Fix 29 audit findings across all severity tiers

src/core/backup.rs

@@ -119,16 +119,23 @@ pub fn create_backup(db: &Database, appimage_id: i64) -> Result<PathBuf, BackupE
         "manifest.json".to_string(),
     ];
 
+    let home_dir = dirs::home_dir().unwrap_or_else(|| PathBuf::from("/"));
     for entry in &entries {
         let source = Path::new(&entry.original_path);
         if source.exists() {
-            tar_args.push("-C".to_string());
-            tar_args.push(
-                source.parent().unwrap_or(Path::new("/")).to_string_lossy().to_string(),
-            );
-            tar_args.push(
-                source.file_name().unwrap_or_default().to_string_lossy().to_string(),
-            );
+            if let Ok(rel) = source.strip_prefix(&home_dir) {
+                tar_args.push("-C".to_string());
+                tar_args.push(home_dir.to_string_lossy().to_string());
+                tar_args.push(rel.to_string_lossy().to_string());
+            } else {
+                tar_args.push("-C".to_string());
+                tar_args.push(
+                    source.parent().unwrap_or(Path::new("/")).to_string_lossy().to_string(),
+                );
+                tar_args.push(
+                    source.file_name().unwrap_or_default().to_string_lossy().to_string(),
+                );
+            }
         }
     }
 
@@ -190,12 +197,16 @@ pub fn restore_backup(archive_path: &Path) -> Result<RestoreResult, BackupError>
     // Restore each path
     let mut restored = 0u32;
     let mut skipped = 0u32;
+    let home_dir = dirs::home_dir().unwrap_or_else(|| PathBuf::from("/"));
 
     for entry in &manifest.paths {
-        let source_name = Path::new(&entry.original_path)
-            .file_name()
-            .unwrap_or_default();
-        let extracted = temp_dir.path().join(source_name);
+        let source = Path::new(&entry.original_path);
+        let extracted = if let Ok(rel) = source.strip_prefix(&home_dir) {
+            temp_dir.path().join(rel)
+        } else {
+            let source_name = source.file_name().unwrap_or_default();
+            temp_dir.path().join(source_name)
+        };
         let target = Path::new(&entry.original_path);
 
         if !extracted.exists() {
@@ -269,7 +280,6 @@ pub fn delete_backup(db: &Database, backup_id: i64) -> Result<(), BackupError> {
 }
 
 /// Remove backups older than the specified number of days.
-#[allow(dead_code)]
 pub fn auto_cleanup_old_backups(db: &Database, retention_days: u32) -> Result<u32, BackupError> {
     let backups = db.get_all_config_backups().unwrap_or_default();
     let cutoff = chrono::Utc::now() - chrono::Duration::days(retention_days as i64);
@@ -292,7 +302,6 @@ pub fn auto_cleanup_old_backups(db: &Database, retention_days: u32) -> Result<u3
 #[derive(Debug)]
 pub struct BackupInfo {
     pub id: i64,
-    #[allow(dead_code)]
     pub appimage_id: i64,
     pub app_version: Option<String>,
     pub archive_path: String,
@@ -304,10 +313,8 @@ pub struct BackupInfo {
 
 #[derive(Debug)]
 pub struct RestoreResult {
-    #[allow(dead_code)]
     pub manifest: BackupManifest,
     pub paths_restored: u32,
-    #[allow(dead_code)]
     pub paths_skipped: u32,
 }