fix(security): restrict temp file permissions and validate memory_limit

- chmod 0600 on CreateTemp files in restore, delete, and duckdb profiling
  to prevent world-readable parquet data and profile output (closes #362)
- validate memory_limit with regex before SQL interpolation in compaction
  subprocess to prevent injection via config (closes #363)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: Ignacio Van Droogenbroeck

internal/api/delete.go

@@ -623,6 +623,11 @@ func (h *DeleteHandler) rewriteS3File(ctx context.Context, s3Path, relativePath,
 	if err != nil {
 		return 0, fmt.Errorf("failed to create temp file: %w", err)
 	}
+	if err := os.Chmod(tempFile.Name(), 0600); err != nil {
+		tempFile.Close()
+		os.Remove(tempFile.Name())
+		return 0, fmt.Errorf("failed to secure temp file: %w", err)
+	}
 	tempPath := tempFile.Name()
 	tempFile.Close()
 	defer os.Remove(tempPath)

internal/backup/restore.go

@@ -146,6 +146,11 @@ func (m *Manager) streamRestoreFile(ctx context.Context, srcPath, destPath strin
 	if err != nil {
 		return 0, fmt.Errorf("failed to create temp file: %w", err)
 	}
+	if err := os.Chmod(tmpFile.Name(), 0600); err != nil {
+		tmpFile.Close()
+		os.Remove(tmpFile.Name())
+		return 0, fmt.Errorf("failed to secure temp file: %w", err)
+	}
 	tmpPath := tmpFile.Name()
 	defer os.Remove(tmpPath)
 	defer tmpFile.Close()

internal/compaction/subprocess.go

@@ -9,6 +9,7 @@ import (
 	"os"
 	"os/exec"
 	"os/signal"
+	"regexp"
 	"runtime"
 	"runtime/pprof"
 	"strings"
@@ -21,6 +22,8 @@ import (
 	_ "github.com/duckdb/duckdb-go/v2"
 )
 
+var memLimitRe = regexp.MustCompile(`^\d+(\.\d+)?\s*(B|KB|MB|GB|TB|%)?$`)
+
 // SubprocessJobConfig is the serializable configuration passed to the subprocess.
 // It contains all information needed to run a compaction job in isolation.
 type SubprocessJobConfig struct {
@@ -90,6 +93,9 @@ func RunSubprocessJob(config *SubprocessJobConfig) (*SubprocessJobResult, error)
 	// Set DuckDB memory limit from config.
 	// This prevents OOM on servers without swap by forcing DuckDB to spill to disk.
 	if config.MemoryLimit != "" {
+		if !memLimitRe.MatchString(config.MemoryLimit) {
+			return nil, fmt.Errorf("invalid memory_limit value: %q", config.MemoryLimit)
+		}
 		if _, err := db.Exec(fmt.Sprintf("SET memory_limit='%s'", config.MemoryLimit)); err != nil {
 			logger.Warn().Err(err).Str("limit", config.MemoryLimit).Msg("Failed to set DuckDB memory limit")
 		} else {

internal/database/duckdb.go

@@ -560,6 +560,17 @@ func (d *DuckDB) QueryWithProfileContext(ctx context.Context, query string) (*sq
 		}
 		return rows, conn, nil, nil
 	}
+	if err := os.Chmod(tmpFile.Name(), 0600); err != nil {
+		tmpFile.Close()
+		os.Remove(tmpFile.Name())
+		// Fall back to regular query
+		rows, err := conn.QueryContext(ctx, query)
+		if err != nil {
+			conn.Close()
+			return nil, nil, nil, err
+		}
+		return rows, conn, nil, nil
+	}
 	profilePath := tmpFile.Name()
 	tmpFile.Close()
 	defer os.Remove(profilePath)