Kopia Desk performs every file write operation through two safety primitives exported fromDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/Pachanga12/Kopia_Desk_Beta_1/llms.txt
Use this file to discover all available pages before exploring further.
lib/core.js. safeName normalises arbitrary strings into valid directory names and manifest keys, while safePath resolves a relative path and enforces that it stays inside the intended backup root — blocking path traversal attacks before a single byte hits the destination drive.
safeName(name)
safeName accepts any value, coerces it to a string, strips characters that are illegal in Windows file names, caps the result at 120 characters, and guarantees a non-empty return value. It is called whenever a source folder name is turned into a manifest key or a destination subdirectory.
Parameters
The value to sanitise. Coerced to a string with
String(name) before any
processing.Return value
The sanitised name. All characters matching
[<>:"/\\|?*\x00-\x1f] are
replaced with _. The result is truncated to 120 characters. If the result
would be an empty string, returns 'carpeta' as the fallback.Implementation
Examples
The tests intest/core.test.js cover the four key cases:
safePath(root, relativePath)
safePath resolves a relative path against a trusted root and throws if the
result would escape that root. It is the last line of defence against path
traversal payloads — ../../Windows/System32, embedded null bytes, and sibling
directories whose names share the root’s prefix are all rejected.
Parameters
The absolute path to the backup root (e.g.
D:\KopiaDesk_Backup). Used as
the anchor; the resolved path must begin with path.resolve(root) + path.sep
or equal path.resolve(root) exactly.A path relative to
root, typically taken from a task list or journal entry
(e.g. Fotos/img.jpg). Must be a non-empty string and must not contain null
bytes (\0).Return value
The resolved absolute path, guaranteed to be inside
root. Suitable for
passing directly to fs.copyFileSync, fs.unlinkSync, or any other file
system operation.Errors thrown
| Condition | Message |
|---|---|
relativePath is falsy or not a string | "Ruta no válida." |
relativePath contains a null byte (\0) | "Ruta contiene caracteres nulos." |
| Resolved path escapes the root | "Ruta fuera del disco destino." |
Implementation
The
normalizedRoot + path.sep suffix check prevents a sibling directory
such as D:\KopiaDesk_Backup2 from passing the startsWith test — a subtle
vulnerability that a plain prefix comparison would miss.Examples
Other exports: detectDriveType and hideFolder
Two additional utilities are exported from lib/core.js that relate to drive and folder management rather than path safety directly:
-
detectDriveType(driveRoot)— Queries PowerShell’sGet-PhysicalDiskcmdlet to determine the media type ("SSD","HDD","Unknown") and bus type ("NVMe","SATA","USB","Unknown") of the drive atdriveRoot. Returns{ mediaType, busType }. Used by thebackup:plan-concurrencyIPC channel to feedpickConcurrency. Falls back to{ mediaType: "Unknown", busType: "Unknown" }if the query fails. -
hideFolder(folderPath)— Applies the Windows+h(hidden) and+s(system) attributes to a folder usingattrib.exe. Returnstrueon success,falseif the folder does not exist or the command fails. Called bymain.jsafter saving a manifest, to keep the.kopia-datametadata directory invisible in Windows Explorer.