v0.12.1

Changelog for rest-server 0.12.1 (2023-07-09)

The following sections list the changes in rest-server 0.12.1 relevant to users. The changes are ordered by importance.

Summary

• Fix #230: Fix erroneous warnings about unsupported fsync
• Fix #238: API: Return empty array when listing empty folders
• Enh #217: Log to stdout using the --log - option

Details

• Bugfix #230: Fix erroneous warnings about unsupported fsync

  Due to a regression in rest-server 0.12.0, it continuously printed WARNING: fsync is not supported by the data storage. This can lead to data loss, if the system crashes or the storage is unexpectedly disconnected. for systems that support fsync. We have fixed the warning.

  #230 #231

• Bugfix #238: API: Return empty array when listing empty folders

  Rest-server returned null when listing an empty folder. This has been changed to returning an empty array in accordance with the REST protocol specification. This change has no impact on restic users.

  #238 #239

• Enhancement #217: Log to stdout using the --log - option

  Logging to stdout was possible using --log /dev/stdout. However, when the rest server is run as a different user, for example, using

  sudo -u restic rest-server [...] --log /dev/stdout

  This did not work due to permission issues.

  For logging to stdout, the --log option now supports the special filename - which also works in these cases.

  #217

v0.12.0

Changelog for rest-server 0.12.0 (2023-04-24)

The following sections list the changes in rest-server 0.12.0 relevant to users. The changes are ordered by importance.

Summary

• Fix #183: Allow usernames containing underscore and more
• Fix #219: Ignore unexpected files in the data/ folder
• Fix #1871: Return 500 "Internal server error" if files cannot be read
• Chg #207: Return error if command-line arguments are specified
• Chg #208: Update dependencies and require Go 1.17 or newer
• Enh #133: Cache basic authentication credentials
• Enh #187: Allow configurable location for .htpasswd file

Details

• Bugfix #183: Allow usernames containing underscore and more

  The security fix in rest-server 0.11.0 (#131) disallowed usernames containing and underscore "". The list of allowed characters has now been changed to include Unicode characters, numbers, "", "-", "." and "@".

  #183 #184

• Bugfix #219: Ignore unexpected files in the data/ folder

  If the data folder of a repository contained files, this would prevent restic from retrieving a list of file data files. This has been fixed. As a workaround remove the files that are directly contained in the data folder (e.g., .DS_Store files).

  #219 #221

• Bugfix #1871: Return 500 "Internal server error" if files cannot be read

  When files in a repository cannot be read by rest-server, for example after running restic prune directly on the server hosting the repositories in a way that causes filesystem permissions to be wrong, rest-server previously returned 404 "Not Found" as status code. This was causing confusing for users.

  The error handling has now been fixed to only return 404 "Not Found" if the file actually does not exist. Otherwise a 500 "Internal server error" is reported to the client and the underlying error is logged at the server side.

  #1871 #195

• Change #207: Return error if command-line arguments are specified

  Command line arguments are ignored by rest-server, but there was previously no indication of this when they were supplied anyway.

  To prevent usage errors an error is now printed when command line arguments are supplied, instead of them being silently ignored.

  #207

• Change #208: Update dependencies and require Go 1.17 or newer

  Most dependencies have been updated. Since some libraries require newer language features, support for Go 1.15-1.16 has been dropped, which means that rest-server now requires at least Go 1.17 to build.

  #208

• Enhancement #133: Cache basic authentication credentials

  To speed up the verification of basic auth credentials, rest-server now caches passwords for a minute in memory. That way the expensive verification of basic auth credentials can be skipped for most requests issued by a single restic run. The password is kept in memory in a hashed form and not as plaintext.

  #133 #138

• Enhancement #187: Allow configurable location for .htpasswd file

  It is now possible to specify the location of the .htpasswd file using the --htpasswd-file option.

  #187 #188

v0.11.0

Changelog for rest-server 0.11.0 (2022-02-10)

The following sections list the changes in rest-server 0.11.0 relevant to users. The changes are ordered by importance.

Summary

• Sec #131: Prevent loading of usernames containing a slash
• Fix #119: Fix Docker configuration for DISABLE_AUTHENTICATION
• Fix #142: Fix possible data loss due to interrupted network connections
• Fix #157: Use platform-specific temporary directory as default data directory
• Fix #155: Reply "insufficient storage" on disk full or over-quota
• Chg #146: Build rest-server at docker container build time
• Chg #112: Add subrepo support and refactor server code
• Enh #122: Verify uploaded files
• Enh #126: Allow running rest-server via systemd socket activation
• Enh #148: Expand use of security features in example systemd unit file

Details

• Security #131: Prevent loading of usernames containing a slash

  "/" is valid char in HTTP authorization headers, but is also used in rest-server to map usernames to private repos.

  This commit prevents loading maliciously composed usernames like "/foo/config" by restricting the allowed characters to the unicode character class, numbers, "-", "." and "@".

  This prevents requests to other users files like:

  Curl -v -X DELETE -u foo/config:attack http://localhost:8000/foo/config

  #131 #132 #137

• Bugfix #119: Fix Docker configuration for DISABLE_AUTHENTICATION

  Rest-server 0.10.0 introduced a regression which caused the DISABLE_AUTHENTICATION environment variable to stop working for the Docker container. This has been fixed by automatically setting the option --no-auth to disable authentication.

  #119 #124

• Bugfix #142: Fix possible data loss due to interrupted network connections

  When rest-server was run without --append-only it was possible to lose uploaded files in a specific scenario in which a network connection was interrupted.

  For the data loss to occur a file upload by restic would have to be interrupted such that restic notices the interrupted network connection before the rest-server. Then restic would have to retry the file upload and finish it before the rest-server notices that the initial upload has failed. Then the uploaded file would be accidentally removed by rest-server when trying to cleanup the failed upload.

  This has been fixed by always uploading to a temporary file first which is moved in position only once it was uploaded completely.

  #142

• Bugfix #157: Use platform-specific temporary directory as default data directory

  If no data directory is specificed, then rest-server now uses the Go standard library functions to retrieve the standard temporary directory path for the current platform.

  #157 #158

• Bugfix #155: Reply "insufficient storage" on disk full or over-quota

  When there was no space left on disk, or any other write-related error occurred, rest-server replied with HTTP status code 400 (Bad request). This is misleading (restic client will dump the status code to the user).

  Rest-server now replies with two different status codes in these situations: * HTTP 507 "Insufficient storage" is the status on disk full or repository over-quota * HTTP 500 "Internal server error" is used for other disk-related errors

  #155 #160

• Change #146: Build rest-server at docker container build time

  The Dockerfile now includes a build stage such that the latest rest-server is always built and packaged. This is done in a standard golang container to ensure a clean build environment and only the final binary is shipped rather than the whole build environment.

  #146 #145

• Change #112: Add subrepo support and refactor server code

  Support for multi-level repositories has been added, so now each user can have its own subrepositories. This feature is always enabled.

  Authentication for the Prometheus /metrics endpoint can now be disabled with the new --prometheus-no-auth flag.

  We have split out all HTTP handling to a separate repo subpackage to cleanly separate the server code from the code that handles a single repository. The new RepoHandler also makes it easier to reuse rest-server as a Go component in any other HTTP server.

  The refactoring makes the code significantly easier to follow and understand, which in turn makes it easier to add new features, audit for security and debug issues.

  #109 #107 #112

• Enhancement #122: Verify uploaded files

  The rest-server now by default verifies that the hash of content of uploaded files matches their filename. This ensures that transmission errors are detected and forces restic to retry the upload. On low-power devices it can make sense to disable this check by passing the --no-verify-upload flag.

  #122 #130

• Enhancement #126: Allow running rest-server via systemd socket activation

  We've added the option to have systemd create the listening socket and start the rest-server on demand.

  #126 #151 #127

• Enhancement #148: Expand use of security features in example systemd unit file

  The example systemd unit file now enables additional systemd features to mitigate potential security vulnerabilities in rest-server and the various packages and operating system components which it relies upon.

  #148 #149

v0.10.0

Changelog for rest-server 0.10.0 (2020-09-13)

The following sections list the changes in rest-server 0.10.0 relevant to users. The changes are ordered by importance.

Summary

• Sec #117: Stricter path sanitization
• Sec #60: Require auth by default, add --no-auth flag
• Sec #64: Refuse overwriting config file in append-only mode
• Chg #102: Remove vendored dependencies
• Enh #44: Add changelog file

Details

• Security #117: Stricter path sanitization

  The framework we're using in rest-server to decode paths to repositories allowed specifying URL-encoded characters in paths, including sensitive characters such as / (encoded as %2F).

  We've changed this unintended behavior, such that rest-server now rejects such paths. In particular, it is no longer possible to specify sub-repositories for users by encoding the path with %2F, such as http://localhost:8000/foo%2Fbar, which means that this will unfortunately be a breaking change in that case.

  If using sub-repositories for users is important to you, please let us know in the forum, so we can learn about your use case and implement this properly. As it currently stands, the ability to use sub-repositories was an unintentional feature made possible by the URL decoding framework used, and hence never meant to be supported in the first place. If we wish to have this feature in rest-server, we'd like to have it implemented properly and intentionally.

  #117

• Security #60: Require auth by default, add --no-auth flag

  In order to prevent users from accidentally exposing rest-server without authentication, rest-server now defaults to requiring a .htpasswd. If you want to disable authentication, you need to explicitly pass the new --no-auth flag.

  #60 #61

• Security #64: Refuse overwriting config file in append-only mode

  While working on the rclone serve restic command we noticed that is currently possible to overwrite the config file in a repo even if --append-only is specified. The first commit adds proper tests, and the second commit fixes the issue.

  #64

• Change #102: Remove vendored dependencies

  We've removed the vendored dependencies (in the subdir vendor/) similar to what we did for restic itself. When building restic, the Go compiler automatically fetches the dependencies. It will also cryptographically verify that the correct code has been fetched by using the hashes in go.sum (see the link to the documentation below).

  Building the rest-server now requires Go 1.11 or newer, since we're using Go Modules for dependency management. Older Go versions are not supported any more.

  #102 https://golang.org/cmd/go/#hdr-Module_downloading_and_verification

• Enhancement #44: Add changelog file

  #44 #62

Docker images

• docker pull restic/rest-server:latest
• docker pull restic/rest-server:0.10.0

rest-server 0.9.7

This release features:

• private repositories, by @Mebus & @wojas
• support for bcrypt method in htpasswd, by @qbit
• API protocol v2 (read: faster prunes)

The binaries for this release have been built with Go 1.10.

rest-server 0.9.6

This release features:

• automatic htpasswd reload, by @wojas
• Prometheus metrics, by @wojas
• options to specify TLS certificate and key, by @n0npax
• an assortment of small fixes and improvements

We're (still) getting ready for 1.0.0 release!

The binaries for this release have been built with Go 1.9.2.

rest-server 0.9.5

This release features:

• append only mode, by @r3dey3
• improved Docker container, now you can pass options to it (tnx @cgonzalez )
  • from this release Docker container default port is also 8000!
• included Makefile, now preferred way to build everything (binary, container...)

We're getting ready for 1.0.0 release!

The binaries for this release have been built with Go 1.9.1.

rest-server 0.9.4

This release contains various fixes, most importantly for a directory traversal security issue, so everybody should upgrade soon!

Also, from now on dep Go dependency management tool will be used to manage dependencies.

The binaries for this release have been built with Go 1.8.3.

rest-server 0.9.3

Thanks to @mholt work, rest-server can now be used as a library. So, you can easily make plugin for other software like caddy, for example.

Also, thanks to @bclermont work, we now have a Dockerfile, useful to build Docker image of rest-server.

Due to some improvements in build.go, we should now have reproducible builds of rest-server.

rest-server 0.9.2

This is the first public release of rest-server.