security: enforce 0o600 permissions on WhatsApp credential files (#10529)

Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: 4f10b7dc63 Co-authored-by: abdelsfane <32418586+abdelsfane@users.noreply.github.com> Co-authored-by: steipete <58493+steipete@users.noreply.github.com> Reviewed-by: @steipete
2026-05-08 00:31:24 +00:00 · 2026-02-13 08:02:15 -07:00
parent 945d302956
commit c60780ba20
3 changed files with 16 additions and 0 deletions
--- a/src/web/auth-store.ts
+++ b/src/web/auth-store.ts
@@ -68,6 +68,11 @@ export function maybeRestoreCredsFromBackup(authDir: string): void {
    // Ensure backup is parseable before restoring.
    JSON.parse(backupRaw);
    fsSync.copyFileSync(backupPath, credsPath);
+    try {
+      fsSync.chmodSync(credsPath, 0o600);
+    } catch {
+      // best-effort on platforms that support it
+    }
    logger.warn({ credsPath }, "restored corrupted WhatsApp creds.json from backup");
  } catch {
    // ignore
--- a/src/web/session.ts
+++ b/src/web/session.ts
@@ -73,6 +73,11 @@ async function safeSaveCreds(
      try {
        JSON.parse(raw);
        fsSync.copyFileSync(credsPath, backupPath);
+        try {
+          fsSync.chmodSync(backupPath, 0o600);
+        } catch {
+          // best-effort on platforms that support it
+        }
      } catch {
        // keep existing backup
      }
@@ -82,6 +87,11 @@ async function safeSaveCreds(
  }
  try {
    await Promise.resolve(saveCreds());
+    try {
+      fsSync.chmodSync(resolveWebCredsPath(authDir), 0o600);
+    } catch {
+      // best-effort on platforms that support it
+    }
  } catch (err) {
    logger.warn({ error: String(err) }, "failed saving WhatsApp creds");
  }