Description
API keys for Groq and Google Gemini are stored in a plaintext JSON file at ~/.repo2readme_env.json with default system umask permissions. Any process or user on the same machine can read this file and steal both API credentials.
File
repo2readme/config.py (line 15-17)
Current Behavior
def save_env(data):
with open(ENV_PATH, "w") as f:
json.dump(data, f, indent=4)
# No permission restriction - file is created with default umask
Expected Behavior
The config file should be readable only by the owner.
Proposed Fix
Add os.chmod(ENV_PATH, 0o600) after writing the file:
def save_env(data):
with open(ENV_PATH, "w") as f:
json.dump(data, f, indent=4)
os.chmod(ENV_PATH, 0o600) # Owner read/write only
Impact
Prevents credential leakage to other users/processes on multi-user systems or compromised containers.
Additional Context
Import os is already imported in config.py. This is a 2-line fix with no side effects.
Description
API keys for Groq and Google Gemini are stored in a plaintext JSON file at
~/.repo2readme_env.jsonwith default system umask permissions. Any process or user on the same machine can read this file and steal both API credentials.File
repo2readme/config.py(line 15-17)Current Behavior
Expected Behavior
The config file should be readable only by the owner.
Proposed Fix
Add
os.chmod(ENV_PATH, 0o600)after writing the file:Impact
Prevents credential leakage to other users/processes on multi-user systems or compromised containers.
Additional Context
Import
osis already imported inconfig.py. This is a 2-line fix with no side effects.