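--- a/.jules/sentinel.md
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2025-05-15 - Tighten permissions on downloaded binaries
+**Vulnerability:** Downloaded extension and Copilot binaries/directories were created with world-readable permissions (0755/0644).
+**Learning:** Default permissions in Go's `osb package often result in world-readable files, which can be a security risk for binaries and configuration data in user directories.
+**Prevention:** Explicitly use owner-only permissions (0700 for directories/executables, 0600 for data files) when handling sensitive artifacts in the user's home or data directory.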
66 changes: 0 additions & 66 deletions go.mod
Expand Up @@ -50,41 +50,12 @@ require (
github.com/vmihailenco/msgpack/v5 v5.4.1
github.com/yuin/goldmark v1.7.16
github.com/zalando/go-keyring v0.2.6
<<<<<<< HEAD
golang.org/x/crypto v0.45.0
golang.org/x/sync v0.18.0
golang.org/x/term v0.37.0
golang.org/x/text v0.31.0
=======
<<<<<<< HEAD
golang.org/x/crypto v0.43.0
golang.org/x/sync v0.17.0
<<<<<<< HEAD
golang.org/x/term v0.35.0
golang.org/x/text v0.29.0
google.golang.org/grpc v1.76.0
=======
golang.org/x/term v0.36.0
golang.org/x/text v0.30.0
>>>>>>> main
google.golang.org/grpc v1.75.0
<<<<<<< HEAD
<<<<<<< HEAD
google.golang.org/protobuf v1.36.10
=======
=======
>>>>>>> main
>>>>>>> 129f8b6e3123e3a8e5263cf7ccf067a6dbb2e4a9
google.golang.org/protobuf v1.36.9
=======
golang.org/x/crypto v0.46.0
golang.org/x/sync v0.19.0
golang.org/x/term v0.39.0
golang.org/x/text v0.32.0
google.golang.org/grpc v1.78.0
google.golang.org/protobuf v1.36.11
>>>>>>> main
>>>>>>> main
gopkg.in/h2non/gock.v1 v1.1.2
gopkg.in/yaml.v3 v3.0.1
)
Expand All @@ -101,14 +72,8 @@ require (
github.com/aymerick/douceur v0.2.0 // indirect
github.com/blang/semver v3.5.1+incompatible // indirect
github.com/catppuccin/go v0.3.0 // indirect
<<<<<<< HEAD
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/charmbracelet/bubbles v0.21.1-0.20250623103423-23b8fd6302d7 // indirect
github.com/charmbracelet/bubbletea v1.3.6 // indirect
=======
github.com/charmbracelet/bubbles v0.21.1-0.20250623103423-23b8fd6302d7 // indirect
github.com/charmbracelet/bubbletea v1.3.10 // indirect
>>>>>>> main
github.com/charmbracelet/colorprofile v0.3.1 // indirect
github.com/charmbracelet/x/ansi v0.10.2 // indirect
github.com/charmbracelet/x/cellbuf v0.0.13 // indirect
Expand All @@ -130,11 +95,6 @@ require (
github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
github.com/fatih/color v1.18.0 // indirect
github.com/gdamore/encoding v1.0.1 // indirect
<<<<<<< HEAD
github.com/go-chi/chi/v5 v5.2.3 // indirect
github.com/go-jose/go-jose/v4 v4.1.2 // indirect
=======
>>>>>>> main
github.com/go-logr/logr v1.4.3 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-openapi/analysis v0.24.1 // indirect
Expand Down Expand Up @@ -216,37 +176,11 @@ require (
go.opentelemetry.io/otel v1.38.0 // indirect
go.opentelemetry.io/otel/metric v1.38.0 // indirect
go.opentelemetry.io/otel/trace v1.38.0 // indirect
<<<<<<< HEAD
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.27.0 // indirect
golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect
<<<<<<< HEAD
golang.org/x/mod v0.29.0 // indirect
golang.org/x/net v0.47.0 // indirect
golang.org/x/oauth2 v0.30.0 // indirect
golang.org/x/sys v0.38.0 // indirect
golang.org/x/time v0.12.0 // indirect
golang.org/x/tools v0.38.0 // indirect
=======
golang.org/x/mod v0.28.0 // indirect
golang.org/x/net v0.45.0 // indirect
golang.org/x/oauth2 v0.30.0 // indirect
golang.org/x/sys v0.37.0 // indirect
golang.org/x/time v0.12.0 // indirect
golang.org/x/tools v0.37.0 // indirect
>>>>>>> main
google.golang.org/api v0.248.0 // indirect
google.golang.org/genproto v0.0.0-20250603155806-513f23925822 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20250818200422-3122310a409c // indirect
k8s.io/klog/v2 v2.130.1 // indirect
=======
go.yaml.in/yaml/v3 v3.0.4 // indirect
golang.org/x/mod v0.30.0 // indirect
golang.org/x/net v0.48.0 // indirect
golang.org/x/sys v0.40.0 // indirect
golang.org/x/tools v0.39.0 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20251222181119-0a764e51fe1b // indirect
>>>>>>> main
)
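Review bot: In the first hunk (`@@ -50,41 +50,12 @@`) only deletions are visible, so which side of the `golang.org/x/crypto`, `x/sync`, `x/term`, `x/text`, `google.golang.org/grpc` and `google.golang.org/protobuf` conflict survived cannot be read off this page, and the HEAD blocks carry lower versions (e.g. `golang.org/x/crypto v0.45.0`, `v0.43.0`) than the `main` block (`v0.46.0`); keeping a lower one would silently roll back dependency updates that may include security fixes. The later hunks appear to keep the `main` side (their new-line counts only fit the `main` blocks, e.g. `golang.org/x/net v0.48.0`, `golang.org/x/sys v0.40.0`), so the first hunk should be checked to match, i.e. end with `golang.org/x/crypto v0.46.0` through `google.golang.org/protobuf v1.36.11` rather than the HEAD versions. Because `go.uber.org/zap`, `golang.org/x/oauth2`, `google.golang.org/api` and `k8s.io/klog/v2` drop out of the indirect block, `go.sum` must be regenerated in the same change or the build will have stale or missing checksums. Please run `go mod tidy`, `go mod verify` and `govulncheck ./...` and confirm `go build ./...` succeeds before merging a hand-edited go.mod.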