barrett/cp.nvim
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(security): harden credential storage and transmission

Browse source 
Problem: credential and cookie files were world-readable (0644),
passwords transited via `CP_CREDENTIALS` env var (visible in
`/proc/PID/environ`), and Kattis/USACO echoed passwords back
through stdout unnecessarily.

Solution: set 0600 permissions on `cp-nvim.json` and `cookies.json`
after every write, pass credentials via stdin pipe instead of env
var, and stop emitting passwords in ndjson from Kattis/USACO
`LoginResult` (CSES token emission unchanged).
This commit is contained in:
Barrett Ruth 2026-03-07 18:01:54 -05:00
parent 771dbc7753
commit 0c06b4a55a
Signed by: barrett
GPG key ID: A6C96C9349D2FC81
6 changed files with 10 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

2
lua/cp/cache.lua
View file

@ -57,6 +57,7 @@ function M.load()
if vim.fn.filereadable(cache_file) == 0 then if vim.fn.filereadable(cache_file) == 0 then
vim.fn.writefile({}, cache_file) vim.fn.writefile({}, cache_file)
vim.fn.setfperm(cache_file, 'rw-------')
loaded = true loaded = true
return return
end end
@ -107,6 +108,7 @@ function M.save()
local encoded = vim.json.encode(cache_data) local encoded = vim.json.encode(cache_data)
local lines = vim.split(encoded, '\n') local lines = vim.split(encoded, '\n')
vim.fn.writefile(lines, cache_file) vim.fn.writefile(lines, cache_file)
vim.fn.setfperm(cache_file, 'rw-------')
end) end)
end end

1
lua/cp/credentials.lua
View file

@ -117,6 +117,7 @@ function M.logout(platform)
if ok and type(data) == 'table' then if ok and type(data) == 'table' then
data[platform] = nil data[platform] = nil
vim.fn.writefile({ vim.fn.json_encode(data) }, cookie_file) vim.fn.writefile({ vim.fn.json_encode(data) }, cookie_file)
vim.fn.setfperm(cookie_file, 'rw-------')
end end
end end
logger.log(display .. ' credentials cleared', { level = vim.log.levels.INFO, override = true }) logger.log(display .. ' credentials cleared', { level = vim.log.levels.INFO, override = true })

6
lua/cp/scraper.lua
View file

@ -344,7 +344,7 @@ function M.login(platform, credentials, on_status, callback)
local done = false local done = false
run_scraper(platform, 'login', {}, { run_scraper(platform, 'login', {}, {
ndjson = true, ndjson = true,
env_extra = { CP_CREDENTIALS = vim.json.encode(credentials) }, stdin = vim.json.encode(credentials),
on_event = function(ev) on_event = function(ev)
if ev.credentials ~= nil and next(ev.credentials) ~= nil then if ev.credentials ~= nil and next(ev.credentials) ~= nil then
require('cp.cache').set_credentials(platform, ev.credentials) require('cp.cache').set_credentials(platform, ev.credentials)
@ -392,9 +392,9 @@ function M.submit(
local done = false local done = false
run_scraper(platform, 'submit', { contest_id, problem_id, language, source_file }, { run_scraper(platform, 'submit', { contest_id, problem_id, language, source_file }, {
ndjson = true, ndjson = true,
env_extra = { CP_CREDENTIALS = vim.json.encode(credentials) }, stdin = vim.json.encode(credentials),
on_event = function(ev) on_event = function(ev)
if ev.credentials ~= nil then if ev.credentials ~= nil and next(ev.credentials) ~= nil then
require('cp.cache').set_credentials(platform, ev.credentials) require('cp.cache').set_credentials(platform, ev.credentials)
end end
if ev.status ~= nil then if ev.status ~= nil then

6
scrapers/base.py
View file

@ -36,6 +36,7 @@ def save_platform_cookies(platform: str, data: Any) -> None:
existing = {} existing = {}
existing[platform] = data existing[platform] = data
_COOKIE_FILE.write_text(json.dumps(existing)) _COOKIE_FILE.write_text(json.dumps(existing))
_COOKIE_FILE.chmod(0o600)
def clear_platform_cookies(platform: str) -> None: def clear_platform_cookies(platform: str) -> None:
@ -43,6 +44,7 @@ def clear_platform_cookies(platform: str) -> None:
existing = json.loads(_COOKIE_FILE.read_text()) existing = json.loads(_COOKIE_FILE.read_text())
existing.pop(platform, None) existing.pop(platform, None)
_COOKIE_FILE.write_text(json.dumps(existing)) _COOKIE_FILE.write_text(json.dumps(existing))
_COOKIE_FILE.chmod(0o600)
except Exception: except Exception:
pass pass
@ -160,7 +162,7 @@ class BaseScraper(ABC):
).model_dump_json() ).model_dump_json()
) )
return 1 return 1
creds_raw = os.environ.get("CP_CREDENTIALS", "{}") creds_raw = sys.stdin.read()
try: try:
credentials = json.loads(creds_raw) credentials = json.loads(creds_raw)
except json.JSONDecodeError: except json.JSONDecodeError:
@ -173,7 +175,7 @@ class BaseScraper(ABC):
return 0 if result.success else 1 return 0 if result.success else 1
case "login": case "login":
creds_raw = os.environ.get("CP_CREDENTIALS", "{}") creds_raw = sys.stdin.read()
try: try:
credentials = json.loads(creds_raw) credentials = json.loads(creds_raw)
except json.JSONDecodeError: except json.JSONDecodeError:

2
scrapers/kattis.py
View file

@ -415,7 +415,6 @@ class KattisScraper(BaseScraper):
return LoginResult( return LoginResult(
success=True, success=True,
error="", error="",
credentials={"username": username, "password": password},
) )
print(json.dumps({"status": "logging_in"}), flush=True) print(json.dumps({"status": "logging_in"}), flush=True)
@ -426,7 +425,6 @@ class KattisScraper(BaseScraper):
return LoginResult( return LoginResult(
success=True, success=True,
error="", error="",
credentials={"username": username, "password": password},
) )

2
scrapers/usaco.py
View file

@ -533,7 +533,6 @@ class USACOScraper(BaseScraper):
return LoginResult( return LoginResult(
success=True, success=True,
error="", error="",
credentials={"username": username, "password": password},
) )
print(json.dumps({"status": "logging_in"}), flush=True) print(json.dumps({"status": "logging_in"}), flush=True)
@ -549,7 +548,6 @@ class USACOScraper(BaseScraper):
return LoginResult( return LoginResult(
success=True, success=True,
error="", error="",
credentials={"username": username, "password": password},
) )