Missing .gitignore entries for OAuth tokens and cache files #55

@tembo

Security Vulnerability Report

Severity: High

Vulnerability Type: Sensitive Data Exposure

Affected Files and Lines

  • .gitignore - Missing entries
  • src/services/x-auth.ts - Line 34, 189-203

Code Snippet

// src/services/x-auth.ts:189-203
// Uses the synchronous fs API imported at the top of the file:
//   import { existsSync, readFileSync, writeFileSync } from 'fs';
private saveTokens(tokens: XTokens): void {
  let store: XTokensStore = {};
  if (existsSync(this.tokensPath)) {
    try {
      const data = readFileSync(this.tokensPath, 'utf-8');
      store = JSON.parse(data);
    } catch (error) {
      // Ignore parse errors, will overwrite
    }
  }
  store.x = tokens;
  // Write with restrictive permissions (owner read/write only) to protect OAuth tokens
  writeFileSync(this.tokensPath, JSON.stringify(store, null, 2), { mode: 0o600 });
}

Description

The .gitignore file is missing entries for several sensitive files:

  • .shippost-tokens.json (OAuth tokens for X/Twitter API)
  • .shippost-impressions-cache.json (contains cached API data)
  • .shippost-stats-cache.json (contains cached statistics)
  • .shippost-skipped-tweets.json (contains tweet IDs and timestamps)
  • .ship-blog-state.json (contains processed tweet state)

While the code attempts to protect tokens with file permissions (0o600), if a user accidentally runs git add . or has git configuration that commits hidden files, OAuth tokens could be exposed in git history permanently.

Impact

  • OAuth tokens could be exposed in git history
  • Tokens cannot be removed from git history without force-pushing
  • Compromised tokens could allow attackers to post on behalf of users

Recommended Fix

Add the following entries to .gitignore:

# OAuth tokens (sensitive)
.shippost-tokens.json

# API caches (may contain sensitive data)
.shippost-impressions-cache.json
.shippost-stats-cache.json
.shippost-skipped-tweets.json
.ship-blog-state.json

References
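As an added example (not code from the shippost project or from the reporter), the following TypeScript shows one way to enforce the fix programmatically rather than relying on a hand-edited .gitignore: a small gitignore pattern matcher that checks whether each sensitive state file listed above is covered and appends the missing entries, plus a token writer that makes the 0o600 mode hold even when the file already exists. The function names (`patternCovers`, `isIgnored`, `ensureGitignored`, `writeTokensSecurely`, `demo`) are assumptions for illustration, and the token value used in the demo is a constructed placeholder.

```typescript
// Added example, not part of the shippost code base.
import { chmodSync, mkdtempSync, readFileSync, statSync, writeFileSync } from 'fs';
import { join } from 'path';
import { tmpdir } from 'os';

// Filenames taken from the report above: local state that must never be committed.
export const SENSITIVE_FILES = [
  '.shippost-tokens.json',
  '.shippost-impressions-cache.json',
  '.shippost-stats-cache.json',
  '.shippost-skipped-tweets.json',
  '.ship-blog-state.json',
];

// True if one .gitignore pattern covers `file`, a bare filename at the repo root.
// Handles the common forms: exact name, leading '/', and '*' / '?' wildcards.
// Negations ('!'), comments and directory-only patterns ('foo/') never match a file.
export function patternCovers(pattern: string, file: string): boolean {
  let p = pattern.trim();
  if (p === '' || p.startsWith('#') || p.startsWith('!')) return false;
  if (p.startsWith('/')) p = p.slice(1);
  if (p.endsWith('/')) return false;
  // Translate the glob to a regex: '*' matches any run of non-'/' chars, '?' one char.
  const body = p
    .split('*')
    .map(s => s.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\?/g, '[^/]'))
    .join('[^/]*');
  return new RegExp('^' + body + '$').test(file);
}

export function isIgnored(gitignoreContent: string, file: string): boolean {
  return gitignoreContent.split(/\r?\n/).some(line => patternCovers(line, file));
}

// Returns the .gitignore text with every uncovered sensitive file appended,
// together with the list of entries that had to be added.
export function ensureGitignored(
  gitignoreContent: string,
  files: string[] = SENSITIVE_FILES,
): { content: string; added: string[] } {
  const added = files.filter(f => !isIgnored(gitignoreContent, f));
  if (added.length === 0) return { content: gitignoreContent, added };
  const sep = gitignoreContent === '' || gitignoreContent.endsWith('\n') ? '' : '\n';
  const block =
    '\n# shippost local state (OAuth tokens and caches, never commit)\n' + added.join('\n') + '\n';
  return { content: gitignoreContent + sep + block, added };
}

// writeFileSync's `mode` is only applied when the file is created; an existing
// file written earlier as 0o644 keeps 0o644. chmod afterwards closes that gap.
// Returns the resulting permission bits so the caller can verify them.
export function writeTokensSecurely(path: string, store: unknown): number {
  writeFileSync(path, JSON.stringify(store, null, 2), { mode: 0o600 });
  chmodSync(path, 0o600);
  return statSync(path).mode & 0o777;
}

// Self-contained demo in a temp directory: constructed input, no real tokens.
export function demo(): { added: string[]; mode: number } {
  const dir = mkdtempSync(join(tmpdir(), 'shippost-demo-'));
  const gitignorePath = join(dir, '.gitignore');
  writeFileSync(gitignorePath, 'node_modules/\n.shippost-tokens.json\n');

  const { content, added } = ensureGitignored(readFileSync(gitignorePath, 'utf-8'));
  writeFileSync(gitignorePath, content);

  const tokensPath = join(dir, '.shippost-tokens.json');
  // Simulate a token file created by an older version with loose permissions.
  writeFileSync(tokensPath, '{}', { mode: 0o644 });
  const mode = writeTokensSecurely(tokensPath, { x: { accessToken: 'constructed-placeholder' } });
  return { added, mode };
}
```

Running `demo()` reports four added entries (only `.shippost-tokens.json` was already ignored) and a final mode of 0o600 despite the file having been created as 0o644. The matcher is deliberately limited to root-level filenames, which is all this issue needs; for arbitrary paths, shelling out to `git check-ignore` is the authoritative check.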
