Skip to content

🔒 Security: Auth file permission not validated on read #72

Description

@ajianaz

Description

load_api_key_from_auth_file() in src/config/loader.rs:354-382 reads the auth.toml file without checking file permissions. While save_api_key() sets 0o600 on Unix, the file could have been created manually with lax permissions.

Suggested Fix

Add permission check when reading on Unix:

#[cfg(unix)]
{
    use std::os::unix::fs::PermissionsExt;
    let perms = std::fs::metadata(&path)?.permissions();
    if perms.mode() & 0o077 != 0 {
        tracing::warn!("auth file has overly permissive permissions");
    }
}

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions