevent writing to system directories
+  - Added repository path validation to prevent creation in system directories
+  - Added backup path validation and normalization
+  - Implemented archive name sanitization
+  - Made Borg environment variables configurable
+  - Enhanced test coverage for all security features
+  - Created comprehensive SECURITY.md documentation
+
+- **v0.3.0** (2025-10-05): Multi-repository and auto-initialization features
+  - Added multi-repository configuration support
+  - Added auto-initialization feature
+  - Added configurable log file paths
+  - No security-specific changes in this version
+
+## Dependency Security
+
+Ruborg relies on:
+- **Borg Backup**: Industry-standard backup tool with strong encryption
+- **Passbolt CLI**: Secure password management
+- **Ruby stdlib**: No external gems for core functionality (only Thor for CLI)
+
+Keep dependencies updated:
+```bash
+# Update Borg
+brew upgrade borgbackup  # macOS
+sudo apt update && sudo apt upgrade borgbackup  # Ubuntu
+
+# Update Passbolt CLI
+# Follow https://github.com/passbolt/go-passbolt-cli
+
+# Update Ruby gems
+bundle update
+```
+
+## Security Checklist
+
+Before deploying ruborg in production:
+
+- [ ] Review all paths in configuration files
+- [ ] Set proper file permissions on config (600) and logs (640)
+- [ ] Use Passbolt for all passphrases (never hardcode)
+- [ ] Test restore operations before relying on backups
+- [ ] Never use `--remove-source` without thorough testing
+- [ ] Keep Borg and Passbolt CLI up to date
+- [ ] Review exclude patterns for sensitive data
+- [ ] Use absolute paths in configuration
+- [ ] Enable auto_init only for trusted repository locations
+- [ ] Regularly audit backup logs for anomalies
+- [ ] Validate repository paths are not in system directories
+- [ ] Configure borg_options for your security requirements
+- [ ] Use default archive names or sanitized custom names only
+- [ ] Ensure backup paths don't contain empty or nil values

data/lib/ruborg/backup.rb

@@ -28,8 +28,12 @@ module Ruborg
       # Change to destination directory if specified
       if destination != "."
         require "fileutils"
-        FileUtils.mkdir_p(destination) unless File.directory?(destination)
-        Dir.chdir(destination) do
+
+        # Validate and normalize destination path
+        validated_dest = validate_destination_path(destination)
+        FileUtils.mkdir_p(validated_dest) unless File.directory?(validated_dest)
+
+        Dir.chdir(validated_dest) do
           execute_borg_command(cmd)
         end
       else
@@ -57,7 +61,10 @@ module Ruborg
       end
 
       cmd << "#{@repository.path}::#{archive_name}"
-      cmd += @config.backup_paths
+
+      # Validate and normalize backup paths
+      validated_paths = validate_backup_paths(@config.backup_paths)
+      cmd += validated_paths
 
       cmd
     end
@@ -79,11 +86,53 @@ module Ruborg
       require "fileutils"
 
       @config.backup_paths.each do |path|
-        if File.directory?(path)
-          FileUtils.rm_rf(path)
-        elsif File.file?(path)
-          FileUtils.rm(path)
+        # Resolve symlinks and validate path
+        begin
+          real_path = File.realpath(path)
+        rescue Errno::ENOENT
+          # Path doesn't exist, skip
+          next
+        end
+
+        # Security check: ensure path hasn't been tampered with
+        unless File.exist?(real_path)
+          next
         end
+
+        # Additional safety: don't delete root or system directories
+        if real_path == "/" || real_path.start_with?("/bin", "/sbin", "/usr", "/etc", "/sys", "/proc")
+          raise BorgError, "Refusing to delete system path: #{real_path}"
+        end
+
+        if File.directory?(real_path)
+          FileUtils.rm_rf(real_path, secure: true)
+        elsif File.file?(real_path)
+          FileUtils.rm(real_path)
+        end
+      end
+    end
+
+    def validate_destination_path(destination)
+      # Expand and normalize the path
+      normalized_path = File.expand_path(destination)
+
+      # Security check: prevent path traversal to sensitive directories
+      forbidden_paths = ["/", "/bin", "/sbin", "/usr", "/etc", "/sys", "/proc", "/boot"]
+      forbidden_paths.each do |forbidden|
+        if normalized_path == forbidden || normalized_path.start_with?("#{forbidden}/")
+          raise BorgError, "Invalid destination: refusing to extract to system directory #{normalized_path}"
+        end
+      end
+
+      normalized_path
+    end
+
+    def validate_backup_paths(paths)
+      raise BorgError, "No backup paths specified" if paths.nil? || paths.empty?
+
+      paths.map do |path|
+        raise BorgError, "Empty backup path specified" if path.nil? || path.to_s.strip.empty?
+        File.expand_path(path)
       end
     end
   end

data/lib/ruborg/cli.rb

@@ -17,10 +17,14 @@ module Ruborg
         # Try to load config to get log_file setting
         config_path = options[:config] || "ruborg.yml"
         if File.exist?(config_path)
-          config_data = YAML.load_file(config_path) rescue {}
+          config_data = YAML.safe_load_file(config_path, permitted_classes: [Symbol], aliases: true) rescue {}
           log_path = config_data["log_file"]
         end
       end
+
+      # Validate log path if provided
+      log_path = validate_log_path(log_path) if log_path
+
       @logger = RuborgLogger.new(log_file: log_path)
     end
 
@@ -63,7 +67,7 @@ module Ruborg
       config = Config.new(options[:config])
       passphrase = fetch_passphrase_from_config(config)
 
-      repo = Repository.new(config.repository, passphrase: passphrase)
+      repo = Repository.new(config.repository, passphrase: passphrase, borg_options: config.borg_options)
 
       # Auto-initialize repository if configured
       if config.auto_init? && !repo.exists?
@@ -88,7 +92,7 @@ module Ruborg
       config = Config.new(options[:config])
       passphrase = fetch_passphrase_from_config(config)
 
-      repo = Repository.new(config.repository, passphrase: passphrase)
+      repo = Repository.new(config.repository, passphrase: passphrase, borg_options: config.borg_options)
       backup = Backup.new(repo, config: config)
 
       backup.extract(archive_name, destination: options[:destination], path: options[:path])
@@ -110,7 +114,7 @@ module Ruborg
       config = Config.new(options[:config])
       passphrase = fetch_passphrase_from_config(config)
 
-      repo = Repository.new(config.repository, passphrase: passphrase)
+      repo = Repository.new(config.repository, passphrase: passphrase, borg_options: config.borg_options)
 
       # Auto-initialize repository if configured
       if config.auto_init? && !repo.exists?
@@ -147,12 +151,37 @@ module Ruborg
       exit 1
     end
 
+    def validate_log_path(log_path)
+      # Expand to absolute path
+      normalized_path = File.expand_path(log_path)
+
+      # Prevent writing to sensitive system directories
+      forbidden_paths = ["/bin", "/sbin", "/usr/bin", "/usr/sbin", "/etc", "/sys", "/proc", "/boot"]
+      forbidden_paths.each do |forbidden|
+        if normalized_path.start_with?("#{forbidden}/")
+          raise ConfigError, "Invalid log path: refusing to write to system directory #{normalized_path}"
+        end
+      end
+
+      # Ensure parent directory exists or can be created
+      log_dir = File.dirname(normalized_path)
+      unless File.directory?(log_dir)
+        begin
+          FileUtils.mkdir_p(log_dir)
+        rescue => e
+          raise ConfigError, "Cannot create log directory #{log_dir}: #{e.message}"
+        end
+      end
+
+      normalized_path
+    end
+
     # Single repository backup (legacy)
     def backup_single_repo(config)
       @logger.info("Backing up paths: #{config.backup_paths.join(', ')}")
       passphrase = fetch_passphrase_from_config(config)
 
-      repo = Repository.new(config.repository, passphrase: passphrase)
+      repo = Repository.new(config.repository, passphrase: passphrase, borg_options: config.borg_options)
 
       # Auto-initialize repository if configured
       if config.auto_init? && !repo.exists?
@@ -163,9 +192,9 @@ module Ruborg
 
       backup = Backup.new(repo, config: config)
 
-      archive_name = options[:name] || Time.now.strftime("%Y-%m-%d_%H-%M-%S")
+      archive_name = options[:name] ? sanitize_archive_name(options[:name]) : Time.now.strftime("%Y-%m-%d_%H-%M-%S")
       @logger.info("Creating archive: #{archive_name}")
-      backup.create(name: options[:name], remove_source: options[:remove_source])
+      backup.create(name: archive_name, remove_source: options[:remove_source])
       @logger.info("Backup created successfully: #{archive_name}")
 
       if options[:remove_source]
@@ -203,7 +232,8 @@ module Ruborg
       merged_config = global_settings.merge(repo_config)
 
       passphrase = fetch_passphrase_for_repo(merged_config)
-      repo = Repository.new(repo_config["path"], passphrase: passphrase)
+      borg_opts = merged_config["borg_options"] || {}
+      repo = Repository.new(repo_config["path"], passphrase: passphrase, borg_options: borg_opts)
 
       # Auto-initialize if configured
       auto_init = merged_config["auto_init"] || false
@@ -217,7 +247,7 @@ module Ruborg
       backup_config = BackupConfig.new(repo_config, merged_config)
       backup = Backup.new(repo, config: backup_config)
 
-      archive_name = options[:name] || "#{repo_name}-#{Time.now.strftime('%Y-%m-%d_%H-%M-%S')}"
+      archive_name = options[:name] ? sanitize_archive_name(options[:name]) : "#{repo_name}-#{Time.now.strftime('%Y-%m-%d_%H-%M-%S')}"
       @logger.info("Creating archive: #{archive_name}")
 
       sources = repo_config["sources"] || []
@@ -237,6 +267,20 @@ module Ruborg
       Passbolt.new(resource_id: passbolt_config["resource_id"]).get_password
     end
 
+    def sanitize_archive_name(name)
+      raise ConfigError, "Archive name cannot be empty" if name.nil? || name.strip.empty?
+
+      # Check if name contains at least one valid character before sanitization
+      unless name =~ /[a-zA-Z0-9._-]/
+        raise ConfigError, "Invalid archive name: must contain at least one valid character (alphanumeric, dot, dash, or underscore)"
+      end
+
+      # Allow only alphanumeric, dash, underscore, and dot
+      sanitized = name.gsub(/[^a-zA-Z0-9._-]/, '_')
+
+      sanitized
+    end
+
     # Wrapper class to adapt multi-repo config to existing Backup class
     class BackupConfig
       def initialize(repo_config, merged_settings)

data/lib/ruborg/config.rb

@@ -17,9 +17,11 @@ module Ruborg
     def load_config
       raise ConfigError, "Configuration file not found: #{@config_path}" unless File.exist?(@config_path)
 
-      @data = YAML.load_file(@config_path)
+      @data = YAML.safe_load_file(@config_path, permitted_classes: [Symbol], aliases: true)
     rescue Psych::SyntaxError => e
       raise ConfigError, "Invalid YAML syntax: #{e.message}"
+    rescue Psych::DisallowedClass => e
+      raise ConfigError, "Invalid YAML content: #{e.message}"
     end
 
     # Legacy single-repo accessors (for backward compatibility)
@@ -32,15 +34,18 @@ module Ruborg
     end
 
     def exclude_patterns
-      @data["exclude_patterns"] || []
+      patterns = @data["exclude_patterns"] || []
+      validate_exclude_patterns(patterns)
     end
 
     def compression
-      @data["compression"] || "lz4"
+      value = @data["compression"] || "lz4"
+      validate_compression(value)
     end
 
     def encryption_mode
-      @data["encryption"] || "repokey"
+      value = @data["encryption"] || "repokey"
+      validate_encryption(value)
     end
 
     def passbolt_integration
@@ -55,6 +60,10 @@ module Ruborg
       @data["log_file"]
     end
 
+    def borg_options
+      @data["borg_options"] || {}
+    end
+
     # New multi-repo support
     def multi_repo?
       @multi_repo
@@ -81,8 +90,42 @@ module Ruborg
 
     private
 
+    VALID_COMPRESSION = ["lz4", "zstd", "zlib", "lzma", "none"].freeze
+    VALID_ENCRYPTION = ["repokey", "keyfile", "none", "authenticated", "repokey-blake2",
+                        "keyfile-blake2", "authenticated-blake2"].freeze
+
     def detect_format
       @multi_repo = @data.key?("repositories")
     end
+
+    def validate_compression(compression)
+      unless VALID_COMPRESSION.include?(compression)
+        raise ConfigError, "Invalid compression '#{compression}'. Must be one of: #{VALID_COMPRESSION.join(', ')}"
+      end
+      compression
+    end
+
+    def validate_encryption(encryption)
+      unless VALID_ENCRYPTION.include?(encryption)
+        raise ConfigError, "Invalid encryption mode '#{encryption}'. Must be one of: #{VALID_ENCRYPTION.join(', ')}"
+      end
+      encryption
+    end
+
+    def validate_exclude_patterns(patterns)
+      return patterns if patterns.empty?
+
+      patterns.each do |pattern|
+        if pattern.nil? || pattern.to_s.strip.empty?
+          raise ConfigError, "Exclude pattern cannot be empty or nil"
+        end
+
+        if pattern.length > 1000
+          raise ConfigError, "Exclude pattern too long (max 1000 characters): #{pattern[0..50]}..."
+        end
+      end
+
+      patterns
+    end
   end
 end

data/lib/ruborg/logger.rb

@@ -10,7 +10,7 @@ module Ruborg
 
     def initialize(log_file: nil)
       @log_file = log_file || default_log_file
-      ensure_log_directory
+      validate_and_ensure_log_directory
       @logger = Logger.new(@log_file, "daily")
       @logger.level = Logger::INFO
       @logger.formatter = proc do |severity, datetime, progname, msg|
@@ -45,8 +45,21 @@ module Ruborg
       dir
     end
 
-    def ensure_log_directory
-      FileUtils.mkdir_p(File.dirname(@log_file)) unless File.directory?(File.dirname(@log_file))
+    def validate_and_ensure_log_directory
+      # Validate log file path for security
+      normalized_path = File.expand_path(@log_file)
+
+      # Prevent writing to sensitive system directories
+      forbidden_paths = ["/bin", "/sbin", "/usr/bin", "/usr/sbin", "/etc", "/sys", "/proc", "/boot"]
+      forbidden_paths.each do |forbidden|
+        if normalized_path.start_with?("#{forbidden}/")
+          raise ConfigError, "Invalid log path: refusing to write to system directory #{normalized_path}"
+        end
+      end
+
+      # Ensure log directory exists
+      log_dir = File.dirname(normalized_path)
+      FileUtils.mkdir_p(log_dir) unless File.directory?(log_dir)
     end
   end
 end

data/lib/ruborg/passbolt.rb

@@ -30,8 +30,9 @@ module Ruborg
     end
 
     def execute_command(cmd)
-      output = `#{cmd.join(' ')}`
-      [output, $?.success?]
+      require "open3"
+      stdout, stderr, status = Open3.capture3(*cmd)
+      [stdout, status.success?]
     end
 
     def parse_password(json_output)

data/lib/ruborg/repository.rb

@@ -5,9 +5,10 @@ module Ruborg
   class Repository
     attr_reader :path
 
-    def initialize(path, passphrase: nil)
-      @path = path
+    def initialize(path, passphrase: nil, borg_options: {})
+      @path = validate_repo_path(path)
       @passphrase = passphrase
+      @borg_options = borg_options
     end
 
     def exists?
@@ -37,11 +38,32 @@ module Ruborg
 
     private
 
+    def validate_repo_path(path)
+      raise BorgError, "Repository path cannot be empty" if path.nil? || path.empty?
+
+      normalized = File.expand_path(path)
+
+      # Prevent repository creation in critical system directories
+      forbidden = ["/bin", "/sbin", "/usr/bin", "/usr/sbin", "/etc", "/sys", "/proc", "/boot", "/dev"]
+      forbidden.each do |forbidden_path|
+        if normalized == forbidden_path || normalized.start_with?("#{forbidden_path}/")
+          raise BorgError, "Invalid repository path: refusing to use system directory #{normalized}"
+        end
+      end
+
+      normalized
+    end
+
     def execute_borg_command(cmd)
       env = {}
       env["BORG_PASSPHRASE"] = @passphrase if @passphrase
-      env["BORG_RELOCATED_REPO_ACCESS_IS_OK"] = "yes"
-      env["BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK"] = "yes"
+
+      # Apply Borg environment options from config (defaults to yes for backward compatibility)
+      allow_relocated = @borg_options.fetch("allow_relocated_repo", true)
+      allow_unencrypted = @borg_options.fetch("allow_unencrypted_repo", true)
+
+      env["BORG_RELOCATED_REPO_ACCESS_IS_OK"] = allow_relocated ? "yes" : "no"
+      env["BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK"] = allow_unencrypted ? "yes" : "no"
 
       # Redirect stdin from /dev/null to prevent interactive prompts
       result = system(env, *cmd, in: "/dev/null")

data/lib/ruborg/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Ruborg
-  VERSION = "0.3.0"
+  VERSION = "0.3.1"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ruborg
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.3.1
 platform: ruby
 authors:
 - Michail Pantelelis
@@ -110,6 +110,7 @@ files:
 - LICENSE
 - README.md
 - Rakefile
+- SECURITY.md
 - exe/ruborg
 - lib/ruborg.rb
 - lib/ruborg/backup.rb