Security (Low): harden local credential storage#5
Merged
Conversation
L5: save_to_file() now writes cookies to a sibling .tmp, chmods it 0600, then os.replace()s it into place — no umask race where the file is briefly world-readable. L6: _ensure_dirs() and create() make ~/.tr-api, profiles/, and per-profile dirs with mode=0o700 so cookie file names aren't listable by other users. L7: error strings no longer embed raw upstream response bodies. A new _redact_body() collapses whitespace and hard-truncates to a short snippet; callers still include the status code for debugging. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #4
Local-file hardening for credential/cookie storage. No behavior change to the auth flow.
L5 — atomic 0600 credential/cookie writes (
cookies.py)save_to_file()previously ranjar.save()thenpath.chmod(0o600), leaving a umask-race window where session cookies were briefly world-readable. Now it writes to a sibling.tmp,os.chmod(tmp, 0o600), thenos.replace(tmp, path)— the final file is 0600 from the moment it exists. Matches the atomic pattern gbm-mx-api uses.L6 — 0700 profile dir (
profiles.py)_ensure_dirs()now creates~/.tr-apiandprofiles/withmode=0o700, andcreate()makes each per-profile dir withmode=0o700. Cookie file names are no longer listable by other local users.L7 — redact raw response bodies (
auth.py)Added
_redact_body()(collapses whitespace, hard-truncates to ~120 chars). All error strings that embeddedr.text[:200/300]now route through it, so raw upstream 4xx/5xx bodies are no longer attached to user-facing exceptions. Status codes are still included for debugging.Verified:
python3 -m py_compilepasses on all three files.🤖 Generated with Claude Code