SECURITY: race condition in file creation of file containing access token allows token exfil #16

@bennetyee

Description

with open(path, "w") as f:

The way the .span-auth.json file is created here is to open the file with the default permissions, write the json data into it, and then fix the file permissions so that it's only readable/writable by the user. This has a race condition. The security threat model assumption appears to be that we are on a multi-user machine where an adversary has a user account, since if we are on a single-user machine we don't need to set the access permissions. In this scenario, an adversary process could open the .span-auth.json file between the json.dump and the os.chmod and successfully obtain a read descriptor, since the typical umask value is 0o22 or 0o02, and exfiltrate the access token.

This is not a high severity problem, since the timing has to be right and this only occurs when the panel access is being initialized, but it is a real, exploitable security issue.

One of the ways to address this would be something like

import json
import os
import stat

def save_auth_file(data: dict) -> None:
    """Save credentials to file with secure permissions."""
    path = get_auth_file_path()

    # Ensure parent directory exists
    path.parent.mkdir(parents=True, exist_ok=True)

    # Write with restricted permissions, using a custom opener.  This
    # is better than setting umask and restoring the original value
    # afterwards since that is not thread safe.  The mode is applied at
    # creation time (O_CREAT), so the file is never world/group-readable.
    def opener(path, flags):
        return os.open(path, flags, stat.S_IRUSR | stat.S_IWUSR)

    with open(path, "w", opener=opener) as f:
        json.dump(data, f, indent=2)

or to use umask. I think open with opener is supposed to be supported on Windows, but I am not 100% positive.
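The following is an added demonstration, not code from the issue or from the project: it runs both patterns under umask 0o022 (the common default the report names) in a temporary directory and records the permission bits the file carries while it is open for writing. The open-then-chmod pattern shows 0o644 during the write window and only reaches 0o600 after the chmod; the opener pattern is 0o600 from creation. The token value and file names are constructed for the example.

```python
import json
import os
import stat
import tempfile
from pathlib import Path


def write_then_chmod(path: Path, data: dict) -> tuple:
    """Pattern described in the issue: create with umask-derived default
    permissions, write the secret, then chmod.  Returns (mode while the
    file is open and already contains the token, mode after chmod)."""
    with open(path, "w") as f:
        json.dump(data, f)
        f.flush()
        # Permission bits visible to other users during the race window.
        mode_during_window = stat.S_IMODE(os.fstat(f.fileno()).st_mode)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    mode_after_chmod = stat.S_IMODE(path.stat().st_mode)
    return mode_during_window, mode_after_chmod


def write_with_opener(path: Path, data: dict) -> int:
    """Hardened pattern: pass the restrictive mode to os.open at creation,
    so there is no window in which the file is readable by others.
    Returns the mode observed while the file is open."""
    def opener(p, flags):
        return os.open(p, flags, stat.S_IRUSR | stat.S_IWUSR)

    with open(path, "w", opener=opener) as f:
        json.dump(data, f)
        f.flush()
        return stat.S_IMODE(os.fstat(f.fileno()).st_mode)


def demo() -> tuple:
    """Run both writers under umask 0o022 in a fresh temp dir and return
    (window mode for chmod pattern, final mode for chmod pattern,
    mode for opener pattern).  The umask is set explicitly so the result
    does not depend on the caller's environment, and restored afterwards."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            # Constructed sample payload; not a real token.
            sample = {"access_token": "CONSTRUCTED-EXAMPLE-TOKEN"}
            window_mode, final_mode = write_then_chmod(
                Path(d) / "chmod-after.json", sample)
            opener_mode = write_with_opener(
                Path(d) / "opener.json", sample)
    finally:
        os.umask(old_umask)
    return window_mode, final_mode, opener_mode


if __name__ == "__main__":
    w, f, o = demo()
    print(f"open-then-chmod: {w:04o} while writing, {f:04o} after chmod")
    print(f"opener:          {o:04o} from creation")
```

On a POSIX system the first line prints `0644` for the write window: the group and others have read permission on a file that already holds the token until the chmod runs. The opener variant never passes through that state, which is the property the proposed fix relies on.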
