Description
load_api_key_from_auth_file() in src/config/loader.rs:354-382 reads the auth.toml file without checking file permissions. While save_api_key() sets 0o600 on Unix, the file could have been created manually with lax permissions.
Suggested Fix
Add permission check when reading on Unix:
#[cfg(unix)]
{
use std::os::unix::fs::PermissionsExt;
let perms = std::fs::metadata(&path)?.permissions();
if perms.mode() & 0o077 != 0 {
tracing::warn!("auth file has overly permissive permissions");
}
}
Description
load_api_key_from_auth_file()insrc/config/loader.rs:354-382reads the auth.toml file without checking file permissions. Whilesave_api_key()sets 0o600 on Unix, the file could have been created manually with lax permissions.Suggested Fix
Add permission check when reading on Unix: