Add warning to overly permissive config file
This commit is contained in:
parent
779aa7aacc
commit
93d90ba90b
GPG key ID:
0A400FFE10097C30
1 changed files with 31 additions and 5 deletions
36
src/main.rs
36
src/main.rs
|
|
@ -5,6 +5,7 @@ use std::fmt::{Debug, Display};
|
||||||
use std::fs::File;
|
use std::fs::File;
|
||||||
use std::io::{self, IsTerminal};
|
use std::io::{self, IsTerminal};
|
||||||
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
|
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
|
||||||
|
use std::os::unix::fs::PermissionsExt;
|
||||||
use std::path::{Path, PathBuf};
|
use std::path::{Path, PathBuf};
|
||||||
use std::process::ExitCode;
|
use std::process::ExitCode;
|
||||||
use std::time::Duration;
|
use std::time::Duration;
|
||||||
|
|
@ -491,20 +492,45 @@ fn load_config(user_provided_path: Option<PathBuf>) -> Option<Config> {
|
||||||
None
|
None
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[instrument(level = "error", fields(path = %path.as_ref().display()))]
|
||||||
fn load_config_from_path<P: AsRef<Path>>(path: P) -> Option<Config> {
|
fn load_config_from_path<P: AsRef<Path>>(path: P) -> Option<Config> {
|
||||||
let path = path.as_ref();
|
let path = path.as_ref();
|
||||||
|
|
||||||
|
let file = match File::open(path) {
|
||||||
|
Ok(file) => file,
|
||||||
|
Err(e) => {
|
||||||
|
debug!("Unable to read the config file: {e}");
|
||||||
|
return None;
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
match file.metadata() {
|
||||||
|
Ok(metadata) => {
|
||||||
|
// mode is a u32, but only the bottom 9 bits represent the
|
||||||
|
// permissions. Mask and keep the bits we care about.
|
||||||
|
let current_mode = metadata.permissions().mode() & 0o777;
|
||||||
|
if current_mode != 0o600 {
|
||||||
|
warn!(
|
||||||
|
found = format!("{:o}", current_mode),
|
||||||
|
expected = "600",
|
||||||
|
"File permissions too broad! Your GLOBAL Cloudflare API key is accessible to all users on the system!"
|
||||||
|
)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
Err(e) => {
|
||||||
|
warn!("Failed to read metadata for file: {e}");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
match std::fs::read_to_string(&path) {
|
match std::fs::read_to_string(&path) {
|
||||||
Ok(data) => match toml::from_str(&data) {
|
Ok(data) => match toml::from_str(&data) {
|
||||||
Ok(config) => return Some(config),
|
Ok(config) => return Some(config),
|
||||||
Err(err) => {
|
Err(err) => {
|
||||||
debug!(path = %path.display(), "Failed to parse config file: {err}");
|
debug!("Failed to parse config file: {err}");
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
Err(err) => {
|
Err(err) => {
|
||||||
debug!(
|
debug!("Unable to read the config file: {err}",);
|
||||||
path = %path.display(),
|
|
||||||
"Unable to read the config file: {err}",
|
|
||||||
);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
None
|
None
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue