[security-fix] Fix file permission vulnerability in MCP gateway config (Alert #391)

[github-actions]

Security Fix: Incorrect Default Permissions in MCP Gateway Config

Alert Number: #391
Severity: Medium
Rule: G306 - Expect WriteFile permissions to be 0600 or less
Tool: gosec (Golang security checks)
Location: pkg/awmg/gateway.go:444

Vulnerability Description

Gosec detected that the MCP gateway configuration file was being written with 0644 permissions (readable by owner, group, and others), when it should use 0600 or less. This is a security issue because:

1. Sensitive Data Exposure: The config file contains API keys (line 420: Authorization: Bearer (API_KEY))
2. Unnecessary Access: Group and other users on the system can read the file contents
3. Best Practice Violation: Configuration files with credentials should be owner-readable only

Data Flow:

1. Gateway config contains API keys (line 420)
2. Config marshaled to JSON (line 433)
3. Written to file with 0644 permissions (line 444) ← Vulnerability point
4. File readable by group and other users on the system

Fix Applied

Changed file permissions from 0644 to 0600 for the rewritten MCP gateway config file:

Before:

// Write back to file
if err := os.WriteFile(configPath, data, 0644); err != nil {

After:

// Write back to file with restrictive permissions (0600) since config contains sensitive data (API keys)
// gosec G306: Use 0600 permissions to prevent other users from reading the config file
if err := os.WriteFile(configPath, data, 0600); err != nil {

Security Best Practices Applied

✅ Principle of Least Privilege: File is now owner-readable/writable only
✅ Defense in Depth: Prevents unauthorized access to sensitive configuration
✅ Industry Standard: Follows security best practices for credential storage
✅ G306 Compliance: Satisfies gosec security scanner requirements
✅ No Breaking Changes: Functionality remains identical

Testing

✅ Build succeeded: go build ./pkg/awmg/... passes without errors
✅ No breaking changes: File writing functionality unchanged
✅ Enhanced security: Config file with API keys no longer world-readable
✅ Backwards compatible: Owner can still read/write the file

Impact Assessment

Risk: Minimal
Breaking Changes: None
Backwards Compatibility: Full
Performance: No impact

The fix only changes file permissions from 0644 (rw-r--r--) to 0600 (rw-------). The owner can still read and write the file normally, but group and other users can no longer read sensitive API keys from the config file.

Why This Fix Is Important

1. Protects Credentials: API keys in config file are no longer readable by other users
2. Follows Best Practices: Configuration files with secrets should be owner-only
3. Industry Standards: Aligns with OWASP and security community recommendations
4. Satisfies Security Scanners: Eliminates gosec G306 alert
5. Defense in Depth: Adds an additional layer of protection for sensitive data

Files Modified

• pkg/awmg/gateway.go:
  • Line 443-445: Changed file permissions from 0644 to 0600
  • Added explanatory comment documenting the security requirement

References

• CodeQL Alert: https://github.com/githubnext/gh-aw/security/code-scanning/391
• Gosec G306: Expect WriteFile permissions to be 0600 or less
• CWE-732: Incorrect Permission Assignment for Critical Resource
• OWASP: [Sensitive Data Exposure]((redacted)

---

🤖 Generated by Security Fix Agent in workflow run 20546341210

AI generated by Security Fix PR