fix: tighten file permissions for config writes#1021

Merged
Soner (shyim) merged 1 commit into next from fix/config-file-permissions on May 18, 2026

Conversation

@shyim

Member

Summary

  • .shopware-project.local.yml contains secrets (Blackfire/Tideways API keys) — write with 0o600 so it isn't world-readable.
  • .shopware-project.yml and compose.yaml now use 0o644 instead of os.ModePerm (0o777).

os.ModePerm is 0o777 (world-writable, executable bits set), which is the wrong default for config files. Linters like gosec flag it as G306.

This addresses item #1 in the post-merge review of next. Remaining os.ModePerm call sites across the codebase are tracked in #1020.

Test plan

  • go build ./...
  • go test ./internal/shop/... ./internal/docker/...
  • Verify generated .shopware-project.local.yml has mode -rw------- after shopware-cli project create with a profiler enabled

.shopware-project.local.yml contains secrets (Blackfire/Tideways API
keys), so write it with 0o600. Regular config files (.shopware-project.yml,
compose.yaml) use 0o644 instead of os.ModePerm (0o777).

Refs #1020
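The description above contrasts the old `os.ModePerm` (0o777) write with the new 0o600 / 0o644 modes. The following is an added example, not shopware-cli's own code, that shows the two modes side by side, a check a reviewer could run against generated files, and one caveat the test plan's `-rw-------` verification depends on: `os.WriteFile` applies its mode only when it creates the file, so a `.shopware-project.local.yml` left behind by the old 0o777 code path keeps its bits on rewrite unless an explicit `Chmod` follows. The helper names (`WriteConfigFile`, `PermBits`, `IsOwnerOnly`, `IsNotWorldWritable`), the sample YAML contents and the placeholder token are all assumptions made for this example; it assumes Unix-style permission bits.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Modes from the PR description: the local file carries API keys and must be
// owner-only; ordinary config files are readable by everyone but writable
// only by the owner. Both replace the previous os.ModePerm (0o777).
const (
	SecretFileMode os.FileMode = 0o600 // .shopware-project.local.yml
	ConfigFileMode os.FileMode = 0o644 // .shopware-project.yml, compose.yaml
)

// WriteConfigFile writes data to path and ensures the file ends up with
// exactly mode. os.WriteFile applies perm only when it creates the file, so a
// file created earlier by the os.ModePerm code path would keep its 0o777 bits
// after a rewrite. The explicit Chmod (not subject to umask) closes that gap.
// Assumed helper for this example, not shopware-cli's own function.
func WriteConfigFile(path string, data []byte, mode os.FileMode) error {
	if err := os.WriteFile(path, data, mode); err != nil {
		return err
	}
	return os.Chmod(path, mode)
}

// PermBits returns the permission bits (0o777 mask) of the file at path.
func PermBits(path string) (os.FileMode, error) {
	info, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	return info.Mode().Perm(), nil
}

// IsOwnerOnly reports whether no permission bit is granted to group or other,
// the property a secret-bearing file should satisfy (gosec G306 territory).
func IsOwnerOnly(path string) (bool, error) {
	perm, err := PermBits(path)
	if err != nil {
		return false, err
	}
	return perm&0o077 == 0, nil
}

// IsNotWorldWritable reports whether group and other lack the write bit,
// the weaker property that is sufficient for non-secret config files.
func IsNotWorldWritable(path string) (bool, error) {
	perm, err := PermBits(path)
	if err != nil {
		return false, err
	}
	return perm&0o022 == 0, nil
}

func main() {
	dir, err := os.MkdirTemp("", "shopware-perms-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	local := filepath.Join(dir, ".shopware-project.local.yml")
	project := filepath.Join(dir, ".shopware-project.yml")

	// Constructed sample contents; the token value is a placeholder.
	secret := []byte("blackfire:\n  server_token: PLACEHOLDER_TOKEN\n")
	public := []byte("shop:\n  url: http://localhost\n")

	// Simulate a file left behind by the old os.ModePerm code path.
	if err := os.WriteFile(local, secret, os.ModePerm); err != nil {
		panic(err)
	}
	before, _ := PermBits(local)
	fmt.Printf("%s before fix: %o\n", filepath.Base(local), before)

	// Apply the tightened modes.
	if err := WriteConfigFile(local, secret, SecretFileMode); err != nil {
		panic(err)
	}
	if err := WriteConfigFile(project, public, ConfigFileMode); err != nil {
		panic(err)
	}

	for _, p := range []string{local, project} {
		perm, _ := PermBits(p)
		ownerOnly, _ := IsOwnerOnly(p)
		fmt.Printf("%s: mode %o, owner-only=%v\n", filepath.Base(p), perm, ownerOnly)
	}
}
```

Because the creation mode passed to `os.WriteFile` is further reduced by the process umask while `os.Chmod` is not, the trailing `Chmod` also makes the resulting mode deterministic, which matters when a test asserts on the exact `-rw-------` string rather than on "no group/other bits".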
@shyim Soner (shyim) merged commit 9e45eae into next May 18, 2026
2 checks passed
@shyim Soner (shyim) deleted the fix/config-file-permissions branch May 18, 2026 02:44