Merge pull request from GHSA-j5fj-rfh6-qj85

enforce restricting secret file permissions to user read/write
planetlabs · May 11, 2023 · 9b9becc · 9b9becc
2 parents 9783607 + 5ee4bd2
commit 9b9becc
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 5 deletions.
diff --git a/planet/auth.py b/planet/auth.py
@@ -19,15 +19,16 @@
 import logging
 import os
 import pathlib
+import stat
 import typing
+from typing import Optional
 
 import httpx
 import jwt
 
 from . import http
 from .constants import ENV_API_KEY, PLANET_BASE_URL, SECRET_FILE_PATH
 from .exceptions import AuthException
-from typing import Optional
 
 LOGGER = logging.getLogger(__name__)
 
@@ -226,8 +227,15 @@ def value(self):
 
 class _SecretFile:
 
-    def __init__(self, path):
-        self.path = path
+    def __init__(self, path: typing.Union[str, pathlib.Path]):
+        self.path = pathlib.Path(path)
+
+        self.permissions = stat.S_IRUSR | stat.S_IWUSR  # user rw
+
+        # in sdk versions <=2.0.0, secret file was created with the wrong
+        # permissions, fix this automatically as well as catching the unlikely
+        # cases where the permissions get changed externally
+        self._enforce_permissions()
 
     def write(self, contents: dict):
         try:
@@ -240,11 +248,24 @@ def write(self, contents: dict):
 
     def _write(self, contents: dict):
         LOGGER.debug(f'Writing to {self.path}')
-        with open(self.path, 'w') as fp:
+
+        def opener(path, flags):
+            return os.open(path, flags, self.permissions)
+
+        with open(self.path, 'w', opener=opener) as fp:
             fp.write(json.dumps(contents))
 
     def read(self) -> dict:
         LOGGER.debug(f'Reading from {self.path}')
         with open(self.path, 'r') as fp:
             contents = json.loads(fp.read())
         return contents
+
+    def _enforce_permissions(self):
+        '''if the file's permissions are not what they should be, fix them'''
+        if self.path.exists():
+            # in octal, permissions is the last three bits of the mode
+            file_permissions = self.path.stat().st_mode & 0o777
+            if file_permissions != self.permissions:
+                LOGGER.info('Fixing planet secret file permissions.')
+                self.path.chmod(self.permissions)
diff --git a/tests/unit/test_auth.py b/tests/unit/test_auth.py
@@ -31,7 +31,7 @@ def test_secretfile_read():
 
 @pytest.fixture
 def secret_path(monkeypatch, tmp_path):
-    secret_path = str(tmp_path / '.test')
+    secret_path = tmp_path / '.test'
     monkeypatch.setattr(auth, 'SECRET_FILE_PATH', secret_path)
     yield secret_path
 
@@ -138,3 +138,19 @@ def test_Auth_store_exists(tmp_path):
 
     with open(secret_path, 'r') as fp:
         assert json.loads(fp.read()) == {"key": "test", "existing": "exists"}
+
+
+def test__SecretFile_permissions_doesnotexist(secret_path):
+    '''No exception is raised if the file doesn't exist'''
+    auth._SecretFile(secret_path)
+
+
+def test__SecretFile_permissions_incorrect(secret_path):
+    '''Incorrect permissions are fixed'''
+    with open(secret_path, 'w') as fp:
+        fp.write('{"existing": "exists"}')
+
+    secret_path.chmod(0o666)
+
+    auth._SecretFile(secret_path)
+    assert secret_path.stat().st_mode & 0o777 == 0o600