fix(security): harden credential storage and transmission

Problem: credential and cookie files were world-readable (0644), passwords transited via `CP_CREDENTIALS` env var (visible in `/proc/PID/environ`), and Kattis/USACO echoed passwords back through stdout unnecessarily. Solution: set 0600 permissions on `cp-nvim.json` and `cookies.json` after every write, pass credentials via stdin pipe instead of env var, and stop emitting passwords in ndjson from Kattis/USACO `LoginResult` (CSES token emission unchanged).
2026-03-07 18:01:54 -05:00 · 2026-03-07 18:01:54 -05:00 · 0c06b4a55a
commit 0c06b4a55a
parent 771dbc7753
6 changed files with 10 additions and 9 deletions
--- a/lua/cp/scraper.lua
+++ b/lua/cp/scraper.lua
@ -344,7 +344,7 @@ function M.login(platform, credentials, on_status, callback)
  local done = false
  run_scraper(platform, 'login', {}, {
    ndjson = true,
-    env_extra = { CP_CREDENTIALS = vim.json.encode(credentials) },
+    stdin = vim.json.encode(credentials),
    on_event = function(ev)
      if ev.credentials ~= nil and next(ev.credentials) ~= nil then
        require('cp.cache').set_credentials(platform, ev.credentials)
@ -392,9 +392,9 @@ function M.submit(
  local done = false
  run_scraper(platform, 'submit', { contest_id, problem_id, language, source_file }, {
    ndjson = true,
-    env_extra = { CP_CREDENTIALS = vim.json.encode(credentials) },
+    stdin = vim.json.encode(credentials),
    on_event = function(ev)
-      if ev.credentials ~= nil then
+      if ev.credentials ~= nil and next(ev.credentials) ~= nil then
        require('cp.cache').set_credentials(platform, ev.credentials)
      end
      if ev.status ~= nil then