fix: Restrict credential file permissions to owner-only#11870
Merged
anthonyshew merged 1 commit intomainfrom Feb 17, 2026
Merged
fix: Restrict credential file permissions to owner-only#11870anthonyshew merged 1 commit intomainfrom
anthonyshew merged 1 commit intomainfrom
Conversation
Contributor
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Congrats! CodSpeed is installed 🎉
You will start to see performance impacts in the reports once the benchmarks are run from your default branch.
|
Credential files (config.json, auth.json) were created via fs::File::create() which inherits the process umask, typically resulting in world-readable 0o644 permissions. On shared systems, this allowed other local users to read Vercel API tokens. Add create_with_contents_secret() that sets 0o600 atomically at file creation time on Unix, and explicitly tightens permissions on pre-existing files. Use it for all credential write paths: turbo login, auth token refresh, and logout config rewrite.
3a41a76 to
619dc15
Compare
Contributor
Coverage Report
|
github-actions Bot
added a commit
that referenced
this pull request
Feb 17, 2026
## Release v2.8.10-canary.3 Versioned docs: https://v2-8-10-canary-3.turborepo.dev ### Changes - release(turborepo): 2.8.10-canary.2 (#11873) (`3970226`) - perf: Replace twox-hash with xxhash-rust and optimize file hashing (#11874) (`c4f3325`) - fix: Restrict credential file permissions to owner-only (#11870) (`dba6568`) - perf: Reduce allocations in globwalk (#11528) (`227ce2d`) - fix: Sanitize git command inputs in create-turbo (#11876) (`1d53b4f`) --------- Co-authored-by: Turbobot <turbobot@vercel.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Credential files (
config.json,auth.json) were created withfs::File::create()which inherits the process umask — typically0o644(world-readable) on Unix. On shared multi-user systems, this allowed any local user to read another user's Vercel API tokens.create_with_contents_secret()toAbsoluteSystemPaththat sets0o600atomically at creation time viaOpenOptions::mode(), and explicitly tightens permissions on pre-existing filesturbo login, auth token refresh (write_to_auth_file), and logout config rewritecreate_with_contents(no POSIX permission semantics)Testing
New tests verify:
0o6000o644files are tightened to0o600on overwritewrite_to_auth_fileproduces0o600end-to-endAll existing tests in
turbopath,turborepo-auth, andturborepo-libpass.