chain-studio/lib
flemming-it 1c306916aa
Some checks failed
Security / Security check (push) Failing after 1s
fix(security): atomic hub-auth-token writes (P1-5)
`hub_auth_token.dart` write() previously did

  await f.writeAsString(token);          // file is now 0644 (umask)
  await Process.run('chmod', ['600', f.path]);

which leaves a TOCTOU window where the file is world-readable
between the writeAsString and the chmod call. On a multi-user
host another user could read the bearer token during that
window.

New flow:

  await tmp.writeAsString(token);        // .tmp file
  await chmod(600, tmp.path);            // restrict mode FIRST
  await tmp.rename(f.path);              // atomic POSIX rename

The destination is never visible with permissive perms. Also
sets `~/.fai/` itself to 0700 on Unix on first creation so
other users on a shared host can't enumerate the directory.

dart analyze clean; flutter test green (12 tests).
Bumped pubspec to 0.49.1.

Signed-off-by: flemming-it <stefan.a.flemming@googlemail.com>
2026-05-29 17:47:29 +02:00
..
data fix(security): atomic hub-auth-token writes (P1-5) 2026-05-29 17:47:29 +02:00
l10n feat(settings): multi-version uninstall picker + default_scope editor 2026-05-29 00:21:51 +02:00
pages chore(deps): bump file_picker 8→11 + transitive lifts 2026-05-29 07:15:25 +02:00
theme feat(studio): surface provider + sourceKind + versionAdvisory on CapabilityInfo 2026-05-28 10:54:48 +02:00
widgets chore(deps): bump file_picker 8→11 + transitive lifts 2026-05-29 07:15:25 +02:00
main.dart feat(studio): theme-plugin picker + translate-hook wrapper 2026-05-25 23:02:21 +02:00