google: write Cloud SQL keyfile_dict credentials with 0600 permissions#67507
Open
potiuk wants to merge 1 commit into
Open
google: write Cloud SQL keyfile_dict credentials with 0600 permissions#67507potiuk wants to merge 1 commit into
potiuk wants to merge 1 commit into
Conversation
When the Google connection supplies credentials via ``keyfile_dict``, ``CloudSqlProxyRunner._get_credential_parameters`` wrote the credentials file with ``open(path, "w")``. That inherits the process umask (typically ``0o644`` on most distributions), leaving the service-account private key world-readable on shared worker hosts — including any other process on the same machine that can read the worker's temp directory. Use ``os.open(..., O_WRONLY | O_CREAT | O_TRUNC, 0o600)`` followed by ``os.fdopen`` so the file is created with restrictive permissions atomically. Matches the explicit-mode handling already used for the SSL temp files in the same module.
boring-cyborg
Bot
added
area:providers
provider:google
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
When the Google connection supplies credentials via
keyfile_dict,CloudSqlProxyRunner._get_credential_parameterswrites the credentials file withopen(path, "w")atcloud_sql.py:629. That inherits the process umask (typically0o644), leaving the service-account private key world-readable on shared worker hosts — including any other process on the same machine that can read the worker's temp directory.Reported as F-004 in the
apache/tooling-agentsL3 providers/google sweepb1aec75.Change
Use
os.open(..., O_WRONLY | O_CREAT | O_TRUNC, 0o600)followed byos.fdopenso the file is created with restrictive permissions atomically. Matches the explicit-mode handling already used for the SSL temp files in the same module.Test plan
test_credentials_file_from_keyfile_dict_is_chmod_0600— writes credentials via the real code path, readsPath.stat().st_mode, assertsstat.S_IMODE == 0o600.prek run ruffclean on touched files.breeze run mypyclean on the source file.test_cloud_sql_proxy_runner_keeps_key_path_credentials_with_iam_loginstill passes (no behaviour change on thekey_pathbranch).Was generative AI tooling used to co-author this PR?
Generated-by: Claude Code (Opus 4.7) following the guidelines