From 2ddcc1aee2758d7aad580d617396062a4802709e Mon Sep 17 00:00:00 2001 From: Chenhao Tan Date: Sun, 1 Mar 2026 16:08:43 +0000 Subject: [PATCH] Restrict file permissions on config.json containing secrets Set config directory to 0o700 and config file to 0o600 using temp file + atomic rename pattern to prevent other users from reading stored credentials. Closes #12 Co-Authored-By: Claude Opus 4.6 --- README.md | 2 +- minbot/config.py | 19 ++++++++++++++++++- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 4ebd162..b66a153 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,7 @@ A lightweight Telegram bot that monitors GitHub issues, estimates difficulty/urgency, suggests what to work on, and can autonomously work on issues using Claude Code. -📏 Core bot in **1171 lines** of Python (run `bash core_lines.sh` to verify) +📏 Core bot in **1188 lines** of Python (run `bash core_lines.sh` to verify) ## Quick Start diff --git a/minbot/config.py b/minbot/config.py index 386ed46..b4f07bb 100644 --- a/minbot/config.py +++ b/minbot/config.py @@ -1,4 +1,7 @@ +import contextlib import json +import os +import tempfile from pathlib import Path from pydantic import BaseModel @@ -23,4 +26,18 @@ def load_config(path: Path = CONFIG_PATH) -> Config: def save_config(config: Config, path: Path = CONFIG_PATH) -> None: path.parent.mkdir(parents=True, exist_ok=True) - path.write_text(config.model_dump_json(indent=2)) + os.chmod(path.parent, 0o700) + fd, tmp = tempfile.mkstemp(dir=path.parent, suffix=".tmp") + closed = False + try: + os.write(fd, config.model_dump_json(indent=2).encode()) + os.fchmod(fd, 0o600) + os.close(fd) + closed = True + os.rename(tmp, path) + except BaseException: + if not closed: + os.close(fd) + with contextlib.suppress(FileNotFoundError): + os.unlink(tmp) + raise