Skip to content

Code review: flowstate Token file is written before restrictive permissions are applied #8

Description

@ajbeaver

Generated by Offband issue reporting.

Summary

Code review: flowstate Token file is written before restrictive permissions are applied

Routing

  • Repo: offband/FlowState
  • Repo class: public_tool
  • Rule id: code_review.security_surface
  • Candidate key: code-review:flowstate:write-token
  • Category: code-review
  • Severity: warning
  • Review profile: code_review
  • Review target: flowstate
  • Labels: offband-report, weekly, needs-owner, code-review
  • Source: code_review.bounded_ai

Expected

Product repositories should avoid actionable code risks identified by bounded source review.

Observed

src/flowstate_runtime/auth.py:16: _write_token writes the bearer token to disk with path.write_text(...) and only then calls _make_private(path) to chmod it to 0600.

Why It Matters

On systems with a permissive umask, the token file can be created with broader default permissions before chmod is applied, exposing the runtime bearer token to other local users during creation.

Decision Needed

Create the token file with restrictive permissions at open time, or otherwise ensure permissions are set before token bytes are written.

Policy Source

config/issue-reporting.json: code_review

Evidence

{
  "artifact_path": "<redacted-path>",
  "canonical_topic": "write-token",
  "dedupe_core": "write-token",
  "dedupe_subject": "identifier:write-token",
  "finding": {
    "confidence": "high",
    "finding_class": "security_surface",
    "impact": "On systems with a permissive umask, the token file can be created with broader default permissions before chmod is applied, exposing the runtime bearer token to other local users during creation.",
    "line": 16,
    "owner_decision": "Create the token file with restrictive permissions at open time, or otherwise ensure permissions are set before token bytes are written.",
    "path": "src/flowstate_runtime/auth.py",
    "summary": "`_write_token` writes the bearer token to disk with `path.write_text(...)` and only then calls `_make_private(path)` to chmod it to `0600`.",
    "title": "Token file is written before restrictive permissions are applied"
  },
  "line": 16,
  "path": "src/flowstate_runtime/auth.py",
  "semantic_topic": "write-token"
}

Suggested Resolution

Create the token file with restrictive permissions at open time, or otherwise ensure permissions are set before token bytes are written.

Report

  • Report generated: 2026-07-01T09:46:16Z
  • Candidate key: code-review:flowstate:write-token

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions