Summary
When HOME (and USERPROFILE) are unset, APW silently falls back to the current working directory as the root for its state:
rust/src/native_app.rs → home_dir() returns PathBuf::from(".") (only emits a warn log).rust/src/utils.rs → config_root() falls back to ".".to_string().
As a result, ./.apw/ ends up holding config.json, the broker socket, fallback-provider-session.json, and — under APW_DEMO=1 — credentials.json.
Why it matters
If apw is invoked with HOME unset (cron jobs, CI, daemonized contexts, sudo with a stripped environment, some sandboxes) while the working directory is a shared or world-readable location (e.g. /tmp, a build dir, a repo checkout), APW will create credential/config state there. Individual files are chmod 0600, but:
- The containing
./.apw directory may inherit a more permissive mode depending on umask/race, and its mere location is attacker-predictable.
- Credential/session files landing in a repo working tree risk being committed.
- A pre-existing attacker-controlled
./.apw (e.g. a planted socket or config) could be picked up.
Recommendation
Fail closed when HOME/USERPROFILE are both unset (return an InvalidConfig/ProcessNotRunning error) instead of writing secrets into the CWD. At minimum, refuse to create credentials.json, sockets, and config under a CWD fallback.
References
rust/src/native_app.rs (home_dir)rust/src/utils.rs (config_root)
Severity: Low
Filed by an automated deep security review.
Summary
When
HOME(andUSERPROFILE) are unset, APW silently falls back to the current working directory as the root for its state:rust/src/native_app.rs→home_dir()returnsPathBuf::from(".")(only emits awarnlog).rust/src/utils.rs→config_root()falls back to".".to_string().As a result,
./.apw/ends up holdingconfig.json, the broker socket,fallback-provider-session.json, and — underAPW_DEMO=1—credentials.json.Why it matters
If
apwis invoked withHOMEunset (cron jobs, CI, daemonized contexts,sudowith a stripped environment, some sandboxes) while the working directory is a shared or world-readable location (e.g./tmp, a build dir, a repo checkout), APW will create credential/config state there. Individual files arechmod 0600, but:./.apwdirectory may inherit a more permissive mode depending on umask/race, and its mere location is attacker-predictable../.apw(e.g. a planted socket or config) could be picked up.Recommendation
Fail closed when
HOME/USERPROFILEare both unset (return anInvalidConfig/ProcessNotRunningerror) instead of writing secrets into the CWD. At minimum, refuse to createcredentials.json, sockets, and config under a CWD fallback.References
rust/src/native_app.rs(home_dir)rust/src/utils.rs(config_root)Severity: Low
Filed by an automated deep security review.