From 398efdf9c4641449cc97302cdcf230792ec0f886 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Sun, 4 Jan 2026 08:14:32 +0000
Subject: [PATCH] Security fix: Change directory permissions from 0755 to 0750 in logs_download.go
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes alerts #461 and #460 by using more restrictive directory permissions (owner+group only) instead of world-readable permissions. This follows the principle of least privilege for log artifact directories.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5
---
pkg/cli/logs_download.go | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/pkg/cli/logs_download.go b/pkg/cli/logs_download.go
index 5d879e2c5e5..e296b660f39 100644
--- a/pkg/cli/logs_download.go
+++ b/pkg/cli/logs_download.go
@@ -149,15 +149,15 @@ func flattenUnifiedArtifact(outputDir string, verbose bool) error {
 destPath := filepath.Join(outputDir, relPath)
 if info.IsDir() {
- // Create directory in destination
- if err := os.MkdirAll(destPath, 0755); err != nil {
+ // Create directory in destination with owner+group permissions only (0750)
+ if err := os.MkdirAll(destPath, 0750); err != nil {
 return fmt.Errorf("failed to create directory %s: %w", destPath, err)
 }
 logsDownloadLog.Printf("Created directory: %s", destPath)
 } else {
 // Move file to destination
- // Ensure parent directory exists
- if err := os.MkdirAll(filepath.Dir(destPath), 0755); err != nil {
+ // Ensure parent directory exists with owner+group permissions only (0750)
+ if err := os.MkdirAll(filepath.Dir(destPath), 0750); err != nil {
 return fmt.Errorf("failed to create parent directory for %s: %w", destPath, err)
 }
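Review bot: The `0750` mode passed to the two `os.MkdirAll` calls only applies to directories the call actually creates, so an output tree left over from an earlier run, or an `outputDir` created elsewhere with 0755, stays world-readable after this change. `MkdirAll` returns nil without changing the mode when the path already exists, and the requested bits are further reduced by the process umask. If the intent is that log artifacts are never world-readable, state that limit next to the calls, e.g. `// MkdirAll does not chmod existing directories; pre-existing paths keep their old mode`, and check how `outputDir` and the moved files get their permissions, which this hunk does not show. The literal is also repeated at both sites; a single `const logsDirPerm os.FileMode = 0o750` would keep them in step. The body of flattenUnifiedArtifact starts and ends outside the hunk.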