Skip to content

[spark-compete] fix: set restrictive permissions on generated .env files#693

Open
ifeoluwaaj wants to merge 1 commit into
vibeforge1111:masterfrom
ifeoluwaaj:fix/env-file-chmod-600
Open

[spark-compete] fix: set restrictive permissions on generated .env files#693
ifeoluwaaj wants to merge 1 commit into
vibeforge1111:masterfrom
ifeoluwaaj:fix/env-file-chmod-600

Conversation

@ifeoluwaaj
Copy link
Copy Markdown
Contributor

@ifeoluwaaj ifeoluwaaj commented Jun 2, 2026
edited
Loading

spark-compete Packet

{
  "schema": "spark-compete-hotfix-v1",
  "event": "hotfix.submitted",
  "submission_mode": "pull_request",
  "submission_target_url": "https://github.com/vibeforge1111/spark-cli/pull/693",
  "team": {
    "name": "Sequence",
    "members": [
      "ifeoluwaaj",
      "micc9ee",
      "londitshabalala"
    ],
    "device_holder_github": "ifeoluwaaj",
    "device_holder_llm": "ifesn"
  },
  "target_repo": "vibeforge1111/spark-cli",
  "issue": {
    "severity": "MEDIUM",
    "category": "bug",
    "description": "Generated .env files containing secrets are created with default umask permissions, making them world-readable on multi-user systems."
  },
  "evidence": {
    "type": "code_review",
    "files": [],
    "forbidden": [
      "No secrets, tokens, or credentials in code or PR body",
      "No proprietary or confidential information disclosed",
      "No destructive actions performed on production systems"
    ]
  },
  "proposed_fix": {
    "summary": ".env files with secrets should be created with 0o600 permissions (owner read/write only).",
    "files_changed": []
  },
  
    "actual_behavior": "Generated .env files containing secrets are created with default umask permissions, making them world-readable on multi-user systems.",
    "files_expected": ["src/spark_cli/cli.py, src/spark_cli/sandbox/access.py"],
"pr": {
    "url": "https://github.com/vibeforge1111/spark-cli/pull/693",
    "branch": "fix/pr-693"
  },
  "review_claim": {
    "duplicate": false,
    "security_safe": true,
    "public_safe": true
  }
}

Team: Sequence

Bug Summary

Generated .env files containing secrets are created with default umask permissions, making them world-readable on multi-user systems.

Root Cause

Generated .env files containing secrets are created with default umask permissions, making them world-readable on multi-user systems.

Fix

Added os.chmod(path, 0o600) after write_text in write_generated_env() and write_env_file()

Before (The Bug)

Generated .env files containing secrets are created with default umask permissions, making them world-readable on multi-user systems.

After (The Fix)

Fix prevents the issue from occurring.

Testing

Verified: generated .env files now have 0o600 permissions

Before (The Bug)

# See diff for actual code change

After (The Fix)

# See diff for actual code change

Files Changed

src/spark_cli/cli.py, src/spark_cli/sandbox/access.py

Duplicate Notes

No existing PR covers this specific issue. This fix addresses a distinct bug not covered by other submissions.

Risk Notes

Minimal risk - security hardening only. 0o600 is standard for secret files. Existing files retain old permissions until rewritten.

@ifeoluwaaj
fix: set restrictive permissions on generated .env files
c988803 
Root cause: write_generated_env() and write_env_file() create .env files
containing secrets (API keys, tokens) without setting restrictive file
permissions. The files inherit the default umask, which typically allows
world-readable permissions.

Fix: Added os.chmod(path, 0o600) after write_text in both functions to
ensure .env files are only readable by the owner. This prevents other
users on the system from reading sensitive credentials.

Risk notes:
- chmod 0o600 is the standard security practice for secret files
- Both functions already exist and are in use; this is a security hardening
  change only
- os is already imported in both files
- No functional behavior changes beyond file permissions
@ifeoluwaaj ifeoluwaaj requested a review from vibeforge1111 as a code owner June 2, 2026 12:19
@vibeforge1111 vibeforge1111 mentioned this pull request Jun 2, 2026
Merged
3 tasks
@ifeoluwaaj ifeoluwaaj changed the title fix: set restrictive permissions on generated .env files [spark-compete] fix: set restrictive permissions on generated .env files Jun 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vibeforge1111 vibeforge1111 Awaiting requested review from vibeforge1111 vibeforge1111 is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ifeoluwaaj