Require CLI configuration files to only have the read and write user permission bits set
Problem to solve
The GitLab CLI trusts that the user level configuration can only be read and edited by the user class. However, it's possible that the configuration files are modifiable by anyone which can be considered unsafe (but not necessarily vulnerable). To harden the security of the GitLab CLI, the permissions of the files should be checked to ensure that they only the read
and write
permissions for user
set. This is also the security model followed by OpenSSH (excerpt from the man page):
FILES
~/.ssh/config
This is the per-user configuration file. The format of this file is described above. This file is used by the SSH client. Because of the potential for abuse, this file must have strict permissions: read/write for the user, and not writable by
others.
/etc/ssh/ssh_config
Systemwide configuration file. This file provides defaults for those values that are not specified in the user's configuration file, and for those users who do not have a configuration file. This file must be world-readable.
Proposal
Check that CLI config file permissions matches 0o600
(octal notation in Go).
Further details
You can use fs.Stat to get the file's info which contains the FileMode
(this has the file mode and permission bits).
Links / references
Edited by Oscar Tovar