Require CLI configuration files to only have the read and write user permission bits set

Problem to solve

The GitLab CLI trusts that the user level configuration can only be read and edited by the user class. However, it's possible that the configuration files are modifiable by anyone which can be considered unsafe (but not necessarily vulnerable). To harden the security of the GitLab CLI, the permissions of the files should be checked to ensure that they only the read and write permissions for user set. This is also the security model followed by OpenSSH (excerpt from the man page):

FILES
     ~/.ssh/config
             This is the per-user configuration file.  The format of this file is described above.  This file is used by the SSH client.  Because of the potential for abuse, this file must have strict permissions: read/write for the user, and not writable by
             others.

     /etc/ssh/ssh_config
             Systemwide configuration file.  This file provides defaults for those values that are not specified in the user's configuration file, and for those users who do not have a configuration file.  This file must be world-readable.

Proposal

Check that CLI config file permissions matches 0o600 (octal notation in Go).

Further details

You can use fs.Stat to get the file's info which contains the FileMode (this has the file mode and permission bits).

Links / references

Edited Jun 13, 2024 by Oscar Tovar

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information