[security-fix] Fix incorrect file permissions for MCP gateway config containing API keys #8024

Merged: pelikhan merged 1 commit into main from main-9c0e4ce3ff9ddf96 on Dec 29, 2025

@github-actions (Contributor)

Security Fix: Incorrect File Permissions for MCP Gateway Config

Alert Number: #391
Severity: Medium
Rule: G306 - Expect WriteFile permissions to be 0600 or less

Vulnerability Description

The MCP gateway config file was being written with permissions 0644 (readable by all users), despite containing sensitive API keys in the Authorization headers. This could allow unauthorized users on the same system to read API keys from the config file.

Location: pkg/awmg/gateway.go:444

Fix Applied

Changed file permissions from 0644 to 0600 when writing the MCP gateway config file. This restricts access to the file owner only, preventing unauthorized access to sensitive API keys.

Changes:

  • Modified os.WriteFile(configPath, data, 0644) to os.WriteFile(configPath, data, 0600)
  • Added explanatory comment about why restricted permissions are needed

Security Best Practices

  • Principle of Least Privilege: Config files containing sensitive credentials should have minimal permissions (0600 = owner read/write only)
  • Defense in Depth: Even if the file is in a protected directory, restricting file permissions provides an additional security layer
  • Compliance: Many security frameworks (PCI-DSS, HIPAA) require restricted permissions on files containing sensitive data

Testing Considerations

  • Verify that the gateway can still read and write its config file with 0600 permissions
  • Test that the config rewrite functionality works correctly after this change
  • Confirm that non-owner users cannot read the config file

Impact

This is a minimal, surgical change that only affects the file permissions when writing the MCP gateway config. No functional changes to the code logic.

AI generated by Security Fix PR

Fix for security alert #391 (gosec G306)

Changed file permissions from 0644 to 0600 when writing MCP gateway
config file containing sensitive API keys. This prevents unauthorized
users from reading the config file.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@pelikhan pelikhan marked this pull request as ready for review December 29, 2025 04:31
@pelikhan pelikhan merged commit a9539ad into main Dec 29, 2025
4 checks passed
@pelikhan pelikhan deleted the main-9c0e4ce3ff9ddf96 branch December 29, 2025 05:40
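
The testing considerations in the PR description mention the config rewrite path. In Go, `os.WriteFile` applies its permission argument only when it creates the file, so a config already on disk as 0644 keeps that mode after a rewrite with 0600. The following is an added example, not code from this PR or the project; `writeSecretFile`, `plainWrite`, `modeAfter` and `must` are hypothetical names, and the JSON payload is a constructed sample.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// writeSecretFile (hypothetical helper) replaces path with a 0600 file even if path already exists with a wider mode.
func writeSecretFile(path string, data []byte) error {
	tmp, err := os.CreateTemp(filepath.Dir(path), ".cfg-*") // created with mode 0600, same directory as path
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // fails harmlessly once the rename has succeeded
	_, err = tmp.Write(data)
	if cerr := tmp.Close(); err == nil {
		err = cerr
	}
	if err != nil {
		return err
	}
	return os.Rename(tmp.Name(), path)
}

// plainWrite uses the call shape from the PR: the mode applies only if the file is created.
func plainWrite(path string, data []byte) error { return os.WriteFile(path, data, 0600) }

// modeAfter seeds path as a 0644 file (as an older build left it), rewrites it, returns the mode.
func modeAfter(path string, write func(string, []byte) error) os.FileMode {
	must(os.WriteFile(path, []byte("old"), 0644))
	must(os.Chmod(path, 0644)) // pin the mode regardless of umask
	must(write(path, []byte(`{"note":"constructed sample, no real key"}`)))
	info, err := os.Stat(path)
	must(err)
	return info.Mode().Perm()
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	dir, err := os.MkdirTemp("", "perm-demo")
	must(err)
	defer os.RemoveAll(dir)
	fmt.Printf("os.WriteFile: %o, temp+rename: %o\n", modeAfter(filepath.Join(dir, "a.json"), plainWrite), modeAfter(filepath.Join(dir, "b.json"), writeSecretFile))
}
```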