Merge pull request #1054 from GitGuardian/salomevoltz/scrt-5312-chang…

…e-auth_config-file-permissions chore: restrict auth_config file permissions
GitGuardian · Feb 5, 2025 · 920bbf7 · 920bbf7
2 parents a0e2230 + 8eaee75
commit 920bbf7
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/ggshield/core/config/auth_config.py b/ggshield/core/config/auth_config.py
@@ -130,7 +130,7 @@ def load(cls) -> "AuthConfig":
     def save(self) -> None:
         config_path = get_auth_config_filepath()
         data = prepare_auth_config_dict_for_save(self.to_dict())
-        save_yaml_dict(data, config_path)
+        save_yaml_dict(data, config_path, restricted=True)
 
     def get_instance(self, instance_name: str) -> InstanceConfig:
         for instance in self.instances:

diff --git a/ggshield/core/config/utils.py b/ggshield/core/config/utils.py
@@ -59,13 +59,20 @@ def load_yaml_dict(path: Union[str, Path]) -> Optional[Dict[str, Any]]:
     return data
 
 
-def save_yaml_dict(data: Dict[str, Any], path: Union[str, Path]) -> None:
+def save_yaml_dict(
+    data: Dict[str, Any], path: Union[str, Path], restricted: bool = False
+) -> None:
     p = Path(path)
     p.parent.mkdir(parents=True, exist_ok=True)
     with p.open("w") as f:
         try:
+            if restricted:
+                # Restrict file permissions: read and write for owner only (600)
+                p.chmod(0o600)
+
             stream = yaml.dump(data, indent=2, default_flow_style=False)
             f.write(stream)
+
         except Exception as e:
             raise UnexpectedError(f"Failed to save config to {path}:\n{str(e)}") from e