usebruno/bruno

Consider using stronger ACL on Environment files

Open

#2 016 ouverte le 4 avr. 2024

Voir sur GitHub
 (1 commentaire) (1 réaction) (0 assignés)JavaScript (2 403 forks)batch import
good first issuehelp wantedmodule-environmentsmodule-filesystemmodule-security

Métriques du dépôt

Stars
 (43 787 stars)
Métriques de merge PR
 (Merge moyen 6j 21h) (96 PRs mergées en 30 j)

Description

Issue

When an Environment file is created, it is typically stored in the environments directory. On 'nix/BSD environments, those files are stored with world-readable perms (644 to be exact). While there is already some protection for sensitive data by using the "Secrets" checkbox, I could see people who accidentally/mistakenly still store sensitive creds and keys which could expose them.

I'd recommend you set an ACL for the Environment files to 600 by default. I can confirm that Bruno will continue to read and write to them just fine with those permissions set.

Guide contributeur