Skip to content

[Hackathon] Credential file is not owner-only on Windows (0o600 is a no-op there) #104

Description

@Andy00L

Discord Username / User ID

interferon0

What does this improvement do?

writeCredentialsAtomic sets POSIX mode 0o600 and ensureRestrictiveMode chmods to 0o600 if over-permissive, but on Windows Node's fs mode only toggles the read-only bit, so the API key at %USERPROFILE%.testsprite\credentials is not owner-only and can be readable by other local accounts on a shared/enterprise host. Worse, ensureRestrictiveMode's check reads a synthesized 0o666, calls chmodSync(0o600), "succeeds", and reports nothing, so operators believe the key is protected when it is not. Tighten the ACL on Windows, or at minimum warn.

Details / implementation notes

src/lib/credentials.ts:182-198. On process.platform === 'win32', replace the POSIX chmod with an ACL tightening via icacls "" /inheritance:r /grant:r "%USERNAME%:F" (spawn with an args array, never a shell string, to avoid path injection), OR at minimum emit a one-line stderr warning at write time that file permissions are not enforced on Windows. Do not leave the current silent "chmod succeeded" path. No new dependency. Tests: on win32 the ACL command runs / the warning is emitted; the POSIX path is unchanged. PR to follow once assigned.

Confirmations

  • I have searched existing issues and this is not a duplicate.
  • I have provided my Discord identity above for reward coordination.

Metadata

Metadata

Labels

hackathonCLI hackathon submissionsin-progressAssigned and actively being worked on

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions