[ARCH-327] Address security comments. 2 (#1760)

* Minor.

* Minor.

* Minor.

* Minor.

* Minor.

* Minor.

* Minor.

---------

Co-authored-by: Connor Stein <connor.stein2@gmail.com>

Author: pavel-raykov

keystore/file.go

@@ -5,7 +5,7 @@ import (
 	"context"
 	"os"
 
-	"github.com/natefinch/atomic"
+	"github.com/smartcontractkit/chainlink-common/keystore/internal/atomicfile"
 )
 
 var _ Storage = &FileStorage{}
@@ -26,5 +26,5 @@ func (f *FileStorage) GetEncryptedKeystore(ctx context.Context) ([]byte, error)
 }
 
 func (f *FileStorage) PutEncryptedKeystore(ctx context.Context, encryptedKeystore []byte) error {
-	return atomic.WriteFile(f.name, bytes.NewReader(encryptedKeystore))
+	return atomicfile.WriteFile(f.name, bytes.NewReader(encryptedKeystore), 0600)
 }

keystore/go.mod

@@ -6,7 +6,6 @@ require (
 	github.com/ethereum/go-ethereum v1.16.2
 	github.com/jmoiron/sqlx v1.4.0
 	github.com/lib/pq v1.10.9
-	github.com/natefinch/atomic v1.0.1
 	github.com/smartcontractkit/chainlink-common v0.9.6-0.20251107154219-ec6d8370ebbf
 	github.com/smartcontractkit/libocr v0.0.0-20250912173940-f3ab0246e23d
 	github.com/spf13/cobra v1.8.1

keystore/go.sum

@@ -235,8 +235,6 @@ github.com/mr-tron/base58 v1.2.0 h1:T/HDJBh4ZCPbU39/+c3rRvE0uKBQlU27+QI8LJ4t64o=
 github.com/mr-tron/base58 v1.2.0/go.mod h1:BinMc/sQntlIE1frQmRFPUoPA1Zkr8VRgBdjWI2mNwc=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/natefinch/atomic v1.0.1 h1:ZPYKxkqQOx3KZ+RsbnP/YsgvxWQPGxjC0oBt2AhwV0A=
-github.com/natefinch/atomic v1.0.1/go.mod h1:N/D/ELrljoqDyT3rZrsUmtsuzvHkeB/wWjHV22AZRbM=
 github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
 github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
 github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=

keystore/internal/atomicfile/write.go

@@ -0,0 +1,71 @@
+package atomicfile
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+)
+
+// WriteFile atomically writes the contents of r to the specified filepath with the given mode.
+// This is a copy of https://github.com/natefinch/atomic/blob/master/atomic.go with minor modifications allowing
+// to set mode of the written file. If the file already exists, its mode is preserved.
+func WriteFile(filename string, r io.Reader, mode os.FileMode) (err error) {
+	// write to a temp file first, then we'll atomically replace the target file
+	// with the temp file.
+	dir, file := filepath.Split(filename)
+	if dir == "" {
+		dir = "."
+	}
+
+	f, err := os.CreateTemp(dir, file)
+	if err != nil {
+		return fmt.Errorf("cannot create temp file: %w", err)
+	}
+	defer func() {
+		if err != nil {
+			// Don't leave the temp file lying around on error.
+			_ = os.Remove(f.Name()) // yes, ignore the error, not much we can do about it.
+		}
+	}()
+	// ensure we always close f. Note that this does not conflict with the close below, as close is idempotent while
+	// it returns an error for repeating close operations.
+	defer f.Close() //nolint:errcheck
+	name := f.Name()
+	if _, err = io.Copy(f, r); err != nil {
+		return fmt.Errorf("cannot write data to tempfile %q: %w", name, err)
+	}
+	// fsync is important, otherwise os.Rename could rename a zero-length file
+	if err = f.Sync(); err != nil {
+		return fmt.Errorf("can't flush tempfile %q: %w", name, err)
+	}
+	if err = f.Close(); err != nil {
+		return fmt.Errorf("can't close tempfile %q: %w", name, err)
+	}
+
+	// get the file mode from the original file and use that for the replacement file, too.
+	destInfo, err := os.Stat(filename)
+	if os.IsNotExist(err) {
+		// no original file
+		if err = os.Chmod(name, mode); err != nil {
+			return fmt.Errorf("can't set filemode on tempfile %q: %w", name, err)
+		}
+	} else if err != nil {
+		return err
+	} else {
+		sourceInfo, err := os.Stat(name)
+		if err != nil {
+			return err
+		}
+
+		if sourceInfo.Mode() != destInfo.Mode() {
+			if err = os.Chmod(name, destInfo.Mode()); err != nil {
+				return fmt.Errorf("can't set filemode on tempfile %q: %w", name, err)
+			}
+		}
+	}
+	if err := os.Rename(name, filename); err != nil {
+		return fmt.Errorf("cannot replace %q with tempfile %q: %w", filename, name, err)
+	}
+	return nil
+}

keystore/internal/atomicfile/write_test.go

@@ -0,0 +1,24 @@
+package atomicfile
+
+import (
+	"bytes"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestWriteFile_WriteAndRead(t *testing.T) {
+	mode := os.FileMode(0600)
+	path := filepath.Join(t.TempDir(), "out.txt")
+	data := []byte("test")
+	err := WriteFile(path, bytes.NewReader(data), mode)
+	require.NoError(t, err)
+	readData, err := os.ReadFile(path)
+	require.NoError(t, err)
+	require.Equal(t, readData, data)
+	info, err := os.Stat(path)
+	require.NoError(t, err)
+	require.Equal(t, mode, info.Mode())
+}

keystore/internal/raw_test.go

@@ -23,6 +23,8 @@ func TestRaw_nonprintable(t *testing.T) {
 
 	assert.Equal(t, exp, fmt.Sprintf("%#v", r))
 
+	assert.Equal(t, exp, fmt.Sprintf("%x", r))
+
 	assert.Equal(t, exp, fmt.Sprintf("%s", r)) //nolint:gosimple // S1025 deliberately testing formatting verbs
 
 	got, err := json.Marshal(r) //nolint:staticcheck // SA9005 deliberately testing marshalling