fix(orchestrator): validate prepared archive paths before decrypt/copy

tis24dev · tis24dev · commit e752f47a8c4a · 2026-03-11T16:33:07.000+01:00
Validate the staged archive path against the manifest encryption mode in
preparePlainBundleCommon before deriving the plain archive output path.

This rejects inconsistent inputs where `EncryptionMode=age` does not have
a `.age` archive suffix, or where a non-age archive still ends with
`.age`. It also ensures decryption never runs with identical input and
output paths by generating a unique output name when needed.

Add regression coverage for both mode/suffix mismatch cases and the
unique-path fallback for age archives.
diff --git a/internal/orchestrator/decrypt_prepare_common.go b/internal/orchestrator/decrypt_prepare_common.go
@@ -12,6 +12,56 @@ import (
 
 type archiveDecryptFunc func(ctx context.Context, encryptedPath, outputPath, displayName string) error
 
+func createUniquePreparedArchivePath(workDir, baseName string) (string, error) {
+	pattern := strings.TrimSpace(baseName)
+	if pattern == "" {
+		pattern = "archive"
+	}
+	tempFile, err := restoreFS.CreateTemp(workDir, pattern+".decrypted-*")
+	if err != nil {
+		return "", fmt.Errorf("create archive output path: %w", err)
+	}
+	path := tempFile.Name()
+	if err := tempFile.Close(); err != nil {
+		return "", fmt.Errorf("close archive output path: %w", err)
+	}
+	return path, nil
+}
+
+func resolvePreparedArchivePath(workDir, stagedArchivePath, currentEncryption string) (string, error) {
+	archiveBase := filepath.Base(stagedArchivePath)
+	if archiveBase == "." || archiveBase == string(filepath.Separator) || strings.TrimSpace(archiveBase) == "" {
+		return "", fmt.Errorf("invalid staged archive path %s", stagedArchivePath)
+	}
+
+	if currentEncryption == "age" {
+		if !strings.HasSuffix(archiveBase, ".age") {
+			return "", fmt.Errorf("encrypted archive %s is missing .age suffix", stagedArchivePath)
+		}
+
+		plainArchiveName := strings.TrimSuffix(archiveBase, ".age")
+		if strings.TrimSpace(plainArchiveName) == "" {
+			return createUniquePreparedArchivePath(workDir, archiveBase)
+		}
+
+		plainArchivePath := filepath.Join(workDir, plainArchiveName)
+		if plainArchivePath == stagedArchivePath {
+			return createUniquePreparedArchivePath(workDir, plainArchiveName)
+		}
+		return plainArchivePath, nil
+	}
+
+	if strings.HasSuffix(archiveBase, ".age") {
+		mode := currentEncryption
+		if mode == "" {
+			mode = "plain"
+		}
+		return "", fmt.Errorf("archive %s has .age suffix but encryption mode is %s", stagedArchivePath, mode)
+	}
+
+	return filepath.Join(workDir, archiveBase), nil
+}
+
 func preparePlainBundleCommon(ctx context.Context, cand *decryptCandidate, version string, logger *logging.Logger, decryptArchive archiveDecryptFunc) (bundle *preparedBundle, err error) {
 	if cand == nil || cand.Manifest == nil {
 		return nil, fmt.Errorf("invalid backup candidate")
@@ -80,8 +130,11 @@ func preparePlainBundleCommon(ctx context.Context, cand *decryptCandidate, versi
 	currentEncryption := strings.ToLower(strings.TrimSpace(manifestCopy.EncryptionMode))
 	logger.Info("Preparing archive %s for decryption (mode: %s)", manifestCopy.ArchivePath, statusFromManifest(&manifestCopy))
 
-	plainArchiveName := strings.TrimSuffix(filepath.Base(staged.ArchivePath), ".age")
-	plainArchivePath := filepath.Join(workDir, plainArchiveName)
+	plainArchivePath, err := resolvePreparedArchivePath(workDir, staged.ArchivePath, currentEncryption)
+	if err != nil {
+		cleanup()
+		return nil, err
+	}
 
 	if currentEncryption == "age" {
 		if decryptArchive == nil {
diff --git a/internal/orchestrator/decrypt_test.go b/internal/orchestrator/decrypt_test.go
@@ -3006,6 +3006,130 @@ func TestPreparePlainBundleCommon_TrimmedAgeEncryptionTriggersDecrypt(t *testing
 	}
 }
 
+func TestPreparePlainBundleCommon_AgeModeRequiresAgeSuffix(t *testing.T) {
+	origFS := restoreFS
+	restoreFS = osFS{}
+	t.Cleanup(func() { restoreFS = origFS })
+
+	dir := t.TempDir()
+	workArchive := filepath.Join(dir, "backup.tar.xz")
+	if err := os.WriteFile(workArchive, []byte("ciphertext"), 0o600); err != nil {
+		t.Fatalf("write archive: %v", err)
+	}
+	manifestPath := filepath.Join(dir, "backup.metadata")
+	if err := os.WriteFile(manifestPath, []byte(`{"encryption_mode":"age"}`), 0o600); err != nil {
+		t.Fatalf("write manifest: %v", err)
+	}
+	checksumPath := filepath.Join(dir, "backup.sha256")
+	checksumLine := checksumLineForBytes(filepath.Base(workArchive), []byte("ciphertext"))
+	if err := os.WriteFile(checksumPath, []byte(checksumLine), 0o600); err != nil {
+		t.Fatalf("write checksum: %v", err)
+	}
+
+	cand := &decryptCandidate{
+		Manifest: &backup.Manifest{
+			ArchivePath:    workArchive,
+			EncryptionMode: "age",
+		},
+		Source:          sourceRaw,
+		RawArchivePath:  workArchive,
+		RawMetadataPath: manifestPath,
+		RawChecksumPath: checksumPath,
+		DisplayBase:     "backup.tar.xz",
+	}
+
+	logger := logging.New(types.LogLevelError, false)
+	logger.SetOutput(io.Discard)
+
+	decryptCalled := false
+	_, err := preparePlainBundleCommon(context.Background(), cand, "1.0.0", logger, func(ctx context.Context, encryptedPath, outputPath, displayName string) error {
+		decryptCalled = true
+		return nil
+	})
+	if err == nil {
+		t.Fatal("preparePlainBundleCommon error = nil; want missing .age suffix error")
+	}
+	if !strings.Contains(err.Error(), "missing .age suffix") {
+		t.Fatalf("preparePlainBundleCommon error = %v; want missing .age suffix error", err)
+	}
+	if decryptCalled {
+		t.Fatal("decrypt callback was called for archive without .age suffix")
+	}
+}
+
+func TestPreparePlainBundleCommon_NonAgeRejectsAgeSuffix(t *testing.T) {
+	origFS := restoreFS
+	restoreFS = osFS{}
+	t.Cleanup(func() { restoreFS = origFS })
+
+	dir := t.TempDir()
+	workArchive := filepath.Join(dir, "backup.tar.xz.age")
+	if err := os.WriteFile(workArchive, []byte("ciphertext"), 0o600); err != nil {
+		t.Fatalf("write archive: %v", err)
+	}
+	manifestPath := filepath.Join(dir, "backup.metadata")
+	if err := os.WriteFile(manifestPath, []byte(`{"encryption_mode":"none"}`), 0o600); err != nil {
+		t.Fatalf("write manifest: %v", err)
+	}
+	checksumPath := filepath.Join(dir, "backup.sha256")
+	checksumLine := checksumLineForBytes(filepath.Base(workArchive), []byte("ciphertext"))
+	if err := os.WriteFile(checksumPath, []byte(checksumLine), 0o600); err != nil {
+		t.Fatalf("write checksum: %v", err)
+	}
+
+	cand := &decryptCandidate{
+		Manifest: &backup.Manifest{
+			ArchivePath:    workArchive,
+			EncryptionMode: "none",
+		},
+		Source:          sourceRaw,
+		RawArchivePath:  workArchive,
+		RawMetadataPath: manifestPath,
+		RawChecksumPath: checksumPath,
+		DisplayBase:     "backup.tar.xz.age",
+	}
+
+	logger := logging.New(types.LogLevelError, false)
+	logger.SetOutput(io.Discard)
+
+	_, err := preparePlainBundleCommon(context.Background(), cand, "1.0.0", logger, func(ctx context.Context, encryptedPath, outputPath, displayName string) error {
+		t.Fatal("decrypt callback should not be called for non-age archive handling")
+		return nil
+	})
+	if err == nil {
+		t.Fatal("preparePlainBundleCommon error = nil; want .age suffix mismatch error")
+	}
+	if !strings.Contains(err.Error(), "has .age suffix but encryption mode is none") {
+		t.Fatalf("preparePlainBundleCommon error = %v; want .age suffix mismatch error", err)
+	}
+}
+
+func TestResolvePreparedArchivePath_AgeFallbackUsesUniqueOutput(t *testing.T) {
+	origFS := restoreFS
+	restoreFS = osFS{}
+	t.Cleanup(func() { restoreFS = origFS })
+
+	workDir := t.TempDir()
+	stagedArchivePath := filepath.Join(workDir, ".age")
+
+	got, err := resolvePreparedArchivePath(workDir, stagedArchivePath, "age")
+	if err != nil {
+		t.Fatalf("resolvePreparedArchivePath error: %v", err)
+	}
+	if got == stagedArchivePath {
+		t.Fatalf("resolvePreparedArchivePath() = %q; want unique output path", got)
+	}
+	if got == workDir {
+		t.Fatalf("resolvePreparedArchivePath() = %q; want file path inside workdir", got)
+	}
+	if filepath.Dir(got) != workDir {
+		t.Fatalf("resolvePreparedArchivePath() dir = %q; want %q", filepath.Dir(got), workDir)
+	}
+	if !strings.HasPrefix(filepath.Base(got), ".age.decrypted-") {
+		t.Fatalf("resolvePreparedArchivePath() base = %q; want .age.decrypted-*", filepath.Base(got))
+	}
+}
+
 // =====================================
 // extractBundleToWorkdirWithLogger coverage tests
 // =====================================
