futrther improvements to anonymization

package.json

@@ -78,7 +78,7 @@
     "yazl": "^2.5.1"
   },
   "devDependencies": {
-    "electron": "9.0.2",
+    "electron": "9.0.3",
     "electron-builder": "22.6.0",
     "electron-packager": "14.2.1",
     "electron-rebuild": "1.10.1",

src/services/attributes.js

@@ -115,13 +115,24 @@ function isAttributeType(type) {
 }
 
 function isAttributeDangerous(type, name) {
-    return BUILTIN_ATTRIBUTES.some(attr => 
+    return BUILTIN_ATTRIBUTES.some(attr =>
-        attr.type === attr.type && 
+        attr.type === attr.type &&
         attr.name.toLowerCase() === name.trim().toLowerCase() &&
         attr.isDangerous
     );
 }
 
+function getBuiltinAttributeNames() {
+    return BUILTIN_ATTRIBUTES
+        .map(attr => attr.name)
+        .concat([
+            'internalLink',
+            'imageLink',
+            'includeNoteLink',
+            'relationMapLink'
+        ]);
+}
+
 module.exports = {
     getNotesWithLabel,
     getNotesWithLabels,
@@ -131,5 +142,6 @@ module.exports = {
     createAttribute,
     getAttributeNames,
     isAttributeType,
-    isAttributeDangerous
+    isAttributeDangerous,
-};
+    getBuiltinAttributeNames
+};

src/services/backup.js

@@ -7,7 +7,9 @@ const dataDir = require('./data_dir');
 const log = require('./log');
 const sqlInit = require('./sql_init');
 const syncMutexService = require('./sync_mutex');
+const attributeService = require('./attributes');
 const cls = require('./cls');
+const utils = require('./utils');
 const sqlite = require('sqlite');
 const sqlite3 = require('sqlite3');
 
@@ -98,9 +100,14 @@ async function anonymize() {
     await db.run("UPDATE notes SET title = 'title'");
     await db.run("UPDATE note_contents SET content = 'text' WHERE content IS NOT NULL");
     await db.run("UPDATE note_revisions SET title = 'title'");
-    await db.run("UPDATE note_revision_contents SET content = 'title' WHERE content IS NOT NULL");
+    await db.run("UPDATE note_revision_contents SET content = 'text' WHERE content IS NOT NULL");
-    await db.run("UPDATE attributes SET name = 'name', value = 'value' WHERE type = 'label'");
+
-    await db.run("UPDATE attributes SET name = 'name' WHERE type = 'relation' AND name != 'template'");
+    // we want to delete all non-builtin attributes because they can contain sensitive names and values
+    // on the other hand builtin/system attrs should not contain any sensitive info
+    const builtinAttrs = attributeService.getBuiltinAttributeNames().map(name => "'" + utils.sanitizeSql(name) + "'").join(', ');
+
+    await db.run(`UPDATE attributes SET name = 'name', value = 'value' WHERE type = 'label' AND name NOT IN(${builtinAttrs})`);
+    await db.run(`UPDATE attributes SET name = 'name' WHERE type = 'relation' AND name NOT IN (${builtinAttrs})`);
     await db.run("UPDATE branches SET prefix = 'prefix' WHERE prefix IS NOT NULL");
     await db.run(`UPDATE options SET value = 'anonymized' WHERE name IN 
                     ('documentId', 'documentSecret', 'encryptedDataKey', 'passwordVerificationHash',