fix(security): harden credential storage and transmission

Problem: credential and cookie files were world-readable (0644), passwords transited via `CP_CREDENTIALS` env var (visible in `/proc/PID/environ`), and Kattis/USACO echoed passwords back through stdout unnecessarily. Solution: set 0600 permissions on `cp-nvim.json` and `cookies.json` after every write, pass credentials via stdin pipe instead of env var, and stop emitting passwords in ndjson from Kattis/USACO `LoginResult` (CSES token emission unchanged).
2026-03-07 18:01:54 -05:00 · 2026-03-07 18:01:54 -05:00 · 0c06b4a55a
commit 0c06b4a55a
parent 771dbc7753
6 changed files with 10 additions and 9 deletions
--- a/lua/cp/cache.lua
+++ b/lua/cp/cache.lua
@ -57,6 +57,7 @@ function M.load()

  if vim.fn.filereadable(cache_file) == 0 then
    vim.fn.writefile({}, cache_file)
+    vim.fn.setfperm(cache_file, 'rw-------')
    loaded = true
    return
  end
@ -107,6 +108,7 @@ function M.save()
    local encoded = vim.json.encode(cache_data)
    local lines = vim.split(encoded, '\n')
    vim.fn.writefile(lines, cache_file)
+    vim.fn.setfperm(cache_file, 'rw-------')
  end)
 end

--- a/lua/cp/credentials.lua
+++ b/lua/cp/credentials.lua
@ -117,6 +117,7 @@ function M.logout(platform)
    if ok and type(data) == 'table' then
      data[platform] = nil
      vim.fn.writefile({ vim.fn.json_encode(data) }, cookie_file)
+      vim.fn.setfperm(cookie_file, 'rw-------')
    end
  end
  logger.log(display .. ' credentials cleared', { level = vim.log.levels.INFO, override = true })
--- a/lua/cp/scraper.lua
+++ b/lua/cp/scraper.lua
@ -344,7 +344,7 @@ function M.login(platform, credentials, on_status, callback)
  local done = false
  run_scraper(platform, 'login', {}, {
    ndjson = true,
-    env_extra = { CP_CREDENTIALS = vim.json.encode(credentials) },
+    stdin = vim.json.encode(credentials),
    on_event = function(ev)
      if ev.credentials ~= nil and next(ev.credentials) ~= nil then
        require('cp.cache').set_credentials(platform, ev.credentials)
@ -392,9 +392,9 @@ function M.submit(
  local done = false
  run_scraper(platform, 'submit', { contest_id, problem_id, language, source_file }, {
    ndjson = true,
-    env_extra = { CP_CREDENTIALS = vim.json.encode(credentials) },
+    stdin = vim.json.encode(credentials),
    on_event = function(ev)
-      if ev.credentials ~= nil then
+      if ev.credentials ~= nil and next(ev.credentials) ~= nil then
        require('cp.cache').set_credentials(platform, ev.credentials)
      end
      if ev.status ~= nil then
--- a/scrapers/base.py
+++ b/scrapers/base.py
@ -36,6 +36,7 @@ def save_platform_cookies(platform: str, data: Any) -> None:
        existing = {}
    existing[platform] = data
    _COOKIE_FILE.write_text(json.dumps(existing))
+    _COOKIE_FILE.chmod(0o600)


 def clear_platform_cookies(platform: str) -> None:
@ -43,6 +44,7 @@ def clear_platform_cookies(platform: str) -> None:
        existing = json.loads(_COOKIE_FILE.read_text())
        existing.pop(platform, None)
        _COOKIE_FILE.write_text(json.dumps(existing))
+        _COOKIE_FILE.chmod(0o600)
    except Exception:
        pass

@ -160,7 +162,7 @@ class BaseScraper(ABC):
                        ).model_dump_json()
                    )
                    return 1
-                creds_raw = os.environ.get("CP_CREDENTIALS", "{}")
+                creds_raw = sys.stdin.read()
                try:
                    credentials = json.loads(creds_raw)
                except json.JSONDecodeError:
@ -173,7 +175,7 @@ class BaseScraper(ABC):
                return 0 if result.success else 1

            case "login":
-                creds_raw = os.environ.get("CP_CREDENTIALS", "{}")
+                creds_raw = sys.stdin.read()
                try:
                    credentials = json.loads(creds_raw)
                except json.JSONDecodeError:
--- a/scrapers/kattis.py
+++ b/scrapers/kattis.py
@ -415,7 +415,6 @@ class KattisScraper(BaseScraper):
                    return LoginResult(
                        success=True,
                        error="",
-                        credentials={"username": username, "password": password},
                    )

            print(json.dumps({"status": "logging_in"}), flush=True)
@ -426,7 +425,6 @@ class KattisScraper(BaseScraper):
        return LoginResult(
            success=True,
            error="",
-            credentials={"username": username, "password": password},
        )


--- a/scrapers/usaco.py
+++ b/scrapers/usaco.py
@ -533,7 +533,6 @@ class USACOScraper(BaseScraper):
                    return LoginResult(
                        success=True,
                        error="",
-                        credentials={"username": username, "password": password},
                    )

            print(json.dumps({"status": "logging_in"}), flush=True)
@ -549,7 +548,6 @@ class USACOScraper(BaseScraper):
        return LoginResult(
            success=True,
            error="",
-            credentials={"username": username, "password": password},
        )