Consider using stronger ACL on Environment files · usebruno/bruno#2016

(1 留言) (1 反應) (0 負責人)JavaScript (43,787 star) (2,403 fork)batch import

good first issuehelp wantedmodule-environmentsmodule-filesystemmodule-security

描述

Issue

When an Environment file is created, it is typically stored in the environments directory. On 'nix/BSD environments, those files are stored with world-readable perms (644 to be exact). While there is already some protection for sensitive data by using the "Secrets" checkbox, I could see people who accidentally/mistakenly still store sensitive creds and keys which could expose them.

I'd recommend you set an ACL for the Environment files to 600 by default. I can confirm that Bruno will continue to read and write to them just fine with those permissions set.

貢獻者指南

技術棧: javascriptelectron
領域: securitydesktop
議題類型: feature
難度: 3
預計時間: 1-3 hours
活動狀態: fresh
清晰度: clear
前置要求: Node.js file systemchmod usage
新手友善度: 75
研究方向: The issue proposes modifying the default file permissions for environment files from 644 to 600. Look for the code that creates environment files, likely in the app's file handling modules. The change is straightforward: set the file mode to 0o600 when writing. Test that reading and writing still works after the change.