fix(auth): tighten Windows credentials ACL (#104)#253
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
WalkthroughCredential permission tightening now handles Windows through ChangesCredential permission enforcement
Estimated code review effort: 3 (Moderate) | ~20 minutes Suggested reviewers: Sequence Diagram(s)sequenceDiagram
participant CredentialsWriter
participant ensureRestrictiveMode
participant spawnSync
participant WarningHandler
CredentialsWriter->>ensureRestrictiveMode: tighten credentials file permissions
ensureRestrictiveMode->>spawnSync: execute icacls with restrictive ACL arguments
spawnSync-->>ensureRestrictiveMode: return execution status
ensureRestrictiveMode->>WarningHandler: warn when username detection or ACL execution fails
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Warning There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure. 🔧 ESLint
ESLint install failed: private package registry requires authentication. Disable ESLint in CodeRabbit settings or use public packages. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
zeshi-du
left a comment
There was a problem hiding this comment.
Real gap confirmed (chmod 0o600 is a no-op for Windows ACLs) — this was on our internal fix list and your icacls approach is the right one: spawnSync with an argv array and shell:false (injection-safe), graceful degradation when USERNAME is missing or icacls fails, and DI-based tests that exercise the win32 path cross-platform. One non-blocking follow-up we may do later: DOMAIN\username disambiguation on domain-joined machines. Thanks @naufalfx805-source!
What does this PR do?
Closes #104.
This stops the Windows credentials path from silently relying on POSIX
chmod(0o600), which Node cannot enforce on Windows ACLs.Changes:
win32,ensureRestrictiveMode()now runsicaclswith an args array:icacls <path> /inheritance:r /grant:r <USERNAME>:F.Verification
npm test -- src/lib/credentials.test.ts-> 24 passed, 1 skippednpm run lintnpm run typechecknpm run buildgit diff --checkSummary by CodeRabbit