negodiy/openclaw
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

fix(security): create session transcript files with 0o600 permissions (#18066)

Browse Source 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 962f497d242c5affa9b610f38f3dc7844426198d
Co-authored-by: brandonwise <21148772+brandonwise@users.noreply.github.com>
Co-authored-by: sebslight <19554889+sebslight@users.noreply.github.com>
Reviewed-by: @sebslight
This commit is contained in:
brandonwise
2026-02-16 08:33:40 -05:00
committed by GitHub
parent 6931f0fb50
commit 095d522099
6 changed files with 32 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/security/fix.test.ts
View File

@@ -255,6 +255,9 @@ describe("security fix", () => {
const sessionsStorePath = path.join(sessionsDir, "sessions.json");
await fs.writeFile(sessionsStorePath, "{}\n", "utf-8");
await fs.chmod(sessionsStorePath, 0o644);
const transcriptPath = path.join(sessionsDir, "sess-main.jsonl");
await fs.writeFile(transcriptPath, '{"type":"session"}\n', "utf-8");
await fs.chmod(transcriptPath, 0o644);
const env = {
...process.env,
@@ -269,6 +272,7 @@ describe("security fix", () => {
expectPerms((await fs.stat(allowFromPath)).mode & 0o777, 0o600);
expectPerms((await fs.stat(authProfilesPath)).mode & 0o777, 0o600);
expectPerms((await fs.stat(sessionsStorePath)).mode & 0o777, 0o600);
expectPerms((await fs.stat(transcriptPath)).mode & 0o777, 0o600);
expectPerms((await fs.stat(includePath)).mode & 0o777, 0o600);
});
});

15
src/security/fix.ts
View File

@@ -366,6 +366,21 @@ async function chmodCredentialsAndAgentState(params: {
const storePath = path.join(sessionsDir, "sessions.json");
// eslint-disable-next-line no-await-in-loop
params.actions.push(await params.applyPerms({ path: storePath, mode: 0o600, require: "file" }));
// Fix permissions on session transcript files (*.jsonl)
// eslint-disable-next-line no-await-in-loop
const sessionEntries = await fs.readdir(sessionsDir, { withFileTypes: true }).catch(() => []);
for (const entry of sessionEntries) {
if (!entry.isFile()) {
continue;
}
if (!entry.name.endsWith(".jsonl")) {
continue;
}
const p = path.join(sessionsDir, entry.name);
// eslint-disable-next-line no-await-in-loop
params.actions.push(await params.applyPerms({ path: p, mode: 0o600, require: "file" }));
}
}
}