i18ntk 4.0.0 → 4.2.0

package/main/i18ntk-backup.js

@@ -57,14 +57,35 @@ function computeFileHash(filePath) {
   }
 }
 
-function computeContentHash(content) {
+function computeContentHash(content) {
   if (typeof content === 'object' && content !== null) {
     const normalized = JSON.stringify(content);
     return crypto.createHash('sha256').update(normalized).digest('hex');
   }
   const str = String(content);
-  return crypto.createHash('sha256').update(str).digest('hex');
-}
+  return crypto.createHash('sha256').update(str).digest('hex');
+}
+
+async function collectJsonFiles(rootDir, currentDir = rootDir) {
+  const entries = await fsp.readdir(currentDir, { withFileTypes: true });
+  const files = [];
+
+  for (const entry of entries) {
+    const fullPath = path.join(currentDir, entry.name);
+    if (entry.isDirectory()) {
+      files.push(...await collectJsonFiles(rootDir, fullPath));
+      continue;
+    }
+    if (!entry.isFile() || !entry.name.endsWith('.json')) {
+      continue;
+    }
+
+    const relativePath = path.relative(rootDir, fullPath).split(path.sep).join('/');
+    files.push({ relativePath, fullPath });
+  }
+
+  return files;
+}
 
 async function findMostRecentBackup(backupDirPath) {
   try {
@@ -98,18 +119,24 @@ function getParentHashes(parentData) {
   return hashes;
 }
 
-async function buildRestoreChain(startPath, startData) {
+async function buildRestoreChain(startPath, startData) {
   const chain = [{ path: startPath, data: startData }];
-  let current = startData;
-  let currentPath = startPath;
-
-  while (current._meta && current._meta.parent) {
-    if (chain.length >= 11) {
-      throw new Error('Chain broken: incremental backup chain exceeds the maximum depth of 10');
-    }
-    const parentName = current._meta.parent;
+  const visited = new Set();
+  visited.add(path.basename(startPath));
+  let current = startData;
+  let currentPath = startPath;
+
+  while (current._meta && current._meta.parent) {
+    if (chain.length >= 11) {
+      throw new Error('Chain broken: incremental backup chain exceeds the maximum depth of 10');
+    }
+    const parentName = current._meta.parent;
+    if (visited.has(parentName)) {
+      throw new Error('circular chain reference');
+    }
+    visited.add(parentName);
     const parentDir = path.dirname(currentPath);
-    const parentPath = path.join(parentDir, parentName);
+    const parentPath = path.join(parentDir, parentName);
     if (!SecurityUtils.safeExistsSync(parentPath, parentDir)) {
       throw new Error(`Chain broken: parent backup '${parentName}' not found in ${parentDir}`);
     }
@@ -122,10 +149,106 @@ async function buildRestoreChain(startPath, startData) {
     chain.push({ path: currentPath, data: current });
   }
 
-  chain.reverse();
-  return chain;
-}
-
+  chain.reverse();
+  return chain;
+}
+
+function readBackupData(backupPath, baseDir) {
+  const raw = SecurityUtils.safeReadFileSync(backupPath, baseDir, 'utf8');
+  if (raw === null) {
+    throw new Error(`Unable to read backup: ${path.basename(backupPath)}`);
+  }
+  return JSON.parse(raw);
+}
+
+function validateBackupEntryName(fileName) {
+  if (!fileName || typeof fileName !== 'string') {
+    throw new Error('Invalid backup entry name');
+  }
+  if (fileName === '_meta') {
+    return null;
+  }
+  if (fileName.includes('\0') || /^[a-zA-Z]:/.test(fileName)) {
+    throw new Error(`Unsafe backup entry name: ${fileName}`);
+  }
+
+  const normalizedSeparators = fileName.replace(/\\/g, '/');
+  const rawSegments = normalizedSeparators.split('/');
+  const normalized = path.posix.normalize(normalizedSeparators);
+  const segments = normalized.split('/');
+
+  if (
+    path.posix.isAbsolute(normalizedSeparators) ||
+    rawSegments.some(segment => !segment || segment === '.' || segment === '..') ||
+    normalized === '.' ||
+    normalized === '..' ||
+    normalized.startsWith('../') ||
+    !normalized.endsWith('.json') ||
+    segments.some(segment => !segment || segment === '.' || segment === '..')
+  ) {
+    throw new Error(`Unsafe backup entry name: ${fileName}`);
+  }
+
+  return normalized;
+}
+
+function restoreBackupEntry(outputDir, fileName, content) {
+  const safeName = validateBackupEntryName(fileName);
+  if (!safeName) return false;
+
+  const filePath = SecurityUtils.safeJoin(outputDir, safeName);
+  if (!filePath) {
+    throw new Error(`Backup entry escapes restore directory: ${fileName}`);
+  }
+  if (!SecurityUtils.safeWriteFileSync(filePath, JSON.stringify(content, null, 2), outputDir, 'utf8')) {
+    throw new Error(`Unable to restore backup entry: ${fileName}`);
+  }
+  return true;
+}
+
+function collectProtectedChainNames(backupDirPath, keptFiles) {
+  const protectedNames = new Set();
+  const byName = new Map();
+  for (const file of keptFiles) {
+    byName.set(file.name, file);
+  }
+
+  const queue = [];
+  for (const file of keptFiles) {
+    try {
+      const data = readBackupData(file.path, backupDirPath);
+      if (data._meta && data._meta.parent) {
+        queue.push(data._meta.parent);
+      }
+    } catch {}
+  }
+
+  while (queue.length > 0) {
+    const name = queue.shift();
+    if (protectedNames.has(name)) {
+      continue;
+    }
+    protectedNames.add(name);
+
+    const file = byName.get(name) || {
+      name,
+      path: path.join(backupDirPath, name)
+    };
+    if (!SecurityUtils.safeExistsSync(file.path, backupDirPath)) {
+      continue;
+    }
+
+    try {
+      const data = readBackupData(file.path, backupDirPath);
+      if (data._meta && data._meta.parent) {
+        queue.push(data._meta.parent);
+      }
+    } catch {}
+  }
+
+  return protectedNames;
+}
+
 const configManager = require('../utils/config-manager');
 const { logger } = require('../utils/logger');
 const { colors } = require('../utils/logger');
@@ -210,7 +333,15 @@ async function cleanupOldBackups(backupDirPath) {
       .sort((a, b) => b.time - a.time);
 
     const toDelete = backupFiles.slice(maxBackups);
-    for (const file of toDelete) {
+    const kept = backupFiles.slice(0, maxBackups);
+
+    const protectedChainNames = collectProtectedChainNames(backupDirPath, kept);
+
+    for (const file of toDelete) {
+      if (protectedChainNames.has(file.name)) {
+        logger.info(`  Keeping ${file.name} (parent of a kept incremental backup)`);
+        continue;
+      }
       try {
         await fsp.unlink(file.path);
       } catch (err) {
@@ -230,7 +361,7 @@ async function handleCreate(args) {
   const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
   const backupName = `backup-${timestamp}.json`;
   const backupPath = path.join(outputDir, backupName);
-  const isIncremental = !!args.incremental;
+  const isIncremental = args.incremental !== 'false' && args.incremental !== false;
 
   logger.debug(`Source directory: ${dir}`);
   logger.debug(`Backup will be saved to: ${backupPath}`);
@@ -262,31 +393,29 @@ async function handleCreate(args) {
 
   logger.info('\nCreating backup...');
 
-  const files = (await fsp.readdir(sourceDir, { withFileTypes: true }))
-    .filter(dirent => dirent.isFile() && dirent.name.endsWith('.json'))
-    .map(dirent => dirent.name);
-
-  if (files.length === 0) {
-    logger.warn('No JSON files found in the specified directory');
-    process.exit(0);
-  }
-
-  const translations = {};
-  const hashes = {};
-  for (const file of files) {
-    const filePath = path.join(sourceDir, file);
-    try {
-      const rawContent = SecurityUtils.safeReadFileSync(filePath, path.dirname(filePath), 'utf8');
-      if (rawContent === null) {
-        logger.error(`Could not read file ${file}`);
-        continue;
-      }
-      translations[file] = JSON.parse(rawContent);
-      hashes[file] = computeFileHash(filePath);
-    } catch (error) {
-      logger.error(`Could not read file ${file}: ${error.message}`);
-    }
-  }
+  const files = await collectJsonFiles(sourceDir);
+
+  if (files.length === 0) {
+    logger.warn('No JSON files found in the specified directory');
+    process.exit(0);
+  }
+
+  const translations = {};
+  const hashes = {};
+  for (const file of files) {
+    const filePath = file.fullPath;
+    try {
+      const rawContent = SecurityUtils.safeReadFileSync(filePath, path.dirname(filePath), 'utf8');
+      if (rawContent === null) {
+        logger.error(`Could not read file ${file.relativePath}`);
+        continue;
+      }
+      translations[file.relativePath] = JSON.parse(rawContent);
+      hashes[file.relativePath] = computeFileHash(filePath);
+    } catch (error) {
+      logger.error(`Could not read file ${file.relativePath}: ${error.message}`);
+    }
+  }
 
   let meta = {
     type: 'full',
@@ -372,28 +501,26 @@ async function handleRestore(args) {
       const chain = await buildRestoreChain(backupPath, backupData);
       await fsp.mkdir(outputDir, { recursive: true });
 
-      const restoredFiles = new Set();
-      for (const entry of chain) {
-        for (const [file, content] of Object.entries(entry.data)) {
-          if (file === '_meta') continue;
-          const filePath = path.join(outputDir, file);
-          SecurityUtils.safeWriteFileSync(filePath, JSON.stringify(content, null, 2), path.dirname(filePath), 'utf8');
-          restoredFiles.add(file);
-        }
-      }
+      const restoredFiles = new Set();
+      for (const entry of chain) {
+        for (const [file, content] of Object.entries(entry.data)) {
+          if (restoreBackupEntry(outputDir, file, content)) {
+            restoredFiles.add(file);
+          }
+        }
+      }
 
       logger.success('Incremental backup restored successfully');
       logger.info(`  ${restoredFiles.size} files restored across ${chain.length} backup(s) to: ${outputDir}`);
     } else {
       await fsp.mkdir(outputDir, { recursive: true });
 
-      let count = 0;
-      for (const [file, content] of Object.entries(backupData)) {
-        if (file === '_meta') continue;
-        const filePath = path.join(outputDir, file);
-        SecurityUtils.safeWriteFileSync(filePath, JSON.stringify(content, null, 2), path.dirname(filePath), 'utf8');
-        count++;
-      }
+      let count = 0;
+      for (const [file, content] of Object.entries(backupData)) {
+        if (restoreBackupEntry(outputDir, file, content)) {
+          count++;
+        }
+      }
 
       logger.success('Backup restored successfully');
       logger.info(`  Restored ${count} files to: ${outputDir}`);
@@ -488,32 +615,11 @@ async function handleVerify(args) {
     if (data._meta && data._meta.hashes) {
       logger.info('  Performing hash chain verification...');
 
-      const chain = [{ path: backupPath, data: data }];
-      let current = data;
-      let currentPath = backupPath;
-      while (current._meta && current._meta.parent) {
-        if (chain.length >= 11) {
-          logger.warn('  Chain broken: maximum incremental depth of 10 exceeded');
-          break;
-        }
-        const parentName = current._meta.parent;
-        const parentDir = path.dirname(currentPath);
-        const parentPath = path.join(parentDir, parentName);
-        if (!SecurityUtils.safeExistsSync(parentPath, parentDir)) {
-          logger.warn(`  Chain broken: parent '${parentName}' not found`);
-          break;
-        }
-        const parentRaw = SecurityUtils.safeReadFileSync(parentPath, parentDir, 'utf8');
-        if (parentRaw === null) {
-          logger.warn(`  Chain broken: cannot read parent '${parentName}'`);
-          break;
-        }
-        current = JSON.parse(parentRaw);
-        currentPath = parentPath;
-        chain.push({ path: currentPath, data: current });
-      }
-
+      const chain = await buildRestoreChain(backupPath, data);
+
       let allValid = true;
+
+      // Rebuild full state oldest->newest and verify each manifest against it.
       const reconstructed = {};
       for (const entry of chain) {
         const entryMeta = entry.data._meta;
@@ -526,13 +632,13 @@ async function handleVerify(args) {
 
         if (!entryHashes) {
           logger.warn(`  ${entryName}: no manifest hashes (legacy backup)`);
-          continue;
-        }
+          continue;
+        }
 
         let entryValid = true;
         for (const [file, expectedHash] of Object.entries(entryHashes)) {
           if (!Object.prototype.hasOwnProperty.call(reconstructed, file)) {
-            logger.warn(`    Missing file in manifest: ${file}`);
+            logger.warn(`    Missing file in reconstructed backup state: ${file}`);
             entryValid = false;
             continue;
           }
@@ -542,19 +648,20 @@ async function handleVerify(args) {
             entryValid = false;
           }
         }
+
+        if (entryValid) {
+          logger.success(`  ${entryName}: ${Object.keys(entryHashes).length} file(s) verified`);
+        } else {
+          allValid = false;
+        }
+      }
 
-        if (entryValid) {
-          logger.success(`  ${entryName}: ${Object.keys(entryHashes).length} file(s) verified`);
-        } else {
-          allValid = false;
-        }
-      }
-
-      if (allValid) {
-        logger.success('\nBackup chain verification passed');
-      } else {
-        logger.error('\nBackup chain verification FAILED');
-      }
+      if (allValid) {
+        logger.success('\nBackup chain verification passed');
+      } else {
+        logger.error('\nBackup chain verification FAILED');
+        process.exitCode = 1;
+      }
     } else {
       const fileCount = Object.keys(data).filter(k => k !== '_meta').length;
       logger.success('Backup is valid');
@@ -586,24 +693,33 @@ async function handleCleanup(args) {
     
     // Keep only the most recent 'keep' files
     const toDelete = backupFiles.slice(keep);
+    const kept = backupFiles.slice(0, keep);
     
     if (toDelete.length === 0) {
       logger.info('No old backups to delete.');
       return;
     }
     
-    // Delete old backups
-    for (const file of toDelete) {
-      try {
+    const protectedChainNames = collectProtectedChainNames(backupDir, kept);
+    let deletedCount = 0;
+    
+    // Delete old backups, skipping parents of kept backups
+    for (const file of toDelete) {
+      if (protectedChainNames.has(file.name)) {
+        logger.info(`  Keeping ${file.name} (parent of a kept incremental backup)`);
+        continue;
+      }
+      try {
         await fsp.unlink(file.path);
-        logger.info(`  - Deleted: ${file.name}`);
-      } catch (err) {
-        logger.error(`  - Failed to delete ${file.name}: ${err.message}`);
-      }
-    }
-    
-    logger.info(`\nRemoved ${toDelete.length} old backups`);
-    logger.info(`Total backups kept: ${keep}`);
+        logger.info(`  - Deleted: ${file.name}`);
+        deletedCount++;
+      } catch (err) {
+        logger.error(`  - Failed to delete ${file.name}: ${err.message}`);
+      }
+    }
+    
+    logger.info(`\nRemoved ${deletedCount} old backups`);
+    logger.info(`Total backups kept: ${keep}`);
     
   } catch (error) {
     logger.error('Error cleaning up backups:');