Skip to content

fix(security) : Restrict credential file path to home directory#1147

Open
l3tchupkt wants to merge 4 commits intogoogle:masterfrom
l3tchupkt:fix/auth-path-injection
Open

fix(security) : Restrict credential file path to home directory#1147
l3tchupkt wants to merge 4 commits intogoogle:masterfrom
l3tchupkt:fix/auth-path-injection

Conversation

@l3tchupkt
Copy link
Copy Markdown
Contributor

@l3tchupkt l3tchupkt commented Apr 9, 2026
edited
Loading

fixes(#1148)
Prevent credential theft by validating --auth paths and blocking
symlink attacks that could exfiltrate OAuth tokens.

Changes:

  • Enforce credential files must be within home directory
  • Detect and block symlinks pointing outside home (~/safe -> /tmp)
  • Use O_NOFOLLOW | O_EXCL for atomic credential writes
  • Maintain 0o600 permissions on credential files

Fixes: Credential path injection and symlink bypass vulnerabilities

  • [ x] npm run test succeeds.
  • [x ] npm run lint succeeds.
  • Appropriate changes to README are included in PR.

@l3tchupkt
fix(auth): restrict credential file path to home directory
6bd8581 
Prevent credential theft by validating that --auth path is strictly
within the user's home directory. Blocks attacks that attempt to
store credentials in world-readable locations like /tmp or /var/tmp
for later exfiltration by an attacker.

- Resolve path before validation
- Check resolved path is within os.homedir()
- Clear error message on validation failure
@l3tchupkt
harden(auth): CVE-grade credential file protection
1b8ec17 
- Add symlink detection before credential write
- Use O_NOFOLLOW | O_EXCL for atomic safe writes
- Check realpath of home directory to bypass symlink tricks
- Add race condition detection (EEXIST error handling)
@l3tchupkt
harden(auth): fix logout test failures, only check symlink on write
7581b2c
@l3tchupkt l3tchupkt mentioned this pull request Apr 9, 2026
Open
@l3tchupkt l3tchupkt changed the title Restrict credential file path to home directory fix(security) : Restrict credential file path to home directory Apr 10, 2026
@l3tchupkt
Copy link
Copy Markdown
Contributor Author

l3tchupkt commented Apr 10, 2026

@sqrrrl please review!!

@sqrrrl
Copy link
Copy Markdown
Member

sqrrrl commented Apr 14, 2026

Have to think about this one. May be too restrictive given the nature of the tool.

There are legitimate use cases for secrets outside the home directory. Some CI/CD platforms allow mounting secrets as files. Currently have the --auth flag documented as deprecated, but it still may have some utility.

Can you split this into two parts? I think most of the changes are OK (don't follow symlinks, maintaining correct file permissions, etc.) but the path part I'm less confident about.

Alternatively, may be worth adding an option flag like --allow-unsafe-paths for this and other recent changes that may break some less common use cases.

@l3tchupkt
Copy link
Copy Markdown
Contributor Author

l3tchupkt commented Apr 14, 2026

@sqrrrl Makes sense 👍

Goal was to prevent credential leaks since unsafe paths or symlinks can expose tokens (like in /tmp or CI mounts). But yeah, blocking might break real use cases.

I’ll split it:

  • keep safe writes + no symlinks + strict perms
  • change path check to warning
  • add --allow-unsafe-paths if needed

Let me know your thoughts.

@sqrrrl
Copy link
Copy Markdown
Member

sqrrrl commented Apr 27, 2026

sounds good

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@l3tchupkt @sqrrrl