barrett/cp.nvim
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(security): harden credential storage and transmission (#369)
Some checks failed
luarocks / ci (push) Has been cancelled
Details
luarocks / publish (push) Has been cancelled
Details

Browse source 
## Problem

Credential and cookie files were world-readable (0644), passwords
transited via `CP_CREDENTIALS` env var (visible in `/proc/PID/environ`),
and Kattis/USACO echoed passwords back through stdout unnecessarily.

## Solution

Set 0600 permissions on `cp-nvim.json` and `cookies.json` after every
write, pass credentials via stdin pipe instead of env var, and stop
emitting passwords in ndjson from Kattis/USACO `LoginResult` (CSES token
emission unchanged).
This commit is contained in:
Barrett Ruth 2026-03-07 18:14:34 -05:00 committed by GitHub
parent 771dbc7753
commit b53c8ca44e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
10 changed files with 131 additions and 82 deletions
Download patch file Download diff file Expand all files Collapse all files

6
lua/cp/scraper.lua
View file

@ -344,7 +344,7 @@ function M.login(platform, credentials, on_status, callback)
local done = false
run_scraper(platform, 'login', {}, {
ndjson = true,
env_extra = { CP_CREDENTIALS = vim.json.encode(credentials) },
stdin = vim.json.encode(credentials),
on_event = function(ev)
if ev.credentials ~= nil and next(ev.credentials) ~= nil then
require('cp.cache').set_credentials(platform, ev.credentials)
@ -392,9 +392,9 @@ function M.submit(
local done = false
run_scraper(platform, 'submit', { contest_id, problem_id, language, source_file }, {
ndjson = true,
env_extra = { CP_CREDENTIALS = vim.json.encode(credentials) },
stdin = vim.json.encode(credentials),
on_event = function(ev)
if ev.credentials ~= nil then
if ev.credentials ~= nil and next(ev.credentials) ~= nil then
require('cp.cache').set_credentials(platform, ev.credentials)
end
if ev.status ~= nil then