Athens: Making configuration files that are loaded on the server only readable to the user that it is hosted on

Created on 25 Sep 2018 · 6 Comments · Source: gomods/athens

Is your feature request related to a problem? Please describe.
We have a configuration file (like the exclude/include filter) stored as a conf file. Currently, the permissions for the file are set by the user, and the same set of permissions is carried over to the Athens proxy. The result is that if a user has 777 permissions on the file, the same will go on to the proxy, making the proxy server vulnerable.

Describe the solution you'd like
We can check in the proxy code to make sure that the permissions are either 0400 or 0600, as per Unix, and only then read from it; otherwise, start throwing an error. This is similar to what GitHub does.

Describe alternatives you've considered
I have not really considered any other alternatives.

security vote
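The check the issue proposes, written out as an added example in Go (this is illustrative code, not the Athens project's own implementation, and the function names `CheckFileMode`, `LoadConfig` and `ErrInsecureConfig` are assumptions). It accepts only a regular file with mode exactly 0400 or 0600, refuses a symlink at the config path, and checks the mode of the descriptor it actually reads from rather than a separate stat, so the mode that was verified is the mode of the bytes that get loaded:

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
)

// ErrInsecureConfig is returned when a config file is readable or writable
// by anyone other than its owner. (Name is an assumption for this example.)
var ErrInsecureConfig = errors.New("config file permissions are too open")

// CheckFileMode accepts only a regular file whose permission bits are exactly
// 0400 or 0600 (the two modes proposed in the issue) and that carries no
// setuid/setgid/sticky bits. name is used only for the error message.
func CheckFileMode(name string, mode fs.FileMode) error {
	if !mode.IsRegular() {
		return fmt.Errorf("%s: not a regular file (mode %v)", name, mode)
	}
	if mode&(fs.ModeSetuid|fs.ModeSetgid|fs.ModeSticky) != 0 {
		return fmt.Errorf("%s: unexpected special bits (mode %v)", name, mode)
	}
	switch mode.Perm() {
	case 0o400, 0o600:
		return nil
	default:
		return fmt.Errorf("%w: %s is %04o, want 0400 or 0600",
			ErrInsecureConfig, name, mode.Perm())
	}
}

// LoadConfig refuses a symlink at the config path, opens the file, and checks
// the mode of the open descriptor before reading from that same descriptor.
// Checking the descriptor (rather than a separate os.Stat) means the mode that
// was verified belongs to the same inode the bytes come from.
func LoadConfig(path string) ([]byte, error) {
	li, err := os.Lstat(path)
	if err != nil {
		return nil, err
	}
	if li.Mode()&fs.ModeSymlink != 0 {
		return nil, fmt.Errorf("%s: refusing to follow symlink", path)
	}
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	info, err := f.Stat()
	if err != nil {
		return nil, err
	}
	if err := CheckFileMode(path, info.Mode()); err != nil {
		return nil, err
	}
	return io.ReadAll(f)
}

func main() {
	// Constructed demo: two scratch config files, one owner-only and one
	// world-readable, to show which one the proxy would accept.
	dir, err := os.MkdirTemp("", "athens-conf-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	for _, tc := range []struct {
		name string
		mode fs.FileMode
	}{
		{"private.toml", 0o600},
		{"exposed.toml", 0o644},
	} {
		p := filepath.Join(dir, tc.name)
		if err := os.WriteFile(p, []byte("# constructed sample config\n"), tc.mode); err != nil {
			panic(err)
		}
		// WriteFile applies the process umask, so set the intended mode explicitly.
		if err := os.Chmod(p, tc.mode); err != nil {
			panic(err)
		}
		_, err := LoadConfig(p)
		fmt.Printf("%s (%04o): err=%v\n", tc.name, tc.mode, err)
	}
}
```

The exact-match on 0400/0600 is deliberately strict: it also rejects 0700, because an executable bit on a config file is a sign that something other than the operator has been at it. On Windows the Unix permission bits reported by Go are synthetic, so this check is only meaningful on Unix-like hosts.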

All 6 comments

Vote for 0400 pre-beta

Vote for 0400 post-beta

Vote for 0600 pre-beta

Vote for 0600 post-beta

Please leave comments and suggestions if you can suggest anything

@manugupt1 since this has been open 17+ days, I've put it into v0.1.0 and assigned you. Thanks for opening 🎉 !!
