Merge pull request #818 from pjbgf/fs-perms

Paulo Gomes · web-flow · commit 22c9e2e85f6e · 2022-07-07T10:42:20.000+01:00
Decrease fs perms to 0o700
diff --git a/controllers/storage.go b/controllers/storage.go
@@ -112,7 +112,7 @@ func (s Storage) SetHostname(URL string) string {
 // MkdirAll calls os.MkdirAll for the given v1beta1.Artifact base dir.
 func (s *Storage) MkdirAll(artifact sourcev1.Artifact) error {
 	dir := filepath.Dir(s.LocalPath(artifact))
-	return os.MkdirAll(dir, 0o770)
+	return os.MkdirAll(dir, 0o700)
 }
 
 // RemoveAll calls os.RemoveAll for the given v1beta1.Artifact base dir.
@@ -432,7 +432,7 @@ func (s *Storage) Archive(artifact *sourcev1.Artifact, dir string, filter Archiv
 		return err
 	}
 
-	if err := os.Chmod(tmpName, 0o640); err != nil {
+	if err := os.Chmod(tmpName, 0o600); err != nil {
 		return err
 	}
 
diff --git a/main.go b/main.go
@@ -342,7 +342,7 @@ func mustInitStorage(path string, storageAdvAddr string, artifactRetentionTTL ti
 	if path == "" {
 		p, _ := os.Getwd()
 		path = filepath.Join(p, "bin")
-		os.MkdirAll(path, 0o770)
+		os.MkdirAll(path, 0o700)
 	}
 
 	storage, err := controllers.NewStorage(path, storageAdvAddr, artifactRetentionTTL, artifactRetentionRecords)
diff --git a/tests/fuzz/gitrepository_fuzzer.go b/tests/fuzz/gitrepository_fuzzer.go
@@ -120,7 +120,7 @@ func ensureDependencies() error {
 	// Output all embedded testdata files
 	embedDirs := []string{"testdata/crd", "testdata/certs"}
 	for _, dir := range embedDirs {
-		err := os.MkdirAll(dir, 0o750)
+		err := os.MkdirAll(dir, 0o700)
 		if err != nil {
 			return fmt.Errorf("mkdir %s: %v", dir, err)
 		}
@@ -139,7 +139,7 @@ func ensureDependencies() error {
 				return fmt.Errorf("reading embedded file %s: %v", fileName, err)
 			}
 
-			os.WriteFile(fileName, data, 0o640)
+			os.WriteFile(fileName, data, 0o600)
 			if err != nil {
 				return fmt.Errorf("writing %s: %v", fileName, err)
 			}
@@ -494,7 +494,7 @@ func createRandomFiles(f *fuzz.ConsumeFuzzer, fs billy.Filesystem, wt *git.Workt
 			return errors.New("Dir contains '..'")
 		}
 
-		err = fs.MkdirAll(dirPath, 0o770)
+		err = fs.MkdirAll(dirPath, 0o700)
 		if err != nil {
 			return errors.New("Could not create the subDir")
 		}

Original file line number	Diff line number	Diff line change
`@@ -112,7 +112,7 @@ func (s Storage) SetHostname(URL string) string {`
`112`	`112`	`// MkdirAll calls os.MkdirAll for the given v1beta1.Artifact base dir.`
`113`	`113`	`func (s *Storage) MkdirAll(artifact sourcev1.Artifact) error {`
`114`	`114`	`dir := filepath.Dir(s.LocalPath(artifact))`
`115`		`- return os.MkdirAll(dir, 0o770)`
	`115`	`+ return os.MkdirAll(dir, 0o700)`
`116`	`116`	`}`
`117`	`117`
`118`	`118`	`// RemoveAll calls os.RemoveAll for the given v1beta1.Artifact base dir.`
`@@ -432,7 +432,7 @@ func (s Storage) Archive(artifact sourcev1.Artifact, dir string, filter Archiv`
`432`	`432`	`return err`
`433`	`433`	`}`
`434`	`434`
`435`		`- if err := os.Chmod(tmpName, 0o640); err != nil {`
	`435`	`+ if err := os.Chmod(tmpName, 0o600); err != nil {`
`436`	`436`	`return err`
`437`	`437`	`}`
`438`	`438`
Original file line number	Diff line number	Diff line change
`@@ -342,7 +342,7 @@ func mustInitStorage(path string, storageAdvAddr string, artifactRetentionTTL ti`
`342`	`342`	`if path == "" {`
`343`	`343`	`p, _ := os.Getwd()`
`344`	`344`	`path = filepath.Join(p, "bin")`
`345`		`- os.MkdirAll(path, 0o770)`
	`345`	`+ os.MkdirAll(path, 0o700)`
`346`	`346`	`}`
`347`	`347`
`348`	`348`	`storage, err := controllers.NewStorage(path, storageAdvAddr, artifactRetentionTTL, artifactRetentionRecords)`
Original file line number	Diff line number	Diff line change
`@@ -120,7 +120,7 @@ func ensureDependencies() error {`
`120`	`120`	`// Output all embedded testdata files`
`121`	`121`	`embedDirs := []string{"testdata/crd", "testdata/certs"}`
`122`	`122`	`for _, dir := range embedDirs {`
`123`		`- err := os.MkdirAll(dir, 0o750)`
	`123`	`+ err := os.MkdirAll(dir, 0o700)`
`124`	`124`	`if err != nil {`
`125`	`125`	`return fmt.Errorf("mkdir %s: %v", dir, err)`
`126`	`126`	`}`
`@@ -139,7 +139,7 @@ func ensureDependencies() error {`
`139`	`139`	`return fmt.Errorf("reading embedded file %s: %v", fileName, err)`
`140`	`140`	`}`
`141`	`141`
`142`		`- os.WriteFile(fileName, data, 0o640)`
	`142`	`+ os.WriteFile(fileName, data, 0o600)`
`143`	`143`	`if err != nil {`
`144`	`144`	`return fmt.Errorf("writing %s: %v", fileName, err)`
`145`	`145`	`}`
`@@ -494,7 +494,7 @@ func createRandomFiles(f fuzz.ConsumeFuzzer, fs billy.Filesystem, wt git.Workt`
`494`	`494`	`return errors.New("Dir contains '..'")`
`495`	`495`	`}`
`496`	`496`
`497`		`- err = fs.MkdirAll(dirPath, 0o770)`
	`497`	`+ err = fs.MkdirAll(dirPath, 0o700)`
`498`	`498`	`if err != nil {`
`499`	`499`	`return errors.New("Could not create the subDir")`
`500`	`500`	`}`