chore: root commit of OWSAP security testing/tightening

scripts/backup.sh

@@ -19,7 +19,11 @@ mkdir -p "$OUT_DIR"
 
 STAMP="$(date +%F_%H%M%S)"
 OUT_FILE="${OUT_DIR}/skymoney_${STAMP}.dump"
+OUT_BASENAME="$(basename "$OUT_FILE")"
+OUT_DIR_ABS="$(cd "$OUT_DIR" && pwd)"
 
 pg_dump "${BACKUP_DATABASE_URL:-$DATABASE_URL}" -Fc -f "$OUT_FILE"
+(cd "$OUT_DIR_ABS" && sha256sum "$OUT_BASENAME" > "${OUT_BASENAME}.sha256")
 
 echo "Backup written to: $OUT_FILE"
+echo "Checksum written to: ${OUT_FILE}.sha256"

scripts/restore.sh

@@ -13,6 +13,26 @@ if [[ -z "${BACKUP_FILE:-}" ]]; then
   echo "BACKUP_FILE is required."
   exit 1
 fi
+if [[ ! -f "$BACKUP_FILE" ]]; then
+  echo "BACKUP_FILE does not exist: $BACKUP_FILE"
+  exit 1
+fi
+
+CHECKSUM_FILE="${BACKUP_FILE}.sha256"
+if [[ ! -f "$CHECKSUM_FILE" ]]; then
+  echo "Missing checksum file: ${CHECKSUM_FILE}"
+  exit 1
+fi
+EXPECTED_HASH="$(awk '{print $1; exit}' "$CHECKSUM_FILE")"
+if [[ ! "$EXPECTED_HASH" =~ ^[A-Fa-f0-9]{64}$ ]]; then
+  echo "Invalid checksum format in: ${CHECKSUM_FILE}"
+  exit 1
+fi
+ACTUAL_HASH="$(sha256sum "$BACKUP_FILE" | awk '{print $1}')"
+if [[ "$ACTUAL_HASH" != "$EXPECTED_HASH" ]]; then
+  echo "Backup checksum verification failed for: ${BACKUP_FILE}"
+  exit 1
+fi
 
 if [[ -z "${DATABASE_URL:-}" ]]; then
   echo "DATABASE_URL is required."
@@ -23,6 +43,11 @@ RESTORE_DB="${RESTORE_DB:-skymoney_restore_test}"
 RESTORE_URL="${RESTORE_DATABASE_URL:-}"
 ADMIN_URL="${ADMIN_DATABASE_URL:-$DATABASE_URL}"
 
+if [[ ! "$RESTORE_DB" =~ ^[A-Za-z0-9_]+$ ]]; then
+  echo "RESTORE_DB must match ^[A-Za-z0-9_]+$"
+  exit 1
+fi
+
 if [[ -z "$RESTORE_URL" ]]; then
   echo "RESTORE_DATABASE_URL is required (example: postgresql://user:pass@host:5432/${RESTORE_DB})."
   exit 1