Security Audit — Issue 12 of 15
Severity: Low
File: packages/graph/src/sqlite-store.ts:293-303
Description
copyFileSync copies the database without setting 600 permissions on the backup. The backup file inherits umask defaults, potentially leaving cortex.db.backup world-readable on systems with permissive umask. docs/security.md specifies backups should have 600 permissions.
Verified
✅ Confirmed — copyFileSync() is called without a subsequent chmodSync(0o600).
Suggested Fix
import { chmodSync, copyFileSync } from "node:fs";

copyFileSync(this.dbPath, backupPath);
// Tighten the backup to owner read/write only, as docs/security.md requires.
chmodSync(backupPath, 0o600);
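The following is an added TypeScript example (not code from the project or from the review) that demonstrates the finding end to end: it builds a constructed sample database in a temp directory under a permissive umask, shows the mode bits the plain copyFileSync backup ends up with, applies the suggested chmodSync(0o600) fix, and also shows a variant that opens the backup with mode 0o600 from the start so the file never exists with wider permissions between the copy and the chmod. The function names, the temp-directory layout and the sample contents are assumptions made for this example.

```typescript
import {
  chmodSync,
  closeSync,
  copyFileSync,
  mkdtempSync,
  openSync,
  readFileSync,
  statSync,
  writeFileSync,
  writeSync,
} from "node:fs";
import { tmpdir } from "node:os";
import { join } from "node:path";

// Permission bits of a path, with the file-type bits masked off.
export function modeBits(path: string): number {
  return statSync(path).mode & 0o777;
}

// Pattern described in the finding: copyFileSync alone. The copy keeps the
// permissive bits the source database received from the umask, so on a
// 022 umask the backup is readable by group and other.
export function backupWeak(dbPath: string, backupPath: string): number {
  copyFileSync(dbPath, backupPath);
  return modeBits(backupPath);
}

// Suggested fix from the finding: copy, then tighten to owner-only 0600.
export function backupChmod(dbPath: string, backupPath: string): number {
  copyFileSync(dbPath, backupPath);
  chmodSync(backupPath, 0o600);
  return modeBits(backupPath);
}

// Hardened variant (assumption added in this example, not from the finding):
// create the destination with mode 0600 so there is no window in which the
// backup exists with umask-derived permissions. 0600 & ~umask is never wider
// than 0600, whatever the umask is.
export function backupCreateWithMode(dbPath: string, backupPath: string): number {
  const data = readFileSync(dbPath);
  const fd = openSync(backupPath, "w", 0o600); // O_WRONLY|O_CREAT|O_TRUNC, mode 0600
  try {
    writeSync(fd, data);
  } finally {
    closeSync(fd);
  }
  return modeBits(backupPath);
}

// Demo: constructed sample database under a deliberately permissive umask.
export function demo(): { weak: number; chmod: number; createWithMode: number } {
  const dir = mkdtempSync(join(tmpdir(), "cortex-backup-demo-"));
  const dbPath = join(dir, "cortex.db");
  writeFileSync(dbPath, "constructed sample database contents"); // 0666 & ~umask
  const previousUmask = process.umask(0o022); // group/other may read new files
  try {
    return {
      weak: backupWeak(dbPath, join(dir, "weak.backup")),
      chmod: backupChmod(dbPath, join(dir, "chmod.backup")),
      createWithMode: backupCreateWithMode(dbPath, join(dir, "mode.backup")),
    };
  } finally {
    process.umask(previousUmask);
  }
}

console.log(demo()); // { weak: 420 (0644), chmod: 384 (0600), createWithMode: 384 (0600) }
```

Under a 022 umask the unfixed copy ends up 0644 (readable by everyone on the host), while both corrected variants are 0600. The chmod-after-copy fix is what the finding asks for; the create-with-mode variant is worth considering where the backup may be large and the copy takes long enough for the interim permissions to matter.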
Source
From a community security review on Reddit:
https://www.reddit.com/r/ClaudeAI/comments/1rm4avi/built_an_mcp_server_that_gives_claude_code_access/