security: harden file permissions, fix timing attack and API key exposure#52
Open
G2Bent wants to merge 1 commit into 170-carry:main from
Conversation
…sure

- Add `constant_time_eq` crate and use constant-time comparison in `is_authorized()` to prevent timing side-channel attacks on the proxy API key
- Redact API key from proxyd stdout (only print first 8 chars) to prevent the full key from being captured in systemd journal / logs
- Add `private_create_new_options()` helper in utils.rs that opens files with O_CREAT | mode 0o600 on Unix atomically, eliminating the TOCTOU window between file creation and `chmod`
- Use `private_create_new_options()` when writing auth.json, accounts store, api-proxy.key, and SSH private key temp files
- Add `write_private_file()` helper in store.rs for shadow/corrupt backup writes that also sets 0o600 from the initial open
- Improve `set_private_permissions()` on Windows to call `icacls` and restrict access to the current user (previously a no-op)
Summary
- The API key comparison in proxy_service.rs now uses constant_time_eq, so an attacker cannot infer the key contents from response-time differences
- private_create_new_options() utility function: on Unix it creates temporary files atomically with mode(0o600), avoiding the brief window after file creation and before chmod in which the file is readable by other users (covers proxy_service.rs, auth.rs, store.rs, and the SSH private key temp files in remote_service.rs)
- When printing status in proxy_daemon.rs, only a preview of the first 8 characters of the key is printed, never the full key
- set_private_permissions() in utils.rs now calls icacls on Windows to remove the Everyone permission, keeping read/write access only for the current user (previously an empty implementation)
- constant_time_eq = "0.3" dependency

Changed files

- src-tauri/Cargo.toml: constant_time_eq dependency
- src-tauri/src/utils.rs: private_create_new_options(), improved Windows set_private_permissions()
- src-tauri/src/proxy_service.rs
- src-tauri/src/proxy_daemon.rs
- src-tauri/src/auth.rs
- src-tauri/src/store.rs: write_private_file() helper function
- src-tauri/src/remote_service.rs

Test plan

- 0o600
- icacls call successfully restricts file permissions

🤖 Generated with Claude Code
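The two mechanisms this PR describes, atomic 0o600 file creation and constant-time key comparison, as an added stand-alone example that is not the project's code (the function names and signatures are assumed, the comparison is written inline rather than via the `constant_time_eq` crate, and the mode check is Unix-only):

```rust
// Added illustration (not the project's code): atomic private-file creation
// and constant-time key comparison, as described in the PR summary.
use std::fs::{File, OpenOptions};
use std::io;
use std::path::Path;

/// Open `path` for writing, creating it with mode 0o600 in the same
/// open(2) call (O_CREAT | O_EXCL on Unix), so there is no window in
/// which another local user can read the file before a later chmod.
/// Mirrors the intent of the PR's `private_create_new_options()` (signature assumed).
pub fn private_create_new(path: &Path) -> io::Result<File> {
    let mut opts = OpenOptions::new();
    opts.write(true).create_new(true);
    #[cfg(unix)]
    {
        use std::os::unix::fs::OpenOptionsExt;
        opts.mode(0o600); // applied at creation time (still subject to umask)
    }
    opts.open(path)
}

/// Constant-time byte comparison: every byte is inspected regardless of where
/// the first mismatch is, so timing does not leak a matching prefix of the
/// secret. Same idea as the `constant_time_eq` crate the PR adds; lengths are
/// not secret here (API keys have a fixed length), so a length check is fine.
pub fn keys_match(presented: &[u8], expected: &[u8]) -> bool {
    if presented.len() != expected.len() {
        return false;
    }
    let mut diff: u8 = 0;
    for (a, b) in presented.iter().zip(expected) {
        diff |= a ^ b;
    }
    diff == 0
}

/// Redacted preview for logs: first 8 characters only, as the PR does for
/// the proxyd status output.
pub fn key_preview(key: &str) -> String {
    let head: String = key.chars().take(8).collect();
    format!("{}...", head)
}

/// Permission bits of a created file (Unix only), for verifying the 0o600 mode.
#[cfg(unix)]
pub fn created_mode(path: &Path) -> io::Result<u32> {
    use std::os::unix::fs::PermissionsExt;
    Ok(std::fs::metadata(path)?.permissions().mode() & 0o777)
}
```

Because `create_new` maps to O_EXCL, a second call on the same path fails with `AlreadyExists` instead of silently reusing a file another user may have pre-created.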