Releases: sstraus/SettingsSentry

v1.2.0

08 Jan 14:43

BREAKING CHANGES

  • Flag renamed: --commands -> --allow-commands for clarity
    • The old, confusing help text "Prevent pre-backup/restore commands execution" has been replaced with a clear security warning
    • Migration: If you use --commands or SETTINGSSENTRY_COMMANDS=true, update scripts to use --allow-commands
    • Reason: The old flag name was misleading - it actually ENABLES command execution (security risk), not prevents it

Security Improvements

  • Enhanced command execution security (SettingsSentry-7tl)
    • Commands are now DISABLED BY DEFAULT for security
    • Added prominent security warnings in help text and README
    • Documented that commands execute with full user privileges
    • Added security tests to verify that commands are blocked when the flag is false
  • Fixed path traversal in config file resolution (SettingsSentry-50h)
    • Added path sanitization using filepath.Clean() and filepath.Rel() in ResolveConfigFilePath
    • Validates that resolved paths stay within the home directory
    • Prevents access to files outside the intended directories (e.g., ~/../../etc/passwd)
  • Fixed path traversal in backup path construction (SettingsSentry-1z3)
    • Added a sanitizeConfigName() function to prevent directory traversal via config names
    • Removes path separators and ../ sequences from config names
    • Prevents a malicious config from writing backups outside the backup directory
  • Fixed cron job LookPath security vulnerability (SettingsSentry-b7k)
    • Replaced exec.LookPath() with os.Executable() in cron job installation
    • Prevents PATH manipulation attacks in which a substituted malicious binary would be scheduled instead
    • Uses the absolute path of the currently running binary instead of searching PATH
  • Fixed goroutine resource leak (SettingsSentry-ijc)
    • Added WaitGroup synchronization to ExecuteWithCallback in interfaces/command.go
    • Prevents the race between goroutine completion and cmd.Wait()
    • Ensures all stdout/stderr output is captured before the function returns
  • Reviewed and verified Zip Slip protection (SettingsSentry-bzs)
    • Confirmed that the existing protection validates every extraction path
    • Uses filepath.Clean() and filepath.Abs() to prevent directory traversal
    • All Zip Slip security tests pass
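The three path fixes above (config file resolution, config-name sanitization, and the Zip Slip check first added in 1.1.8 and re-verified here) all come down to one containment test: clean the joined path, then prove with filepath.Rel that it has not left its base directory. The Go below is an added illustration written for these notes, not SettingsSentry's own source. The names sanitizeConfigName, containedPath, extractZip and buildSampleZip, and the rule of joining surviving name components with "_", are assumptions; the archive contents are constructed test data.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a candidate path would land outside its base directory.
var ErrOutsideBase = errors.New("path escapes base directory")

// sanitizeConfigName reduces a config name to a single path element: both separator
// styles are split, "." and ".." parts are dropped, the rest is joined with "_" (assumed rule).
func sanitizeConfigName(name string) string {
	var kept []string
	for _, part := range strings.Split(strings.ReplaceAll(name, "\\", "/"), "/") {
		if part == "" || part == "." || part == ".." {
			continue
		}
		kept = append(kept, part)
	}
	return strings.Join(kept, "_")
}

// containedPath joins rel onto base, cleans the result and uses filepath.Rel to prove it
// is still inside base: the same test ResolveConfigFilePath makes against the home
// directory and a zip extractor makes against its destination.
func containedPath(base, rel string) (string, error) {
	absBase, err := filepath.Abs(filepath.Clean(base))
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(absBase, rel) // Join also Cleans, collapsing any "../"
	r, err := filepath.Rel(absBase, candidate)
	if err != nil {
		return "", err
	}
	if r == ".." || strings.HasPrefix(r, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrOutsideBase, rel)
	}
	return candidate, nil
}

// extractZip validates every entry with containedPath before writing any file, so one
// malicious entry aborts the whole archive without side effects. Directory entries are
// skipped; parents are created on demand when a file is written.
func extractZip(zr *zip.Reader, dest string) ([]string, error) {
	targets := make([]string, 0, len(zr.File))
	for _, f := range zr.File {
		t, err := containedPath(dest, f.Name)
		if err != nil {
			return nil, err
		}
		targets = append(targets, t)
	}
	for i, f := range zr.File {
		if f.FileInfo().IsDir() {
			continue
		}
		if err := os.MkdirAll(filepath.Dir(targets[i]), 0o755); err != nil {
			return nil, err
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		if err := os.WriteFile(targets[i], data, 0o644); err != nil {
			return nil, err
		}
	}
	return targets, nil
}

// buildSampleZip constructs an in-memory archive of empty entries with the given names
// (constructed test data). Note that zip.NewReader itself accepts "../" names by default.
func buildSampleZip(names ...string) (*zip.Reader, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, n := range names {
		if _, err := zw.Create(n); err != nil {
			return nil, err
		}
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return zip.NewReader(bytes.NewReader(buf.Bytes()), int64(buf.Len()))
}
```

Two design points worth noting: the Rel check rejects ".." and "../x" but deliberately accepts names such as "..hidden", which a naive prefix test on the raw string would wrongly block; and extractZip validates all entries in a first pass before its second pass writes anything, so an archive whose last entry escapes does not leave a half-extracted tree behind.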
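The goroutine leak entry above describes a classic os/exec race: cmd.Wait() closes the stdout/stderr pipes, so if the goroutines reading them have not reached EOF yet, trailing output is lost and the readers may exit early. The Go below is an added example written for these notes, not the project's interfaces/command.go; ExecuteWithCallback, OutputLine and CaptureCommand are assumed names, and the shell script it runs is constructed sample input.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os/exec"
	"sync"
)

// OutputLine is one captured line together with the stream it came from.
type OutputLine struct {
	Stream string // "stdout" or "stderr"
	Text   string
}

// ExecuteWithCallback runs name with args and invokes cb for every line of stdout
// and stderr. Two goroutines drain the pipes; the sync.WaitGroup makes the function
// wait for both readers to see EOF before cmd.Wait() is called, since Wait closes the
// pipes and would otherwise race the readers and drop trailing output.
// (Hypothetical reimplementation; not SettingsSentry's code.)
func ExecuteWithCallback(name string, args []string, cb func(OutputLine)) error {
	cmd := exec.Command(name, args...)
	stdout, err := cmd.StdoutPipe()
	if err != nil {
		return err
	}
	stderr, err := cmd.StderrPipe()
	if err != nil {
		return err
	}
	if err := cmd.Start(); err != nil {
		return err
	}

	var wg sync.WaitGroup
	var mu sync.Mutex // cb is invoked from both goroutines, so serialise the calls
	drain := func(stream string, r io.Reader) {
		defer wg.Done()
		sc := bufio.NewScanner(r) // note: lines over bufio.MaxScanTokenSize stop the scan
		for sc.Scan() {
			mu.Lock()
			cb(OutputLine{Stream: stream, Text: sc.Text()})
			mu.Unlock()
		}
	}
	wg.Add(2)
	go drain("stdout", stdout)
	go drain("stderr", stderr)
	wg.Wait()         // every line has been delivered to cb at this point
	return cmd.Wait() // only now is it safe to let Wait close the pipes
}

// CaptureCommand is a small wrapper that collects the lines of each stream in order.
func CaptureCommand(name string, args ...string) (stdout, stderr []string, err error) {
	err = ExecuteWithCallback(name, args, func(l OutputLine) {
		if l.Stream == "stdout" {
			stdout = append(stdout, l.Text)
		} else {
			stderr = append(stderr, l.Text)
		}
	})
	return stdout, stderr, err
}

func main() {
	out, errs, err := CaptureCommand("sh", "-c", "echo hello; echo careful 1>&2; echo done")
	fmt.Println(out, errs, err)
}
```

A command that emits a few hundred lines is the quickest way to see the difference: without wg.Wait() before cmd.Wait(), the tail of the output is intermittently missing, which is exactly the symptom a "verify output is captured before return" test catches.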

Features

  • Cron job installation now supports --allow-commands flag
    • Use settingssentry install --allow-commands to enable command execution in scheduled backups
    • Commands are disabled by default in cron jobs for security
    • Clear warning displayed when installing with commands enabled
    • Added comprehensive tests for flag functionality
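The cron installer items in this release and the LookPath fix above fit together: the scheduled entry must name the exact binary that installed it (os.Executable(), not a PATH lookup that cron's minimal environment could resolve differently), and it must not enable command execution unless the operator asked for it. The Go below is an added example written for these notes, not SettingsSentry's installer; CronInstallOptions, currentBinary, BuildCronLine and the "backup" subcommand are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// CronInstallOptions holds the two decisions the notes describe for 1.2.0 installs:
// the schedule and whether scheduled runs may execute config commands.
// Field names are assumptions, not the project's.
type CronInstallOptions struct {
	Schedule      string // five-field cron expression, e.g. "0 3 * * *"
	AllowCommands bool   // off by default; commands run with full user privileges
}

// currentBinary is the os.Executable() replacement for exec.LookPath(): it pins the
// binary that is installing itself, resolved through symlinks to an absolute path,
// instead of whatever name cron's (often minimal) PATH would resolve later.
func currentBinary() (string, error) {
	exe, err := os.Executable()
	if err != nil {
		return "", err
	}
	exe, err = filepath.EvalSymlinks(exe)
	if err != nil {
		return "", err
	}
	if !filepath.IsAbs(exe) {
		return "", fmt.Errorf("executable path is not absolute: %q", exe)
	}
	return exe, nil
}

// BuildCronLine renders the crontab entry. --allow-commands is appended only when
// explicitly requested, and a warning is returned with it for the installer to print.
// The "backup" subcommand name is assumed. A binary path containing whitespace would
// additionally need shell quoting, which is omitted here.
func BuildCronLine(opts CronInstallOptions) (string, string, error) {
	fields := strings.Fields(opts.Schedule)
	if len(fields) != 5 {
		return "", "", fmt.Errorf("schedule must have five fields: %q", opts.Schedule)
	}
	bin, err := currentBinary()
	if err != nil {
		return "", "", err
	}
	args := []string{bin, "backup"}
	warning := ""
	if opts.AllowCommands {
		args = append(args, "--allow-commands")
		warning = "WARNING: scheduled backups will run pre/post commands from config files with your full user privileges"
	}
	return strings.Join(fields, " ") + " " + strings.Join(args, " "), warning, nil
}

func main() {
	for _, allow := range []bool{false, true} {
		line, warning, err := BuildCronLine(CronInstallOptions{Schedule: "0 3 * * *", AllowCommands: allow})
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println(line)
		if warning != "" {
			fmt.Println(warning)
		}
	}
}
```

Because the flag is opt-in at the type level (a zero-value CronInstallOptions never schedules command execution), a test that constructs the options without touching AllowCommands and asserts the flag is absent is enough to lock in the secure default.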

Configuration Files

Added 27 new application configuration files from Mackup database:

  • aldente, blesh, claude-code, codex, factory-droid
  • github-cli, gmailctl, gnu-stow, kiro, lazydocker
  • leiningen, lightpaper, mise, mole, offlineimap
  • opencode, opera, plover, rustrover, shadowsocksx-ng
  • terraform, things, tidy, vimwiki, windsurf
  • yazi, youtube-dl

Development

  • Initialized bd (beads) issue tracking for dependency-aware workflow
  • Added .claude directory to .gitignore
  • Improved test coverage with security-focused test cases

Full Changelog: https://github.com/sstraus/SettingsSentry/blob/main/CHANGELOG.md

SettingsSentry v1.1.8

21 Nov 10:38

Enhanced testing, security, and code quality improvements.

Security Fixes

  • Fixed Zip Slip vulnerability (CVE) in zip extraction - prevents directory traversal attacks
  • Updated golang.org/x/crypto to v0.45.0 (fixes SSH memory consumption and panic vulnerabilities)

New Features

  • Added make act-test - run GitHub Actions CI tests locally
  • Added make act-lint - run linter locally with GitHub Actions
  • Added comprehensive CLI tests (803 lines of new tests)
  • Added backup operations test suite (1,640 lines of tests)

Improvements

  • Improved test coverage to 65.5% across core packages
  • Fixed all 33 golangci-lint issues (errcheck violations)
  • Fixed shell compatibility issues (bash vs sh)
  • Refactored main package for better testability
  • Separated backup operations into dedicated module
  • Added .actrc configuration for local CI testing

SettingsSentry v1.1.7

30 Mar 18:20

The tool has reached maturity.

New features:

  • Versioned backups with timestamp-based directories.
  • Dry-run mode to preview operations without making changes.
  • Self-contained config files (you can extract them to customize).
  • Optional ZIP archive backup format (-zip flag).
  • Optional password-based encryption (-password flag).

v1.1.6

28 Mar 08:10

Restore command has been improved.
Run commands are an optional behavior, not the standard anymore.
Configs are now embedded for better portability.

Full Changelog: v.1.1.5...v1.1.6

SettingsSentry v1.1.5

11 Mar 16:20

  • Full refactor
  • Added tests
  • Many new features

SettingsSentry v1.1.4

02 Mar 16:31

  • Fixed an issue with the 'configs' path when the executable is called from a different working directory

Full Changelog: v1.1.3...v1.1.4

SettingsSentry v1.1.3

25 Feb 14:14

  • Fix cron job setup

Full Changelog: v1.1.2...v1.1.3

SettingsSentry v1.1.2

23 Feb 13:35

Full Changelog: v1.1.1...v1.1.2

  • better output
  • better documentation
  • new -nocommands option to prevent pre-backup/restore commands execution

SettingsSentry v1.1.1

23 Feb 11:13

  • Fix parameter issue with install command

SettingsSentry v1.1

18 Feb 10:08

  • Added a custom CRON schedule parameter to set a specific time and date for execution instead of the reboot parameter

Full Changelog: v1.0...v1.1