Skip to content

Set secure file permissions (0600) for config.yaml files #7818

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Set secure file permissions (0600) for config.yaml files #7818

wants to merge 2 commits into from

Conversation

continue[bot]
Copy link
Contributor

@continue continue bot commented Sep 17, 2025
edited by cubic-dev-ai bot
Loading

Config files containing API keys and other sensitive data should not be world-readable. This PR changes the file creation mode to 0600 (owner read/write only) when creating or updating config.yaml files.

Changes:

  • Modified getConfigYamlPath() in core/util/paths.ts to set mode 0600 when creating initial config.yaml
  • Modified editConfigYaml() in core/util/paths.ts to set mode 0600 when updating config.yaml
  • Modified config conversion command in extensions/vscode/src/commands.ts to set mode 0600

Security Impact:
This prevents accidentally exposing API keys and other credentials in config.yaml to other users on multi-user systems.

Summary by cubic

Set config.yaml permissions to 0600 (owner read/write only) when creating or updating the file in both core and VS Code extension paths. This prevents world-readable configs and reduces the risk of leaking API keys on multi-user systems.

@sestinj
Set secure file permissions (0600) for config.yaml files
d23aecf 
Config files containing API keys and other sensitive data should not be
world-readable. Changed fs.writeFileSync calls to use mode 0o600 (owner
read/write only) when creating or updating config.yaml files.

Generated with [Continue](https://continue.dev)

Co-Authored-By: Continue <noreply@continue.dev>
@continue continue bot requested a review from a team as a code owner September 17, 2025 22:13
@continue continue bot requested review from tingwai and removed request for a team September 17, 2025 22:13
@dosubot dosubot bot added the size:XS This PR changes 0-9 lines, ignoring generated files. label Sep 17, 2025
@github-actions GitHub Actions
Copy link

⚠️ PR Title Format

Your PR title doesn't follow the conventional commit format, but this won't block your PR from being merged. We recommend using this format for better project organization.

Expected Format:

<type>[optional scope]: <description>

Examples:

  • feat: add changelog generation support
  • fix: resolve login redirect issue
  • docs: update README with new instructions
  • chore: update dependencies

Valid Types:

feat, fix, docs, style, refactor, perf, test, build, ci, chore, revert

This helps with:

  • 📝 Automatic changelog generation
  • 🚀 Automated semantic versioning
  • 📊 Better project history tracking

This is a non-blocking warning - your PR can still be merged without fixing this.

@dosubot dosubot bot added size:S This PR changes 10-29 lines, ignoring generated files. and removed size:XS This PR changes 0-9 lines, ignoring generated files. labels Sep 17, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tingwai tingwai Awaiting requested review from tingwai tingwai is a code owner automatically assigned from continuedev/continue-code-reviewers

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
size:S This PR changes 10-29 lines, ignoring generated files.
Projects
Issues and PRs
Status: Todo
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@sestinj