From da6b0d8a0113b3d19ba2f9d735619656963c8678 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Mon, 29 Dec 2025 04:27:08 +0000
Subject: [PATCH] Security fix: Restrict MCP gateway config file permissions to 0600
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fix for security alert #391 (gosec G306)
Changed file permissions from 0644 to 0600 when writing MCP gateway config file containing sensitive API keys. This prevents unauthorized users from reading the config file.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5
---
 pkg/awmg/gateway.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkg/awmg/gateway.go b/pkg/awmg/gateway.go
index 52c4ce1ecfc..b3a21ba0363 100644
--- a/pkg/awmg/gateway.go
+++ b/pkg/awmg/gateway.go
@@ -440,8 +440,8 @@ func rewriteMCPConfigForGateway(configPath string, config *MCPGatewayServiceConf
 gatewayLog.Printf("Writing %d bytes to config file", len(data))
 fmt.Fprintln(os.Stderr, console.FormatInfoMessage(fmt.Sprintf("Writing %d bytes to config file", len(data))))
- // Write back to file
- if err := os.WriteFile(configPath, data, 0644); err != nil {
+ // Write back to file with restricted permissions (0600) since it contains sensitive API keys
+ if err := os.WriteFile(configPath, data, 0600); err != nil {
 gatewayLog.Printf("Failed to write rewritten config: %v", err)
 fmt.Fprintln(os.Stderr, console.FormatErrorMessage(fmt.Sprintf("Failed to write rewritten config: %v", err)))
 return fmt.Errorf("failed to write rewritten config: %w", err)
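Review bot: The 0600 passed to `os.WriteFile` only takes effect when the call creates the file; for a path that already exists, WriteFile truncates and rewrites it without changing its mode. The function name and the "Write back to file" comment suggest `configPath` normally exists already, so a config previously written as 0644 would stay world-readable after this change. Tighten the mode explicitly before the write, for example `if err := os.Chmod(configPath, 0600); err != nil && !os.IsNotExist(err) { return fmt.Errorf("failed to restrict config permissions: %w", err) }`, or write a new 0600 temp file in the same directory and rename it over the original. The body of rewriteMCPConfigForGateway starts and ends outside the hunk, so an earlier permission fix-up may exist that is not visible here.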