barrett/cp.nvim
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(security): harden credential storage and transmission (#369)
Some checks failed
luarocks / ci (push) Has been cancelled
Details
luarocks / publish (push) Has been cancelled
Details

Browse source 
## Problem

Credential and cookie files were world-readable (0644), passwords
transited via `CP_CREDENTIALS` env var (visible in `/proc/PID/environ`),
and Kattis/USACO echoed passwords back through stdout unnecessarily.

## Solution

Set 0600 permissions on `cp-nvim.json` and `cookies.json` after every
write, pass credentials via stdin pipe instead of env var, and stop
emitting passwords in ndjson from Kattis/USACO `LoginResult` (CSES token
emission unchanged).
This commit is contained in:
Barrett Ruth 2026-03-07 18:14:34 -05:00 committed by GitHub
parent 771dbc7753
commit b53c8ca44e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
10 changed files with 131 additions and 82 deletions
Download patch file Download diff file Expand all files Collapse all files

2
doc/cp.nvim.txt
View file

@ -453,6 +453,7 @@ COMMANDS *cp-commands*
any previously saved credentials. any previously saved credentials.
If [platform] is omitted, uses the active platform. If [platform] is omitted, uses the active platform.
Examples: > Examples: >
:CP login
:CP login atcoder :CP login atcoder
:CP login codeforces :CP login codeforces
< <
@ -460,6 +461,7 @@ COMMANDS *cp-commands*
Remove stored credentials for a platform. Remove stored credentials for a platform.
If [platform] is omitted, uses the active platform. If [platform] is omitted, uses the active platform.
Examples: > Examples: >
:CP logout
:CP logout atcoder :CP logout atcoder
< <
:CP {platform} signup :CP {platform} signup

2
lua/cp/cache.lua
View file

@ -57,6 +57,7 @@ function M.load()
if vim.fn.filereadable(cache_file) == 0 then if vim.fn.filereadable(cache_file) == 0 then
vim.fn.writefile({}, cache_file) vim.fn.writefile({}, cache_file)
vim.fn.setfperm(cache_file, 'rw-------')
loaded = true loaded = true
return return
end end
@ -107,6 +108,7 @@ function M.save()
local encoded = vim.json.encode(cache_data) local encoded = vim.json.encode(cache_data)
local lines = vim.split(encoded, '\n') local lines = vim.split(encoded, '\n')
vim.fn.writefile(lines, cache_file) vim.fn.writefile(lines, cache_file)
vim.fn.setfperm(cache_file, 'rw-------')
end) end)
end end

54
lua/cp/commands/init.lua
View file

@ -326,6 +326,10 @@ local function parse_command(args)
end end
end end
if (first == 'login' or first == 'logout' or first == 'signup') and #args == 1 then
return { type = 'action', action = first, requires_context = true, platform = nil }
end
if #args == 1 then if #args == 1 then
return { return {
type = 'problem_jump', type = 'problem_jump',
@ -378,6 +382,7 @@ function M.handle_command(opts)
if not restore.restore_from_current_file() then if not restore.restore_from_current_file() then
return return
end end
vim.cmd.redraw()
end end
local setup = require('cp.setup') local setup = require('cp.setup')
@ -421,24 +426,45 @@ function M.handle_command(opts)
end end
vim.ui.open(url) vim.ui.open(url)
elseif cmd.action == 'login' then elseif cmd.action == 'login' then
if not check_platform_enabled(cmd.platform) then local p = cmd.platform or state.get_platform()
return if not p then
end
require('cp.credentials').login(cmd.platform)
elseif cmd.action == 'logout' then
if not check_platform_enabled(cmd.platform) then
return
end
require('cp.credentials').logout(cmd.platform)
elseif cmd.action == 'signup' then
local url = constants.SIGNUP_URLS[cmd.platform]
if not url then
logger.log( logger.log(
("No signup URL available for '%s'"):format(cmd.platform), 'No platform active. Usage: :CP <platform> login',
{ level = vim.log.levels.WARN } { level = vim.log.levels.ERROR }
) )
return return
end end
if not check_platform_enabled(p) then
return
end
require('cp.credentials').login(p)
elseif cmd.action == 'logout' then
local p = cmd.platform or state.get_platform()
if not p then
logger.log(
'No platform active. Usage: :CP <platform> logout',
{ level = vim.log.levels.ERROR }
)
return
end
if not check_platform_enabled(p) then
return
end
require('cp.credentials').logout(p)
elseif cmd.action == 'signup' then
local p = cmd.platform or state.get_platform()
if not p then
logger.log(
'No platform active. Usage: :CP <platform> signup',
{ level = vim.log.levels.ERROR }
)
return
end
local url = constants.SIGNUP_URLS[p]
if not url then
logger.log(("No signup URL available for '%s'"):format(p), { level = vim.log.levels.WARN })
return
end
vim.ui.open(url) vim.ui.open(url)
end end
elseif cmd.type == 'problem_jump' then elseif cmd.type == 'problem_jump' then

79
lua/cp/credentials.lua
View file

@ -14,46 +14,50 @@ local STATUS_MESSAGES = {
---@param platform string ---@param platform string
---@param display string ---@param display string
local function prompt_and_login(platform, display) local function prompt_and_login(platform, display)
vim.ui.input({ prompt = '[cp.nvim]: ' .. display .. ' username: ' }, function(username) vim.ui.input(
if not username or username == '' then { prompt = '[cp.nvim]: ' .. display .. ' username (<Esc> to cancel): ' },
logger.log('Cancelled', { level = vim.log.levels.WARN }) function(username)
return if not username or username == '' then
end logger.log(display .. ' login cancelled', { level = vim.log.levels.WARN })
vim.fn.inputsave() return
local password = vim.fn.inputsecret('[cp.nvim]: ' .. display .. ' password: ') end
vim.fn.inputrestore() vim.fn.inputsave()
if not password or password == '' then local password = vim.fn.inputsecret('[cp.nvim]: ' .. display .. ' password: ')
logger.log('Cancelled', { level = vim.log.levels.WARN }) vim.fn.inputrestore()
return if not password or password == '' then
end logger.log(display .. ' login cancelled', { level = vim.log.levels.WARN })
return
end
local credentials = { username = username, password = password } local credentials = { username = username, password = password }
local scraper = require('cp.scraper') local scraper = require('cp.scraper')
scraper.login(platform, credentials, function(ev) scraper.login(platform, credentials, function(ev)
vim.schedule(function() vim.schedule(function()
local msg = STATUS_MESSAGES[ev.status] or ev.status local msg = STATUS_MESSAGES[ev.status] or ev.status
logger.log(display .. ': ' .. msg, { level = vim.log.levels.INFO, override = true }) logger.log(display .. ': ' .. msg, { level = vim.log.levels.INFO, override = true })
end)
end, function(result)
vim.schedule(function()
if result.success then
cache.set_credentials(platform, credentials)
logger.log(
display .. ' login successful',
{ level = vim.log.levels.INFO, override = true }
)
else
local err = result.error or 'unknown error'
cache.clear_credentials(platform)
logger.log(
display .. ' login failed: ' .. (constants.LOGIN_ERRORS[err] or err),
{ level = vim.log.levels.ERROR }
)
prompt_and_login(platform, display)
end
end)
end) end)
end, function(result) end
vim.schedule(function() )
if result.success then
cache.set_credentials(platform, credentials)
logger.log(
display .. ' login successful',
{ level = vim.log.levels.INFO, override = true }
)
else
local err = result.error or 'unknown error'
cache.clear_credentials(platform)
logger.log(
display .. ' login failed: ' .. (constants.LOGIN_ERRORS[err] or err),
{ level = vim.log.levels.ERROR }
)
end
end)
end)
end)
end end
---@param platform string? ---@param platform string?
@ -117,6 +121,7 @@ function M.logout(platform)
if ok and type(data) == 'table' then if ok and type(data) == 'table' then
data[platform] = nil data[platform] = nil
vim.fn.writefile({ vim.fn.json_encode(data) }, cookie_file) vim.fn.writefile({ vim.fn.json_encode(data) }, cookie_file)
vim.fn.setfperm(cookie_file, 'rw-------')
end end
end end
logger.log(display .. ' credentials cleared', { level = vim.log.levels.INFO, override = true }) logger.log(display .. ' credentials cleared', { level = vim.log.levels.INFO, override = true })

6
lua/cp/scraper.lua
View file

@ -344,7 +344,7 @@ function M.login(platform, credentials, on_status, callback)
local done = false local done = false
run_scraper(platform, 'login', {}, { run_scraper(platform, 'login', {}, {
ndjson = true, ndjson = true,
env_extra = { CP_CREDENTIALS = vim.json.encode(credentials) }, stdin = vim.json.encode(credentials),
on_event = function(ev) on_event = function(ev)
if ev.credentials ~= nil and next(ev.credentials) ~= nil then if ev.credentials ~= nil and next(ev.credentials) ~= nil then
require('cp.cache').set_credentials(platform, ev.credentials) require('cp.cache').set_credentials(platform, ev.credentials)
@ -392,9 +392,9 @@ function M.submit(
local done = false local done = false
run_scraper(platform, 'submit', { contest_id, problem_id, language, source_file }, { run_scraper(platform, 'submit', { contest_id, problem_id, language, source_file }, {
ndjson = true, ndjson = true,
env_extra = { CP_CREDENTIALS = vim.json.encode(credentials) }, stdin = vim.json.encode(credentials),
on_event = function(ev) on_event = function(ev)
if ev.credentials ~= nil then if ev.credentials ~= nil and next(ev.credentials) ~= nil then
require('cp.cache').set_credentials(platform, ev.credentials) require('cp.cache').set_credentials(platform, ev.credentials)
end end
if ev.status ~= nil then if ev.status ~= nil then

56
lua/cp/submit.lua
View file

@ -19,23 +19,27 @@ local function prompt_credentials(platform, callback)
callback(saved) callback(saved)
return return
end end
vim.ui.input({ prompt = platform .. ' username: ' }, function(username) local display = constants.PLATFORM_DISPLAY_NAMES[platform] or platform
if not username or username == '' then vim.ui.input(
logger.log('Submit cancelled', { level = vim.log.levels.WARN }) { prompt = '[cp.nvim]: ' .. display .. ' username (<Esc> to cancel): ' },
return function(username)
if not username or username == '' then
logger.log('Submit cancelled', { level = vim.log.levels.WARN })
return
end
vim.fn.inputsave()
local password = vim.fn.inputsecret('[cp.nvim]: ' .. display .. ' password: ')
vim.fn.inputrestore()
vim.cmd.redraw()
if not password or password == '' then
logger.log('Submit cancelled', { level = vim.log.levels.WARN })
return
end
local creds = { username = username, password = password }
cache.set_credentials(platform, creds)
callback(creds)
end end
vim.fn.inputsave() )
local password = vim.fn.inputsecret(platform .. ' password: ')
vim.fn.inputrestore()
vim.cmd.redraw()
if not password or password == '' then
logger.log('Submit cancelled', { level = vim.log.levels.WARN })
return
end
local creds = { username = username, password = password }
cache.set_credentials(platform, creds)
callback(creds)
end)
end end
---@param opts { language?: string }? ---@param opts { language?: string }?
@ -86,7 +90,7 @@ function M.submit(opts)
end end
end end
prompt_credentials(platform, function(creds) local function do_submit(creds)
vim.cmd.update() vim.cmd.update()
require('cp.scraper').submit( require('cp.scraper').submit(
@ -112,16 +116,24 @@ function M.submit(opts)
local err = result and result.error or 'unknown error' local err = result and result.error or 'unknown error'
if err == 'bad_credentials' or err:match('^Login failed') then if err == 'bad_credentials' or err:match('^Login failed') then
cache.clear_credentials(platform) cache.clear_credentials(platform)
logger.log(
'Submit failed: ' .. (constants.LOGIN_ERRORS[err] or err),
{ level = vim.log.levels.ERROR }
)
prompt_credentials(platform, do_submit)
else
logger.log(
'Submit failed: ' .. (constants.LOGIN_ERRORS[err] or err),
{ level = vim.log.levels.ERROR }
)
end end
logger.log(
'Submit failed: ' .. (constants.LOGIN_ERRORS[err] or err),
{ level = vim.log.levels.ERROR }
)
end end
end) end)
end end
) )
end) end
prompt_credentials(platform, do_submit)
end end
return M return M

4
plugin/cp.lua
View file

@ -43,6 +43,10 @@ end, {
vim.list_extend(candidates, platforms) vim.list_extend(candidates, platforms)
table.insert(candidates, 'cache') table.insert(candidates, 'cache')
table.insert(candidates, 'pick') table.insert(candidates, 'pick')
if platform then
table.insert(candidates, 'login')
table.insert(candidates, 'logout')
end
if platform and contest_id then if platform and contest_id then
vim.list_extend( vim.list_extend(
candidates, candidates,

6
scrapers/base.py
View file

@ -36,6 +36,7 @@ def save_platform_cookies(platform: str, data: Any) -> None:
existing = {} existing = {}
existing[platform] = data existing[platform] = data
_COOKIE_FILE.write_text(json.dumps(existing)) _COOKIE_FILE.write_text(json.dumps(existing))
_COOKIE_FILE.chmod(0o600)
def clear_platform_cookies(platform: str) -> None: def clear_platform_cookies(platform: str) -> None:
@ -43,6 +44,7 @@ def clear_platform_cookies(platform: str) -> None:
existing = json.loads(_COOKIE_FILE.read_text()) existing = json.loads(_COOKIE_FILE.read_text())
existing.pop(platform, None) existing.pop(platform, None)
_COOKIE_FILE.write_text(json.dumps(existing)) _COOKIE_FILE.write_text(json.dumps(existing))
_COOKIE_FILE.chmod(0o600)
except Exception: except Exception:
pass pass
@ -160,7 +162,7 @@ class BaseScraper(ABC):
).model_dump_json() ).model_dump_json()
) )
return 1 return 1
creds_raw = os.environ.get("CP_CREDENTIALS", "{}") creds_raw = sys.stdin.read()
try: try:
credentials = json.loads(creds_raw) credentials = json.loads(creds_raw)
except json.JSONDecodeError: except json.JSONDecodeError:
@ -173,7 +175,7 @@ class BaseScraper(ABC):
return 0 if result.success else 1 return 0 if result.success else 1
case "login": case "login":
creds_raw = os.environ.get("CP_CREDENTIALS", "{}") creds_raw = sys.stdin.read()
try: try:
credentials = json.loads(creds_raw) credentials = json.loads(creds_raw)
except json.JSONDecodeError: except json.JSONDecodeError:

2
scrapers/kattis.py
View file

@ -415,7 +415,6 @@ class KattisScraper(BaseScraper):
return LoginResult( return LoginResult(
success=True, success=True,
error="", error="",
credentials={"username": username, "password": password},
) )
print(json.dumps({"status": "logging_in"}), flush=True) print(json.dumps({"status": "logging_in"}), flush=True)
@ -426,7 +425,6 @@ class KattisScraper(BaseScraper):
return LoginResult( return LoginResult(
success=True, success=True,
error="", error="",
credentials={"username": username, "password": password},
) )

2
scrapers/usaco.py
View file

@ -533,7 +533,6 @@ class USACOScraper(BaseScraper):
return LoginResult( return LoginResult(
success=True, success=True,
error="", error="",
credentials={"username": username, "password": password},
) )
print(json.dumps({"status": "logging_in"}), flush=True) print(json.dumps({"status": "logging_in"}), flush=True)
@ -549,7 +548,6 @@ class USACOScraper(BaseScraper):
return LoginResult( return LoginResult(
success=True, success=True,
error="", error="",
credentials={"username": username, "password": password},
) )