From 964b4da2f8bb5e0035dc2237dc4bacd081104d73 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Sun, 28 Dec 2025 04:28:59 +0000
Subject: [PATCH] Fix file permission vulnerability in MCP gateway config (Alert #391)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Changed os.WriteFile permissions from 0644 to 0600 for MCP gateway configuration file to prevent unauthorized access to sensitive API keys.

Security issue: The config file contains Authorization: Bearer tokens (line 420) that should only be readable by the file owner.

- Changed file permissions from 0644 (rw-r--r--) to 0600 (rw-------)
- Added explanatory comment documenting the security requirement
- Satisfies gosec G306 requirement (expect WriteFile permissions ≤ 0600)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5
---
 pkg/awmg/gateway.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/pkg/awmg/gateway.go b/pkg/awmg/gateway.go
index 52c4ce1ecfc..01c99994092 100644
--- a/pkg/awmg/gateway.go
+++ b/pkg/awmg/gateway.go
@@ -440,8 +440,9 @@ func rewriteMCPConfigForGateway(configPath string, config *MCPGatewayServiceConf
 	gatewayLog.Printf("Writing %d bytes to config file", len(data))
 	fmt.Fprintln(os.Stderr, console.FormatInfoMessage(fmt.Sprintf("Writing %d bytes to config file", len(data))))
 
-	// Write back to file
-	if err := os.WriteFile(configPath, data, 0644); err != nil {
+	// Write back to file with restrictive permissions (0600) since config contains sensitive data (API keys)
+	// gosec G306: Use 0600 permissions to prevent other users from reading the config file
+	if err := os.WriteFile(configPath, data, 0600); err != nil {
 		gatewayLog.Printf("Failed to write rewritten config: %v", err)
 		fmt.Fprintln(os.Stderr, console.FormatErrorMessage(fmt.Sprintf("Failed to write rewritten config: %v", err)))
 		return fmt.Errorf("failed to write rewritten config: %w", err)
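Review bot: The 0600 mode passed to os.WriteFile on the new `+ if err := os.WriteFile(configPath, data, 0600)` line only applies when the file is created; an existing config that an earlier run wrote with 0644 keeps its world-readable bits, so for the "write back" case this function handles the Bearer tokens remain exposed and the change is effectively a no-op. After the successful write, add `if err := os.Chmod(configPath, 0600); err != nil { return fmt.Errorf("failed to restrict config permissions: %w", err) }` (or open the file with os.OpenFile and call `f.Chmod(0600)` before writing, so the new contents are never visible under the old mode). The new comment could also state that the mode is still masked by the process umask and is not enforced on Windows, so callers should not treat it as the only protection for the tokens. rewriteMCPConfigForGateway begins before this hunk and continues after it.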