Summary
save_session writes LinkedIn session cookies (including the li_at account access token) to disk with default world-readable permissions, allowing any local user to hijack the LinkedIn account.
Location
- File: src/core/browser.rs
- Line(s): 106–117
Severity
High
Details
std::fs::write(filepath, json) creates files with umask-derived permissions (typically 0o644 — world-readable). Any other process or user on the same system can read the session file and steal the LinkedIn session. No path sanitization is performed on filepath.
Suggested Fix
Use OpenOptions with explicit restrictive permissions:
use std::io::Write;                 // needed for write_all
use std::os::unix::fs::OpenOptionsExt;
// mode() sets the permission bits used when the file is created
let mut file = std::fs::OpenOptions::new()
    .write(true).create(true).truncate(true)
    .mode(0o600)
    .open(filepath)?;
file.write_all(json.as_bytes())?;
Also validate that filepath is within an expected directory.
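The suggested fix carried through as an added example (not the project's code): it rejects paths that escape a base directory, creates the file with mode 0600, and also tightens the permissions of a pre-existing file, since OpenOptions::mode only applies when the file is created. The base_dir parameter and the error type are assumptions for this example.

```rust
use std::fs::OpenOptions;
use std::io::Write;
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::{Component, Path, PathBuf};

/// Hypothetical error type for this example.
#[derive(Debug, PartialEq)]
pub enum SessionError {
    PathOutsideBaseDir,
    Io(String),
}

impl From<std::io::Error> for SessionError {
    fn from(e: std::io::Error) -> Self { SessionError::Io(e.to_string()) }
}

/// Only plain relative components are allowed: no absolute paths, no `..`.
pub fn resolve_session_path(base_dir: &Path, filepath: &str) -> Result<PathBuf, SessionError> {
    let rel = Path::new(filepath);
    if rel.is_absolute() || rel.components().any(|c| !matches!(c, Component::Normal(_))) {
        return Err(SessionError::PathOutsideBaseDir);
    }
    Ok(base_dir.join(rel))
}

/// Write the session JSON owner-readable only; returns the final mode bits.
pub fn save_session(base_dir: &Path, filepath: &str, json: &str) -> Result<u32, SessionError> {
    let path = resolve_session_path(base_dir, filepath)?;
    let mut file = OpenOptions::new()
        .write(true).create(true).truncate(true)
        .mode(0o600) // honoured only when the file is newly created
        .open(&path)?;
    // An existing world-readable file keeps its old bits, so enforce them explicitly.
    let mut perms = file.metadata()?.permissions();
    if perms.mode() & 0o777 != 0o600 {
        perms.set_mode(0o600);
        file.set_permissions(perms)?;
    }
    file.write_all(json.as_bytes())?;
    Ok(file.metadata()?.permissions().mode() & 0o777)
}
```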
Automated finding by repo-monitor