mirror of
https://github.com/NanmiCoder/cc-haha
synced 2026-07-18 13:23:33 +08:00
fix(adapters): harden credential file storage in pairing.ts
Three security improvements for adapters.json storage: - Use crypto.randomBytes for temp filename instead of predictable Date.now(), preventing TOCTOU symlink race during atomic write. - Enforce 0o600 permissions on adapters.json via writeFileSync mode option to prevent credential leakage via permissive umask. - Enforce 0o700 permissions on ~/.claude/ config directory via mkdirSync mode option. adapters.json contains sensitive credentials including Feishu app secrets and Telegram bot tokens.
This commit is contained in:
parent
c13fa75c3b
commit
9698307f27
@ -58,9 +58,9 @@ function readConfigFile(): Record<string, any> {
|
||||
function writeConfigFile(data: Record<string, any>): void {
|
||||
const filePath = getConfigPath()
|
||||
const dir = path.dirname(filePath)
|
||||
if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true })
|
||||
const tmp = `${filePath}.tmp.${Date.now()}`
|
||||
fs.writeFileSync(tmp, JSON.stringify(data, null, 2) + '\n', 'utf-8')
|
||||
if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true, mode: 0o700 })
|
||||
const tmp = `${filePath}.tmp.${crypto.randomBytes(8).toString('hex')}`
|
||||
fs.writeFileSync(tmp, JSON.stringify(data, null, 2) + '\n', { encoding: 'utf-8', mode: 0o600 })
|
||||
fs.renameSync(tmp, filePath)
|
||||
}
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user