fix(security): harden credential storage and transmission
Problem: credential and cookie files were world-readable (0644), passwords transited via `CP_CREDENTIALS` env var (visible in `/proc/PID/environ`), and Kattis/USACO echoed passwords back through stdout unnecessarily. Solution: set 0600 permissions on `cp-nvim.json` and `cookies.json` after every write, pass credentials via stdin pipe instead of env var, and stop emitting passwords in ndjson from Kattis/USACO `LoginResult` (CSES token emission unchanged).
This commit is contained in:
parent
771dbc7753
commit
0c06b4a55a
GPG key ID:
A6C96C9349D2FC81
6 changed files with 10 additions and 9 deletions
|
|
@ -117,6 +117,7 @@ function M.logout(platform)
|
|||
if ok and type(data) == 'table' then
|
||||
data[platform] = nil
|
||||
vim.fn.writefile({ vim.fn.json_encode(data) }, cookie_file)
|
||||
vim.fn.setfperm(cookie_file, 'rw-------')
|
||||
end
|
||||
end
|
||||
logger.log(display .. ' credentials cleared', { level = vim.log.levels.INFO, override = true })
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue