security: enforce 0o600 permissions on WhatsApp credential files (#10529)

Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: 4f10b7dc63 Co-authored-by: abdelsfane <32418586+abdelsfane@users.noreply.github.com> Co-authored-by: steipete <58493+steipete@users.noreply.github.com> Reviewed-by: @steipete
2026-05-08 05:31:23 +00:00 · 2026-02-13 08:02:15 -07:00
parent 945d302956
commit c60780ba20
3 changed files with 16 additions and 0 deletions
--- a/src/web/auth-store.ts
+++ b/src/web/auth-store.ts
@@ -68,6 +68,11 @@ export function maybeRestoreCredsFromBackup(authDir: string): void {
    // Ensure backup is parseable before restoring.
    JSON.parse(backupRaw);
    fsSync.copyFileSync(backupPath, credsPath);
+    try {
+      fsSync.chmodSync(credsPath, 0o600);
+    } catch {
+      // best-effort on platforms that support it
+    }
    logger.warn({ credsPath }, "restored corrupted WhatsApp creds.json from backup");
  } catch {
    // ignore