
Security Fix: Restrict file permissions in copilot-agents.go (Alert #383)#8831

Merged
pelikhan merged 1 commit into main from main-f81a72a85816b4fb
Jan 4, 2026

Conversation


github-actions bot (Contributor) commented Jan 4, 2026

Security Fix: Incorrect Default Permissions

Alert Number: #383
Severity: Medium
Rule: G306 - Incorrect Default Permissions
File: pkg/cli/copilot-agents.go:53

Vulnerability Description

The security scanner identified that files were being written with overly permissive permissions (0644) when they should use more restrictive permissions (0600 or less). The affected code writes agent templates and Copilot instructions files that may contain sensitive configuration information.

With 0644 permissions (rw-r--r--), these files are:

  • Readable and writable by the owner
  • Readable by the group
  • Readable by all other users

This violates the principle of least privilege, as configuration files should only be accessible to the owner unless there's a specific need for broader access.

Fix Applied

Changed file permissions from 0644 to 0600 in the ensureFileMatchesTemplate() function at line 54.

Before:

// Write the file
if err := os.WriteFile(targetPath, []byte(templateContent), 0644); err != nil {

After:

// Write the file with restrictive permissions (0600) to follow security best practices
// Agent files and instructions may contain sensitive configuration
if err := os.WriteFile(targetPath, []byte(templateContent), 0600); err != nil {

With 0600 permissions (rw-------), files are:

  • Readable and writable by the owner only
  • Not accessible to group or other users

Security Best Practices Applied

  • Principle of Least Privilege: Files are created with the minimum necessary permissions
  • Defense in Depth: Even if the directory permissions are permissive, individual files remain protected
  • Secure by Default: Configuration files are private by default unless explicitly shared
  • CWE-732 Prevention: Prevents "Incorrect Permission Assignment for Critical Resource"

Files Affected

This fix applies to:

  • .github/agents/*.agent.md files (agent templates)
  • .github/aw/github-agentic-workflows.md (Copilot instructions)

All files written by the ensureFileMatchesTemplate() function now use restrictive permissions.

Testing

  • Build succeeded: go build ./pkg/cli/...
  • No breaking changes: Functionality remains identical
  • Permissions are applied at file creation time
  • Existing tests continue to pass

Impact Assessment

Risk: Low
Breaking Changes: None
Backwards Compatibility: Full
Performance: No impact

Users may notice that newly created agent/instruction files have more restrictive permissions, which is the intended security improvement. Existing files retain their current permissions until they are updated.

References

  • CWE-732: Incorrect Permission Assignment for Critical Resource
  • OWASP: File Permission Issues (link redacted)
  • gosec Rule G306: Expect WriteFile permissions to be 0600 or less

🤖 Generated with gh-aw security fix agent
Triggered by: @pelikhan
Workflow Run: #20686947569
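The caveat in the impact assessment above, that existing files keep their current permissions, follows from how os.WriteFile behaves: its perm argument is only used when the file is created (and is further reduced by the process umask), so a 0644 file written before this fix stays 0644 even when its content is rewritten. The following is an added example, not the project's code: ensureFileMatchesTemplate is a hypothetical stand-in for the function named in the PR, and tightenMode is an added helper that chmods such pre-existing files down to 0600 without ever widening a mode.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// ensureFileMatchesTemplate is a hypothetical stand-in for the function named in the
// PR: it (re)writes targetPath with mode 0600 when the content differs. The mode
// argument only applies when the file is created, and is reduced by the umask.
func ensureFileMatchesTemplate(targetPath, templateContent string) (written bool, err error) {
	existing, err := os.ReadFile(targetPath)
	if err == nil && string(existing) == templateContent {
		return false, nil // already up to date, nothing to write
	}
	if err != nil && !os.IsNotExist(err) {
		return false, err
	}
	if err := os.WriteFile(targetPath, []byte(templateContent), 0o600); err != nil {
		return false, err
	}
	return true, nil
}

// tightenMode chmods path down to want if it currently grants any bit outside want
// (e.g. a 0644 file created before the fix). It never widens permissions.
func tightenMode(path string, want os.FileMode) (changed bool, err error) {
	info, err := os.Stat(path)
	if err != nil || info.Mode().Perm()&^want == 0 {
		return false, err
	}
	return true, os.Chmod(path, info.Mode().Perm()&want)
}

func main() {
	dir, _ := os.MkdirTemp("", "agents")
	defer os.RemoveAll(dir)
	old := filepath.Join(dir, "legacy.agent.md")
	_ = os.WriteFile(old, []byte("stale\n"), 0o644) // constructed: a file from before the fix
	_ = os.Chmod(old, 0o644)                          // pin the mode regardless of umask
	_, _ = ensureFileMatchesTemplate(old, "# updated\n")
	info, _ := os.Stat(old)
	fmt.Printf("after rewrite: %o\n", info.Mode().Perm()) // 644: rewriting keeps the old mode
	_, _ = tightenMode(old, 0o600)
	info, _ = os.Stat(old)
	fmt.Printf("after tighten: %o\n", info.Mode().Perm()) // 600
}
```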


- Changed file permissions from 0644 to 0600 in ensureFileMatchesTemplate()
- Applies to agent templates and Copilot instructions files
- Follows principle of least privilege and security best practices
- Fixes gosec alert #383 (G306 - Incorrect Default Permissions)

🤖 Generated with gh-aw security fix agent
Triggered by: @pelikhan
Workflow Run: #20686947569
@pelikhan pelikhan marked this pull request as ready for review January 4, 2026 03:36
@pelikhan pelikhan merged commit 0e00059 into main Jan 4, 2026
4 checks passed
@pelikhan pelikhan deleted the main-f81a72a85816b4fb branch January 4, 2026 03:36