fix(security): set 0o600 on remaining session file write paths

Follow-up to #18066 — three session file write sites were missed:

- auto-reply/reply/session.ts: forked session transcript header
- pi-embedded-runner/session-manager-init.ts: session file reset
- gateway/server-methods/sessions.ts: compacted transcript rewrite

All now use mode 0o600 consistent with transcript.ts and chat.ts.
Xinhua Gu
2026-02-16 18:32:34 +01:00
committed by Peter Steinberger
parent d4c057f8c1
commit ae0b110e44
3 changed files with 9 additions and 3 deletions


@@ -43,7 +43,7 @@ export async function prepareSessionManagerForRun(params: {
if (params.hadSessionFile && header && !hasAssistant) {
// Reset file so the first assistant flush includes header+user+assistant in order.
await fs.writeFile(params.sessionFile, "", "utf-8");
await fs.writeFile(params.sessionFile, "", { encoding: "utf-8", mode: 0o600 });
sm.fileEntries = [header];
sm.byId?.clear?.();
sm.labelsById?.clear?.();
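Review bot: The `mode: 0o600` option on the new `fs.writeFile` call only takes effect when the write creates the file, and this branch runs under `params.hadSessionFile`, so presumably the file already exists and keeps whatever permissions it had before the reset. Following the write with `await fs.chmod(params.sessionFile, 0o600);` would tighten session files created before this fix as well. The same caveat applies to the `writeFileSync` calls in `forkSessionFromParent` and in the compacted-transcript rewrite in `sessionsHandlers` whenever the target path can already exist. Whether `archiveFileOnDisk` moves the old file away first, and what mode the `bak` copy ends up with, is not visible here. `prepareSessionManagerForRun` starts and ends outside the hunk.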


@@ -89,7 +89,10 @@ function forkSessionFromParent(params: {
cwd: manager.getCwd(),
parentSession: parentSessionFile,
};
fs.writeFileSync(sessionFile, `${JSON.stringify(header)}\n`, "utf-8");
fs.writeFileSync(sessionFile, `${JSON.stringify(header)}\n`, {
encoding: "utf-8",
mode: 0o600,
});
return { sessionId, sessionFile };
} catch {
return null;


@@ -471,7 +471,10 @@ export const sessionsHandlers: GatewayRequestHandlers = {
const archived = archiveFileOnDisk(filePath, "bak");
const keptLines = lines.slice(-maxLines);
fs.writeFileSync(filePath, `${keptLines.join("\n")}\n`, "utf-8");
fs.writeFileSync(filePath, `${keptLines.join("\n")}\n`, {
encoding: "utf-8",
mode: 0o600,
});
await updateSessionStore(storePath, (store) => {
const entryKey = compactTarget.primaryKey;