fix(adapters): harden credential file storage in pairing.ts

Three security improvements for adapters.json storage:

- Use crypto.randomBytes for temp filename instead of predictable
  Date.now(), preventing TOCTOU symlink race during atomic write.
- Enforce 0o600 permissions on adapters.json via writeFileSync mode
  option to prevent credential leakage via permissive umask.
- Enforce 0o700 permissions on ~/.claude/ config directory via
  mkdirSync mode option.

adapters.json contains sensitive credentials including Feishu app
secrets and Telegram bot tokens.
This commit is contained in:
Ziang Xie 2026-05-02 00:40:44 +08:00
parent c13fa75c3b
commit 9698307f27

View File

@ -58,9 +58,9 @@ function readConfigFile(): Record<string, any> {
function writeConfigFile(data: Record<string, any>): void {
const filePath = getConfigPath()
const dir = path.dirname(filePath)
if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true })
const tmp = `${filePath}.tmp.${Date.now()}`
fs.writeFileSync(tmp, JSON.stringify(data, null, 2) + '\n', 'utf-8')
if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true, mode: 0o700 })
const tmp = `${filePath}.tmp.${crypto.randomBytes(8).toString('hex')}`
fs.writeFileSync(tmp, JSON.stringify(data, null, 2) + '\n', { encoding: 'utf-8', mode: 0o600 })
fs.renameSync(tmp, filePath)
}