[wrangler] Write auth config file with mode 0600 and re-chmod on save #14170
Tighten the on-disk permissions of the OAuth credentials file written by 'wrangler login' so other local users on shared hosts can no longer read the stored tokens. Existing files with looser permissions from older Wrangler versions are tightened on the next refresh / login. The 'mode: 0o600' option on writeFileSync only applies when the file is created; an explicit chmodSync after the write covers the already-existing-file case too.
🦋 Changeset detected
Latest commit: af852cc
The changes in this PR will be included in the next version bump. This PR includes changesets to release 5 packages
Codeowners approval required for this PR:
The change centralizes through Let me consider the TOCTOU concern more concretely. For a pre-existing file with 0644 ownership belonging to the user, The code is correct, follows conventions (uses LGTM
✅ All changesets look good
create-cloudflare
@cloudflare/deploy-helpers
@cloudflare/kv-asset-handler
miniflare
@cloudflare/pages-shared
@cloudflare/unenv-preset
@cloudflare/vite-plugin
@cloudflare/vitest-pool-workers
@cloudflare/workers-auth
@cloudflare/workers-editor-shared
@cloudflare/workers-utils
wrangler
@cloudflare/wrangler-bundler
commit: |
workers-devprod
left a comment
Codeowners reviews satisfied
Tighten on-disk permissions of the Wrangler OAuth credentials file to 0600 and re-chmod on every save so other local users on shared hosts cannot read the stored tokens.

This is the auth-config-file slice of the broader REVIEW-17452 security hardening — extracted here as a stand-alone defence-in-depth change against the user-credentials file. Other parts of the original review apply only to the WebSocket-callback OAuth flow that is not yet on main and will land separately.

What changes

writeAuthConfigFile in @cloudflare/workers-auth now passes mode: 0o600 to writeFileSync so newly-created files are tight from the start, and follows the write with an explicit chmodSync(path, 0o600) so files written by older Wrangler versions (or with a looser process umask) get tightened on the next refresh / login.

Why both mode and chmodSync

Node's writeFileSync({ mode }) option is only honoured when the file is being created — if the file already exists, the option is silently ignored. The explicit chmodSync covers the upgrade path where an old default.toml already exists with 0o644.

wrangler login; there is no user-visible API surface or configuration knob.
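The create-only behaviour of the mode option described above, as an added Node.js example that is not part of this PR or of Wrangler's code. It assumes a POSIX system and works in a temporary directory; writeSecretFile, permBits, the file names and the file contents are constructed for illustration.

```javascript
// Added example, not Wrangler's code. POSIX only: Windows ignores most mode bits.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Permission bits only, without the file-type bits that stat() also returns.
function permBits(file) {
  return fs.statSync(file).mode & 0o777;
}

// Hypothetical helper following the pattern the PR describes:
// mode covers the file-is-created case, chmodSync the file-already-exists case.
function writeSecretFile(file, contents) {
  fs.writeFileSync(file, contents, { encoding: "utf8", mode: 0o600 });
  fs.chmodSync(file, 0o600);
}

function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "auth-perms-"));
  const existing = path.join(dir, "default.toml");
  const fresh = path.join(dir, "fresh.toml");
  try {
    // Simulate a credentials file left behind with 0644 (constructed contents).
    fs.writeFileSync(existing, 'token = "constructed-old"\n');
    fs.chmodSync(existing, 0o644);
    const before = permBits(existing);

    // mode alone: the file exists, so the requested 0600 is not applied.
    fs.writeFileSync(existing, 'token = "constructed-new"\n', { mode: 0o600 });
    const afterModeOnly = permBits(existing);

    // mode plus explicit chmod: the existing file is tightened.
    writeSecretFile(existing, 'token = "constructed-new"\n');
    const afterWriteAndChmod = permBits(existing);

    // A file that does not exist yet is created with the requested mode.
    fs.writeFileSync(fresh, 'token = "constructed"\n', { mode: 0o600 });
    const createdWithMode = permBits(fresh);

    return { before, afterModeOnly, afterWriteAndChmod, createdWithMode };
  } finally {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}

for (const [step, bits] of Object.entries(demo())) {
  console.log(step.padEnd(20), "0" + bits.toString(8));
}
```

The same permBits check, masked with 0o077, can be used to audit an existing credentials file for group or other access.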