Security Vulnerability Report
Severity: High
Type: Insecure Data Storage
OWASP Category: A02:2021 – Cryptographic Failures
Description
While the code attempts to set restrictive permissions (0o600) when saving OAuth tokens, this approach has platform-dependent issues. The mode option is ignored entirely on Windows, leaving tokens world-readable.
Affected Files
src/services/x-auth.ts (Line 203)
Vulnerable Code
import { writeFileSync } from 'fs';

private saveTokens(tokens: XTokens): void {
  // ... code ...
  // `mode` is honoured only where POSIX permission bits exist; Windows ignores it
  writeFileSync(this.tokensPath, JSON.stringify(store, null, 2), { mode: 0o600 });
}
Platform Issues
- Windows: The mode option is completely ignored, leaving tokens world-readable
- Timing window: If the file is created first and its permissions are set in a separate step, there is a race between file creation and permission setting
- Symbolic links: Permissions could be bypassed via symlink attacks, since a link planted at the token path redirects the write to the link's target
Attack Scenario (Windows)
REM Attacker on same Windows system
type %USERPROFILE%\.shippost-tokens.json
REM Can read tokens directly - permissions not enforced
Impact
- Exposure of OAuth access tokens and refresh tokens
- Account takeover (attacker can post as the user)
- Credentials leakage on Windows systems
Recommended Fix
Use platform-aware secure file handling:
import { writeFileSync, chmodSync, lstatSync } from 'fs';
import { platform } from 'os';

private saveTokens(tokens: XTokens): void {
  const tokenPath = this.tokensPath;
  // `store` is the serialisable record built from `tokens` earlier in this method
  // (elided here, as in the vulnerable snippet above)
  // Refuse to write through a symlink: lstat reports the link itself, not its target
  try {
    if (lstatSync(tokenPath).isSymbolicLink()) {
      throw new Error('Token file is a symlink - potential security issue');
    }
  } catch (err) {
    // File doesn't exist yet, which is fine
    if ((err as NodeJS.ErrnoException).code !== 'ENOENT') {
      throw err;
    }
  }
  // Pass the mode at creation time so a new file never exists with wider permissions
  // (writeFileSync applies `mode` only when it creates the file)
  writeFileSync(tokenPath, JSON.stringify(store, null, 2), { encoding: 'utf-8', mode: 0o600 });
  if (platform() !== 'win32') {
    // Tighten a pre-existing file whose mode was already too wide
    chmodSync(tokenPath, 0o600);
  } else {
    // On Windows, consider using native encryption
    // or keytar for secure credential storage
    console.warn('Warning: Token file permissions cannot be restricted on Windows');
  }
}
For better cross-platform support, consider using keytar or similar for OS-native credential storage.
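The following TypeScript module is an added example, not code from the project or from this report. It shows the three points raised above in working form: the mode is fixed in the open() call so a new file never exists with wider permissions, a pre-existing file with a too-wide mode is tightened through the same descriptor, a symlink planted at the token path is refused, and a small audit function reports what a reviewer would check afterwards. TokenRecord stands in for the project's XTokens, and the function names, paths and token values are assumptions; the mode checks reflect POSIX semantics, and on Windows the audit reports that mode bits are not enforced there.

```typescript
// Added example, not the project's code: token-file writer and post-write audit.
// TokenRecord approximates the report's XTokens; paths and names are assumptions.
import {
  openSync, writeSync, closeSync, fchmodSync, chmodSync, lstatSync,
  readFileSync, mkdtempSync, symlinkSync, rmSync,
} from 'fs';
import { platform, tmpdir } from 'os';
import { join } from 'path';

interface TokenRecord { accessToken: string; refreshToken: string; }
export interface Finding { severity: 'info' | 'high'; message: string; }

// lstat reports the link itself, so a symlink planted at the token path is
// detected rather than followed. ENOENT is the normal first-run case.
function refuseSymlink(tokenPath: string): void {
  try {
    if (lstatSync(tokenPath).isSymbolicLink()) {
      throw new Error(`refusing to write through symlink: ${tokenPath}`);
    }
  } catch (err) {
    // A missing file is fine; anything else (including the symlink error) propagates
    if ((err as NodeJS.ErrnoException).code !== 'ENOENT') throw err;
  }
}

export function saveTokensSecurely(tokenPath: string, tokens: TokenRecord): void {
  refuseSymlink(tokenPath);
  // The mode is part of the open() call, so a newly created file never exists
  // with wider permissions. open() does not change the mode of an existing file,
  // so fchmod on the same descriptor repairs one that was already too wide.
  const fd = openSync(tokenPath, 'w', 0o600);
  try {
    if (platform() !== 'win32') fchmodSync(fd, 0o600);
    writeSync(fd, JSON.stringify(tokens, null, 2));
  } finally {
    closeSync(fd);
  }
}

// Post-write audit: is the path a symlink, and do group/other mode bits grant access?
export function auditTokenFile(tokenPath: string): Finding[] {
  const findings: Finding[] = [];
  const st = lstatSync(tokenPath);
  if (st.isSymbolicLink()) {
    findings.push({ severity: 'high', message: 'token path is a symbolic link' });
    return findings;
  }
  if (platform() === 'win32') {
    findings.push({ severity: 'high',
      message: 'POSIX mode bits are not enforced on Windows; restrict access with an ACL or OS-native credential storage' });
    return findings;
  }
  const mode = st.mode & 0o777;
  if ((mode & 0o077) !== 0) {
    findings.push({ severity: 'high', message: `mode ${mode.toString(8)} grants group/other access` });
  } else {
    findings.push({ severity: 'info', message: `mode ${mode.toString(8)} is owner-only` });
  }
  return findings;
}

// Exercise the three cases from the report in a temporary directory with constructed token values.
export function runDemo(): { roundTrip: boolean; wideModeRepaired: boolean; symlinkRefused: boolean | null } {
  const dir = mkdtempSync(join(tmpdir(), 'token-audit-'));
  const tokenPath = join(dir, 'tokens.json');
  const tokens: TokenRecord = { accessToken: 'constructed-access', refreshToken: 'constructed-refresh' };
  try {
    // 1. fresh write: contents round-trip and the audit reports no high finding
    saveTokensSecurely(tokenPath, tokens);
    const roundTrip =
      JSON.stringify(JSON.parse(readFileSync(tokenPath, 'utf-8'))) === JSON.stringify(tokens) &&
      !auditTokenFile(tokenPath).some((f) => f.severity === 'high');
    // 2. pre-existing world-readable file: the rewrite must tighten it
    chmodSync(tokenPath, 0o644);
    const wideBefore = auditTokenFile(tokenPath).some((f) => f.severity === 'high');
    saveTokensSecurely(tokenPath, tokens);
    const wideModeRepaired = wideBefore && !auditTokenFile(tokenPath).some((f) => f.severity === 'high');
    // 3. symlink planted at the token path: the write must be refused (POSIX only)
    let symlinkRefused: boolean | null = null;
    if (platform() !== 'win32') {
      const linkPath = join(dir, 'link.json');
      symlinkSync(join(dir, 'elsewhere.json'), linkPath);
      symlinkRefused = false;
      try { saveTokensSecurely(linkPath, tokens); } catch { symlinkRefused = true; }
    }
    return { roundTrip, wideModeRepaired, symlinkRefused };
  } finally {
    rmSync(dir, { recursive: true, force: true });
  }
}
```

The audit is the part worth keeping around in CI: a check that the token file is a regular file with owner-only mode catches both a regression that drops the mode argument and a deployment where the file was left behind by an older version with a wider mode.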