fix: set restrictive file permissions in FilePersistence#8623
Open
tnorling wants to merge 5 commits into
Cache files created by FilePersistence use Node.js defaults (0644), making them world-readable. Set mode 0o600 for files and 0o700 for directories, with chmod after writes to harden existing files. Fixes SPADE CWE-276 vulnerability for Linux plaintext fallback path. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Verify that create(), save(), and saveBuffer() set 0o600 permissions, and that save() tightens permissions on pre-existing permissive files. Tests only run on POSIX platforms (Mac/Linux) where file modes apply. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
This PR hardens FilePersistence in @azure/msal-node-extensions by ensuring cache files are created/maintained with restrictive POSIX permissions, reducing the risk of token cache disclosure on Unix-like systems.
Changes:
- Enforced 0o600 file permissions and 0o700 directory permissions during cache file/directory creation.
- Added chmod after writes to tighten permissions on pre-existing permissive cache files.
- Added non-Windows unit tests to validate file permission behavior.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| extensions/msal-node-extensions/src/persistence/FilePersistence.ts | Applies restrictive file/directory modes and post-write chmod hardening. |
| extensions/msal-node-extensions/test/persistence/FilePersistence.spec.ts | Adds permission-focused tests on non-Windows platforms. |
| change/@azure-msal-node-extensions-c75a531e-3e89-4fe2-86d8-d551e766c890.json | Adds a changefile for the patch release. |
… changefile link format Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Comment on lines +53 to +57
| await fs.writeFile(this.getFilePath(), contents, { | ||
| encoding: "utf-8", | ||
| mode: FILE_MODE, | ||
| }); | ||
| await fs.chmod(this.getFilePath(), FILE_MODE); |
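Review bot: the mode: FILE_MODE option on fs.writeFile only takes effect when the file is created (and is still masked by the process umask), so for a cache file that already exists as 0644 the new contents are written first and are only tightened by the fs.chmod on the following line. Calling fs.chmod(this.getFilePath(), FILE_MODE) before the write when the file already exists closes that gap; the chmod after the write can then stay as the umask-proof fallback for freshly created files.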
Comment on lines 71 to +75
| try { | ||
| await fs.writeFile(this.getFilePath(), contents); | ||
| await fs.writeFile(this.getFilePath(), contents, { | ||
| mode: FILE_MODE, | ||
| }); | ||
| await fs.chmod(this.getFilePath(), FILE_MODE); |
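Review bot: this is the same write-then-chmod sequence as in save(), so the ordering caveat about pre-existing 0644 files applies to the buffer path as well. Rather than keeping two copies that can drift apart, consider a private helper (for example writeRestricted(path, data)) that does chmod-if-exists, fs.writeFile with mode: FILE_MODE, and the final fs.chmod, and have both save() and saveBuffer() call it. Since the chmod sits inside the try block, also check that the catch handler (not shown in this hunk) does not report an EPERM from chmod as if it were a write failure.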
Comment on lines +201 to +204
| await fs.mkdir(dirname(this.filePath), { | ||
| recursive: true, | ||
| mode: DIR_MODE, | ||
| }); |
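Review bot: fs.mkdir with mode: DIR_MODE only sets the mode on directories it creates; a cache directory that already exists with the default 0755 is left as-is, and unlike the file paths there is no fs.chmod afterwards, so the directory hardening does not reach pre-existing installations. Either add await fs.chmod(dirname(this.filePath), DIR_MODE) after the mkdir, mirroring the file handling, or, if the directory may be shared with other tools and tightening it is intentionally avoided, say so in a comment here.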
Cache files created by FilePersistence use Node.js defaults (0644), making them world-readable. This sets mode 0o600 for files and 0o700 for directories, with chmod after writes to harden existing files.
Changes:
- FILE_MODE = 0o600 and DIR_MODE = 0o700 constants
- save(), saveBuffer(), createCacheFile(), and createFileDirectory()
- chmod after writes to tighten permissions on existing files
Impact:
Fixes ADO #3607064