fix(python_repl): restrict permissions on persisted state and error logs#517
fix(python_repl): restrict permissions on persisted state and error logs#517yonib05 wants to merge 3 commits into
Conversation
The REPL state directory and pickle file hold the full REPL namespace, and the errors directory and errors.txt echo executed code. These were created with default permissions, leaving them readable by other users on a shared host. Create the directories mode 0o700 and write the files mode 0o600 via os.open so they are owner-only.
|
/strands-ts review |
ReviewThe permission-hardening approach is sound and the existing tests are well targeted. I found one gap worth closing:
This is exactly the upgrade scenario the change is meant to protect, and it's inconsistent with how the PR already handles the directories (explicit Change applied (commit
|
… files os.open with O_CREAT only applies the mode on creation, so fchmod the open descriptor to also restrict a pre-existing repl_state.pkl or errors.txt. Add regression tests for both.
|
/strands-ts review |
Review (pass 2)Re-reviewed after the
The original PR's Change applied (commit
|
os.fchmod is POSIX-only and raises AttributeError on Windows. Guard both calls with hasattr(os, 'fchmod'); on Windows the O_CREAT mode still applies, matching prior behavior.
Description
python_replpersists the REPL namespace torepl_state/repl_state.pklandappends executed code and tracebacks to
errors/errors.txt. Both thedirectories and files were created with default permissions, so on a shared
host they could be readable by other local users even though they may hold
sensitive values from the session.
This change creates those directories with mode
0o700and writes the fileswith mode
0o600(viaos.open), so they are owner-only.Changes
mode=0o700andos.chmodthem to0o700(covering the already-exists case).repl_state.pklanderrors.txtthroughos.open(..., 0o600).Testing
TestStatePermissionsasserting no group/other permission bits are seton the persistence directory and the state file.
pytest tests/test_python_repl.pypasses.ruff format --checkandruff checkpass on the changed files.