From 8068cf1dfe1003053fed8251a58c9f33ac8f2bf2 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Sun, 28 Dec 2025 00:29:59 +0000
Subject: [PATCH] Fix file permission vulnerability in MCP gateway config (Alert #391)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Changed WriteFile permissions from 0644 to 0600
- Prevents unauthorized access to config file containing API keys
- Addresses gosec G306 security alert
- Follows principle of least privilege for sensitive files

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5
---
 pkg/awmg/gateway.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/pkg/awmg/gateway.go b/pkg/awmg/gateway.go
index 52c4ce1ecfc..01c99994092 100644
--- a/pkg/awmg/gateway.go
+++ b/pkg/awmg/gateway.go
@@ -440,8 +440,9 @@ func rewriteMCPConfigForGateway(configPath string, config *MCPGatewayServiceConf
 	gatewayLog.Printf("Writing %d bytes to config file", len(data))
 	fmt.Fprintln(os.Stderr, console.FormatInfoMessage(fmt.Sprintf("Writing %d bytes to config file", len(data))))
 
-	// Write back to file
-	if err := os.WriteFile(configPath, data, 0644); err != nil {
+	// Write back to file with restrictive permissions (0600) since config contains sensitive data (API keys)
+	// gosec G306: Use 0600 permissions to prevent other users from reading the config file
+	if err := os.WriteFile(configPath, data, 0600); err != nil {
 		gatewayLog.Printf("Failed to write rewritten config: %v", err)
 		fmt.Fprintln(os.Stderr, console.FormatErrorMessage(fmt.Sprintf("Failed to write rewritten config: %v", err)))
 		return fmt.Errorf("failed to write rewritten config: %w", err)
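Review bot: The 0600 mode passed to `os.WriteFile` only applies when the file is created; the "Write back to file" comment and the function name suggest configPath usually already exists, in which case WriteFile truncates it and keeps whatever mode it already had (for example 0644 from an earlier run), so the API keys remain readable by other users despite this change. Tightening the existing file explicitly closes that gap: after the successful write add `if err := os.Chmod(configPath, 0600); err != nil { return fmt.Errorf("failed to restrict config permissions: %w", err) }`, or chmod first (ignoring os.ErrNotExist) so the secret-bearing bytes are never written into a still-readable file. It is also worth noting in the comment that the creation mode is masked by the process umask, so 0600 is the most permissive outcome rather than a guarantee. rewriteMCPConfigForGateway starts and ends outside the hunk.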