Skip to content

[security-fix] Fix incorrect file permissions in compile_orchestrator.go (Alert #384)#8562

Merged
pelikhan merged 1 commit intomainfrom
main-9071ab61423a7931
Jan 2, 2026
Merged

[security-fix] Fix incorrect file permissions in compile_orchestrator.go (Alert #384)#8562
pelikhan merged 1 commit intomainfrom
main-9071ab61423a7931

Conversation

@github-actions
Copy link
Contributor

@github-actions github-actions bot commented Jan 2, 2026

Security Fix: Incorrect File Permissions in Campaign Orchestrator

Alert Number: #384
Severity: Medium
Rule: G306 - Expect WriteFile permissions to be 0600 or less
Tool: gosec (Golang security checks)
Location: pkg/cli/compile_orchestrator.go:176

Vulnerability Description

The buildCampaignOrchestrator function in pkg/cli/compile_orchestrator.go was writing the generated campaign orchestrator markdown file with 0644 permissions (world-readable). Security best practice recommends using 0600 (owner-only) permissions or less for all file writes to follow the principle of least privilege.

Fix Applied

Changed os.WriteFile permissions from 0644 to 0600 at line 176. This restricts file access to the owner only, preventing unauthorized users from reading the generated campaign orchestrator file.

Before:

if err := os.WriteFile(orchestratorPath, []byte(content), 0644); err != nil {

After:

// Write with restrictive permissions (0600) to follow security best practices
if err := os.WriteFile(orchestratorPath, []byte(content), 0600); err != nil {

Security Best Practices

Principle of Least Privilege: Files should have the minimum permissions necessary
Default Restrictive Permissions: Start with restrictive permissions (0600) and only relax if needed
Consistent Security Posture: Apply secure defaults across all file operations

Testing Considerations

Build succeeded: go build ./pkg/cli/... passes without errors
No breaking changes: The change only affects file permissions, not functionality
Minimal change: Only updated file permission parameter and added explanatory comment

Impact Assessment

Risk: Minimal
Breaking Changes: None
Backwards Compatibility: Full
Performance: No impact

The fix only affects file permissions when generating campaign orchestrator files. Existing files are unaffected. The restrictive permissions are appropriate for generated workflow files.

Files Modified

  • pkg/cli/compile_orchestrator.go: Changed file permissions from 0644 to 0600 at line 176

References

🤖 Generated by Security Fix Agent in workflow run 20650783794

AI generated by Security Fix PR

AI generated by Security Fix PR

@github-actions @claude
security: fix incorrect file permissions in compile_orchestrator.go (…
32980e6 
…Alert #384)

Changed os.WriteFile permissions from 0644 to 0600 for campaign orchestrator
file generation to follow security best practices and principle of least privilege.

🤖 Generated with Claude Code(https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@pelikhan pelikhan marked this pull request as ready for review January 2, 2026 04:29
@pelikhan pelikhan merged commit 535d06c into main Jan 2, 2026
4 checks passed
@pelikhan pelikhan deleted the main-9071ab61423a7931 branch January 2, 2026 04:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@pelikhan