Skip to content

Security: harden credentials (drop --password, 0700 dirs, atomic 0600 writes, redact bodies, bump cryptography)#3

Merged
cdamken merged 1 commit into
mainfrom
security/harden-credentials
Jul 8, 2026
Merged

Security: harden credentials (drop --password, 0700 dirs, atomic 0600 writes, redact bodies, bump cryptography)#3
cdamken merged 1 commit into
mainfrom
security/harden-credentials

Conversation

@cdamken

@cdamken cdamken commented Jul 7, 2026

Copy link
Copy Markdown
Owner

Closes #2

Read-only security review fixes (local-file / CLI hardening; no remote exploit path).

Changes

  • M8 — drop --password CLI arg (cli.py): removed the flag (leaked via ps aux//proc/shell history). Password now sourced from the SC_PASSWORD env var or interactive getpass only.
  • M9 — failed-login HTML dump (auth.py::_dump_failed_extraction): no more guessable /tmp fallback — writes to the repo discovery/ dir (dev), else ~/.sc-api/discovery/, else tempfile.mkdtemp(). Dir created mode 0700 (chmod-enforced against umask); state/token/code/nonce params scrubbed from saved HTML.
  • L5/L6 — atomic 0600 writes + 0700 dirs (profiles.py, cookies.py): credentials, cookies, and meta now written via tmp → chmod 0600 → os.replace (no umask race, no partial file); profile/base dirs created 0700.
  • L7 — redact response bodies (auth.py): raw bodies routed through _redact_body/_scrub_sensitive before landing in exception messages.
  • M10 — cryptography bump (pyproject.toml): pinned cryptography>=44.0.1 (CVE-2024-12797).

Verification

  • python3 -m py_compile passes on all 4 edited modules.
  • Smoke tests pass: --password now rejected; dump dir is 0700 and HTML scrubbed; credentials/meta 0600, cookies 0600, profile dir 0700; cookie save→load roundtrip intact.

🤖 Generated with Claude Code

…redact bodies, bump cryptography

Security hardening from the read-only credential/CLI review:

- M8: remove `--password` CLI flag (leaked via ps/proc/shell history);
  password now comes from SC_PASSWORD env var or interactive getpass only.
- M9: failed-login HTML dump now uses ~/.sc-api/discovery (or mkdtemp),
  never a guessable /tmp path; dir created mode 0700; state/token params
  scrubbed from saved HTML.
- L5/L6: profiles.py + cookies.py now write credentials/cookies/meta via
  atomic tmp->chmod 0600->rename (no umask race); profile/base dirs 0700.
- L7: raw response bodies routed through _redact_body/_scrub_sensitive
  before landing in exception messages.
- M10: pin cryptography>=44.0.1 (CVE-2024-12797).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@cdamken cdamken merged commit 31ba664 into main Jul 8, 2026
1 check failed
@cdamken cdamken deleted the security/harden-credentials branch July 8, 2026 09:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Security: harden credentials (drop --password CLI, 0700 dump/profile dirs, atomic 0600 writes) + bump cryptography

1 participant