oesmith / ralio

A usable command-line client for Rally
https://github.com/oesmith/ralio

Secure .raliorc #44

Open thinkerbot opened 9 years ago

thinkerbot commented 9 years ago

The .raliorc file stores passwords in plaintext but is left open for anyone to read. It probably should be made 0600 so only the user can read the file. I'm pretty sure this is the change that needs to be made (I've never worked with node and so I'm just opening this issue instead of making a proper PR).

diff --git a/bin/ralio b/bin/ralio
index 539b83f..383a553 100755
--- a/bin/ralio
+++ b/bin/ralio
@@ -124,7 +124,7 @@ program
             var fs = require('fs'),
                 path = require('path');

-            fs.writeFile(path.join(process.env.HOME, '.raliorc'), JSON.stringify(ralio_configuration), function(err) {
+            fs.writeFile(path.join(process.env.HOME, '.raliorc'), JSON.stringify(ralio_configuration), {"mode": 0600}, function(err) {
               err ? console.log(err) : console.log("All set! :)".green);
             });

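Review bot: the `0600` in the new `fs.writeFile` options is a legacy octal literal, which is a SyntaxError under `'use strict'` and in ES modules; write it as `0o600` (or `parseInt('600', 8)` on Node versions without `0o` literals). Separately, the `mode` option only applies when `fs.writeFile` creates the file, so a `.raliorc` that already exists with looser permissions keeps them when the setup command is re-run; add an `fs.chmod(path, 0o600, ...)` before the write or in the callback so existing files are tightened as well.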
It might also be nice to print a warning to stderr if ralio reads .raliorc and determines it is not secured.