fix(security): harden credential storage and transmission
Problem: credential and cookie files were world-readable (0644), passwords transited via `CP_CREDENTIALS` env var (visible in `/proc/PID/environ`), and Kattis/USACO echoed passwords back through stdout unnecessarily. Solution: set 0600 permissions on `cp-nvim.json` and `cookies.json` after every write, pass credentials via stdin pipe instead of env var, and stop emitting passwords in ndjson from Kattis/USACO `LoginResult` (CSES token emission unchanged).
This commit is contained in:
parent
771dbc7753
commit
0c06b4a55a
GPG key ID:
A6C96C9349D2FC81
6 changed files with 10 additions and 9 deletions
|
|
@ -57,6 +57,7 @@ function M.load()
|
|||
|
||||
if vim.fn.filereadable(cache_file) == 0 then
|
||||
vim.fn.writefile({}, cache_file)
|
||||
vim.fn.setfperm(cache_file, 'rw-------')
|
||||
loaded = true
|
||||
return
|
||||
end
|
||||
|
|
@ -107,6 +108,7 @@ function M.save()
|
|||
local encoded = vim.json.encode(cache_data)
|
||||
local lines = vim.split(encoded, '\n')
|
||||
vim.fn.writefile(lines, cache_file)
|
||||
vim.fn.setfperm(cache_file, 'rw-------')
|
||||
end)
|
||||
end
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue