Description
Vulnerability Type: Time-of-Check to Time-of-Use (TOCTOU) Race Condition / Insecure File Permissions
Component: src/fs_util.rs, src/credential_store.rs, src/oauth_config.rs
Details: The gws CLI uses atomic_write and atomic_write_async in src/fs_util.rs to persist sensitive information such as client_secret.json and encrypted OAuth tokens (credentials.enc).
Currently, these functions write the data to a temporary file (e.g., client_secret.json.tmp) with whatever mode the default system umask yields (often 0644 or 0666), and then rename it into place. The permissions are only tightened to 0600 after the file has been renamed (e.g., in oauth_config.rs:88).
Impact: A local attacker running a script that watches the ~/.config/gws/ directory via inotify can open the temporary file or the renamed file before the chmod 0o600 is applied. This allows a low-privileged user on a shared system to exfiltrate the victim's Google Workspace plaintext OAuth client secrets or encrypted credential material.
Proposed Fix: The temporary file must be created with secure 0o600 permissions atomically at creation time using std::os::unix::fs::OpenOptionsExt, which closes the TOCTOU window entirely. I have a patch ready to submit.
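The proposed fix, written out as an added example rather than the gws project's own fs_util.rs: `atomic_write_then_chmod` reproduces the create-with-umask, rename, then chmod pattern the report describes, and `atomic_write_secure` is the hardened form that passes `mode(0o600)` through `OpenOptionsExt` so the temp file is never readable by other users at any point. All function names, the `.tmp` suffix convention and the scratch paths are assumptions for this illustration; `mode_of` is a small post-write check a reviewer can use to confirm the bits on disk.

```rust
// Added example (not the gws project's code): temp-then-rename writer whose
// temp file is born with 0o600, beside the create-then-chmod pattern the
// report describes. Function and file names here are assumed.
use std::fs::{self, File, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::{Path, PathBuf};

/// `<path>.tmp` in the same directory, so the final rename stays on one filesystem.
pub fn tmp_path(path: &Path) -> PathBuf {
    let mut s = path.as_os_str().to_owned();
    s.push(".tmp");
    PathBuf::from(s)
}

/// Pattern the report describes: the temp file inherits the umask (typically
/// 0644), is renamed into place, and only then tightened to 0600. Between
/// open() and set_permissions() other local users can read the secret.
pub fn atomic_write_then_chmod(path: &Path, data: &[u8]) -> io::Result<()> {
    let tmp = tmp_path(path);
    fs::write(&tmp, data)?; // mode = 0o666 & !umask
    fs::rename(&tmp, path)?;
    fs::set_permissions(path, fs::Permissions::from_mode(0o600)) // too late
}

/// Hardened form: O_CREAT|O_EXCL with mode 0600 at creation time. The umask
/// can only clear bits of the requested mode, never add them, so the file is
/// owner-only from its first instant.
pub fn atomic_write_secure(path: &Path, data: &[u8]) -> io::Result<()> {
    let tmp = tmp_path(path);
    let mut f = OpenOptions::new()
        .write(true)
        .create_new(true) // fail rather than reuse a pre-existing file or symlink at tmp
        .mode(0o600)
        .open(&tmp)?;
    match write_and_rename(&mut f, &tmp, path, data) {
        Ok(()) => Ok(()),
        Err(e) => {
            let _ = fs::remove_file(&tmp); // don't leave a partial secret behind
            Err(e)
        }
    }
}

fn write_and_rename(f: &mut File, tmp: &Path, path: &Path, data: &[u8]) -> io::Result<()> {
    f.write_all(data)?;
    f.sync_all()?; // data on disk before the rename publishes it
    fs::rename(tmp, path)
}

/// Permission bits of `path`, for a post-write check.
pub fn mode_of(path: &Path) -> io::Result<u32> {
    Ok(fs::metadata(path)?.permissions().mode() & 0o777)
}

/// Unique scratch path for the demo (constructed; not a real config location).
pub fn demo_path(name: &str) -> PathBuf {
    std::env::temp_dir().join(format!("gws-atomic-write-demo-{}-{}", std::process::id(), name))
}

fn main() -> io::Result<()> {
    // Constructed placeholder content, not a real client secret.
    let secret = br#"{"client_secret":"constructed-placeholder"}"#;
    let p = demo_path("client_secret.json");
    atomic_write_secure(&p, secret)?;
    println!("{} mode={:o}", p.display(), mode_of(&p)?);
    fs::remove_file(&p)
}
```

Both writers end with a 0600 file; the difference is only visible during the write, which is exactly the window the report is about, so the check worth adding to a test suite is one that opens the temp path from a second process while the write is in flight, not one that inspects the final file. `create_new(true)` also means a stale `.tmp` left by a crashed run causes an explicit error instead of being silently reused.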