Skip to content

fix: restrict config file permissions to owner only#72

Merged
pchuri merged 2 commits intopchuri:mainfrom
tokuhirom:fix/config-file-permissions
Mar 11, 2026
Merged

fix: restrict config file permissions to owner only#72
pchuri merged 2 commits intopchuri:mainfrom
tokuhirom:fix/config-file-permissions

Conversation

@tokuhirom
Copy link
Contributor

@tokuhirom tokuhirom commented Mar 10, 2026

Description

Set config directory to 0o700 and config file to 0o600 to prevent other users from reading stored API tokens in multi-user environments.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Performance improvement
  • Code refactoring

Testing

  • Tests pass locally with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • Any dependent changes have been merged and published in downstream modules

Screenshots (if applicable)

Additional Context

@tokuhirom
fix: restrict config file permissions to owner only
3f20a91 
Set config directory to 0o700 and config file to 0o600 to prevent
other users from reading stored API tokens in multi-user environments.
chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Mar 10, 2026
View reviewed changes
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3f20a919d9

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

lib/config.js
fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
}
fs.writeFileSync(CONFIG_FILE, JSON.stringify(data, null, 2));
fs.writeFileSync(CONFIG_FILE, JSON.stringify(data, null, 2), { mode: 0o600 });
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Tighten permissions on existing config files

This call only enforces 0o600 when config.json is newly created; if the file already exists (the common upgrade path), writeFileSync preserves its current mode, so previously permissive files like 0644 remain readable by other users in multi-user environments. The fix needs an explicit chmod path for existing files after writing.

Useful? React with 👍 / 👎.

lib/config.js
function saveConfigFile(data) {
if (!fs.existsSync(CONFIG_DIR)) {
fs.mkdirSync(CONFIG_DIR, { recursive: true });
fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Enforce directory mode when config directory exists

Using mkdirSync(..., { recursive: true, mode: 0o700 }) does not correct permissions on an already-existing ~/.confluence-cli directory, so installs with older/broader directory modes (for example 0755) keep those permissions and are not fully hardened. Add an explicit chmod for the existing directory case.

Useful? React with 👍 / 👎.

pchuri
pchuri reviewed Mar 11, 2026
View reviewed changes
Copy link
Owner

@pchuri pchuri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the contribution, @tokuhirom! Restricting config file permissions is an important security improvement.

I have one main concern:

Existing files/directories are not remediated

writeFileSync with { mode: 0o600 } and mkdirSync with { mode: 0o700 } only apply permissions when the file/directory is newly created. If a user already has config.json at 0644 or ~/.confluence-cli/ at 0755 (the common upgrade path), those permissions remain unchanged after this patch.

Suggested fix — add explicit chmodSync calls:

function saveConfigFile(data) {
  if (!fs.existsSync(CONFIG_DIR)) {
    fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
  } else {
    fs.chmodSync(CONFIG_DIR, 0o700);
  }
  fs.writeFileSync(CONFIG_FILE, JSON.stringify(data, null, 2), { mode: 0o600 });
  fs.chmodSync(CONFIG_FILE, 0o600);
}

This ensures that every save operation tightens permissions regardless of whether the file/directory existed before.

It would also be great to add test coverage for the chmodSync calls on existing files.

Other than that, the test refactoring (captureConfigWrite destructuring) looks clean. Nice work!

@tokuhirom
fix: enforce permissions on existing config files via chmodSync
237eba1 
Add explicit chmodSync calls in saveConfigFile so that pre-existing
~/.confluence-cli/ directories and config.json files created before this
fix (typically 0755/0644) are tightened to 0o700/0o600 on every save.

Also add test coverage for chmodSync on existing files.
@tokuhirom
Copy link
Contributor Author

tokuhirom commented Mar 11, 2026

@pchuri thanks, i added the fix.

@pchuri
Copy link
Owner

pchuri commented Mar 11, 2026

Hi @tokuhirom, you mentioned that you added the fix, but I can only see the original commit (3f20a91). Could you push the follow-up commit with the chmodSync changes?

pchuri
pchuri approved these changes Mar 11, 2026
View reviewed changes
Copy link
Owner

@pchuri pchuri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! The follow-up commit properly addresses the feedback — chmodSync now enforces correct permissions on existing files/directories on every save. Test coverage looks solid too.

@pchuri pchuri merged commit 25ec54d into pchuri:main Mar 11, 2026
6 checks passed
github-actions bot pushed a commit that referenced this pull request Mar 11, 2026
@semantic-release-bot
chore(release): 1.27.1 [skip ci]
5474f01 
## [1.27.1](v1.27.0...v1.27.1) (2026-03-11)

### Bug Fixes

* restrict config file permissions to owner only ([#72](#72)) ([25ec54d](25ec54d))
@github-actions
Copy link

github-actions bot commented Mar 11, 2026

🎉 This PR is included in version 1.27.1 🎉

The release is available on:

Your semantic-release bot 📦🚀

@tokuhirom
Copy link
Contributor Author

tokuhirom commented Mar 12, 2026

i forgot push. thanks for merging :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

@pchuri pchuri pchuri approved these changes

Assignees

No one assigned

Labels

released

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tokuhirom @pchuri