[ARCH-327] Address security comments. 2#1760
Conversation
pavel-raykov
had a problem deploying
to
integration
GitHub Actions
Error
pavel-raykov
had a problem deploying
to
integration
GitHub Actions
Error
pavel-raykov
had a problem deploying
to
integration
GitHub Actions
Error
✅ API Diff Results - No breaking changes |
pavel-raykov
temporarily deployed
to
integration
GitHub Actions
Inactive
pavel-raykov
temporarily deployed
to
integration
GitHub Actions
Inactive
pavel-raykov
temporarily deployed
to
integration
GitHub Actions
Inactive
pavel-raykov
temporarily deployed
to
integration
GitHub Actions
Inactive
pavel-raykov
temporarily deployed
to
integration
GitHub Actions
Inactive
pavel-raykov
temporarily deployed
to
integration
GitHub Actions
Inactive
product-security-plaid-production
Bot
requested review from
CL-Andrew and
krehermann
There was a problem hiding this comment.
Pull request overview
This PR addresses security concerns by replacing a third-party atomic file writing library with an internal implementation that provides explicit control over file permissions. The changes remove the dependency on github.com/natefinch/atomic and introduce a custom atomic file writing solution that ensures sensitive keystore files are created with secure permissions (0600).
Key Changes:
- Implemented custom atomic file writing functionality with explicit permission control
- Removed external dependency
github.com/natefinch/atomicfrom the project - Added test coverage for the new atomic file writing implementation
Reviewed changes
Copilot reviewed 5 out of 6 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| keystore/atomicfile/write.go | New atomic file writing implementation with configurable file permissions |
| keystore/atomicfile/write_test.go | Test coverage for the atomic file write functionality |
| keystore/file.go | Updated to use internal atomic file writer with explicit 0600 permissions |
| keystore/go.mod | Removed github.com/natefinch/atomic dependency |
| keystore/internal/raw_test.go | Added test assertion for hexadecimal formatting of raw data |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
pavel-raykov
had a problem deploying
to
integration
GitHub Actions
Error
pavel-raykov
had a problem deploying
to
integration
GitHub Actions
Error
pavel-raykov
had a problem deploying
to
integration
GitHub Actions
Error
pavel-raykov
temporarily deployed
to
integration
GitHub Actions
Inactive
pavel-raykov
temporarily deployed
to
integration
GitHub Actions
Inactive
pavel-raykov
temporarily deployed
to
integration
GitHub Actions
Inactive
| // WriteFile atomically writes the contents of r to the specified filepath with the given mode. | ||
| // This is a copy of https://github.com/natefinch/atomic/blob/master/atomic.go with minor modifications allowing | ||
| // to set mode of the written file. If the file already exists, its mode is preserved. | ||
| func WriteFile(filename string, r io.Reader, mode os.FileMode) (err error) { |
There was a problem hiding this comment.
I noticed there's an options based here as well https://github.com/natefinch/atomic/pull/18/files - seems slightly better and we could just use it directly?
There was a problem hiding this comment.
Yeah if we can, but we shouldn't import a reference that can be deleted.
There was a problem hiding this comment.
yeah sorry I meant just copy paste the solution there, not depend on it
There was a problem hiding this comment.
Unfortunately, we cannot just copy paste solution here - we still need 1. to fix error output/handling (to make the linter happy), 2. use os.Rename instead of cross-platform Replace. Also, it seems that the copy is just https://github.com/sdassow 's PR - why would we trust it to be better than the current implementation?
There was a problem hiding this comment.
I'm not trusting it to be better, I'm saying the options with sane defaults approach implemented there is slightly better. Its a nit though, doesn't matter we can proceed with this
There was a problem hiding this comment.
thanks, I have moved it to internal for now
pavel-raykov
had a problem deploying
to
integration
GitHub Actions
Error
pavel-raykov
had a problem deploying
to
integration
GitHub Actions
Error
pavel-raykov
had a problem deploying
to
integration
GitHub Actions
Error
pavel-raykov
force-pushed
the
address-sec2
branch
from
3e2482c to
ddc5dce
Compare
pavel-raykov
temporarily deployed
to
integration
GitHub Actions
Inactive
pavel-raykov
temporarily deployed
to
integration
GitHub Actions
Inactive
pavel-raykov
temporarily deployed
to
integration
GitHub Actions
Inactive
connorwstein
temporarily deployed
to
integration
GitHub Actions
Inactive
connorwstein
temporarily deployed
to
integration
GitHub Actions
Inactive
connorwstein
temporarily deployed
to
integration
GitHub Actions
Inactive
* Minor. * Minor. * Minor. * Minor. * Minor. * Minor. * Minor. --------- Co-authored-by: Connor Stein <connor.stein2@gmail.com>
No description provided.