Fix validation, file permissions, and temp file handling

ryanfowler · ryanfowler · commit a14a32bb861b · 2026-02-20T18:33:54.000-08:00
- Reject negative timeout values in ParseTimeout
- Fix ParseRedirects error message to say "non-negative"
- Restrict session and update cache directories to 0700
- Restrict update lock file to 0600
- Use os.CreateTemp for atomic metadata writes
diff --git a/internal/config/config.go b/internal/config/config.go
@@ -479,7 +479,7 @@ func (c *Config) ParseQuery(value string) error {
 func (c *Config) ParseRedirects(value string) error {
 	n, err := strconv.Atoi(value)
 	if err != nil || n < 0 {
-		const usage = "must be a positive integer"
+		const usage = "must be a non-negative integer"
 		return core.NewValueError("redirects", value, usage, c.isFile)
 	}
 	c.Redirects = &n
@@ -525,8 +525,8 @@ func (c *Config) ParseSilent(value string) error {
 
 func (c *Config) ParseTimeout(value string) error {
 	secs, err := strconv.ParseFloat(value, 64)
-	if err != nil {
-		return core.NewValueError("timeout", value, "must be a valid number", c.isFile)
+	if err != nil || secs < 0 {
+		return core.NewValueError("timeout", value, "must be a non-negative number", c.isFile)
 	}
 	c.Timeout = new(time.Duration(float64(time.Second) * secs))
 	return nil
diff --git a/internal/session/session.go b/internal/session/session.go
@@ -214,7 +214,7 @@ func (j *sessionJar) Cookies(u *url.URL) []*http.Cookie {
 func getSessionsDir() (string, error) {
 	// Allow override for testing.
 	if dir := os.Getenv("FETCH_INTERNAL_SESSIONS_DIR"); dir != "" {
-		err := os.MkdirAll(dir, 0755)
+		err := os.MkdirAll(dir, 0700)
 		if err != nil {
 			return "", err
 		}
@@ -227,7 +227,7 @@ func getSessionsDir() (string, error) {
 	}
 
 	path := filepath.Join(dir, "fetch", "sessions")
-	err = os.MkdirAll(path, 0755)
+	err = os.MkdirAll(path, 0700)
 	if err != nil {
 		return "", err
 	}
diff --git a/internal/update/update.go b/internal/update/update.go
@@ -468,7 +468,7 @@ func getCacheDir() (string, error) {
 	}
 
 	path := filepath.Join(dir, "fetch")
-	err = os.MkdirAll(path, 0755)
+	err = os.MkdirAll(path, 0700)
 	if err != nil {
 		return "", err
 	}
@@ -483,8 +483,21 @@ func updateLastAttemptTime(dir string, now time.Time) error {
 	}
 
 	path := filepath.Join(dir, "metadata.json")
-	tempPath := path + ".__temp"
-	err = os.WriteFile(tempPath, data, 0666)
+	f, err := os.CreateTemp(dir, ".metadata-*.tmp")
+	if err != nil {
+		return err
+	}
+	tempPath := f.Name()
+	defer func() {
+		// Clean up temp file on error.
+		if err != nil {
+			os.Remove(tempPath)
+		}
+	}()
+	_, err = f.Write(data)
+	if err2 := f.Close(); err == nil {
+		err = err2
+	}
 	if err != nil {
 		return err
 	}
@@ -494,7 +507,7 @@ func updateLastAttemptTime(dir string, now time.Time) error {
 
 func acquireLock(ctx context.Context, p *core.Printer, dir string, block bool) (func(), error) {
 	path := filepath.Join(dir, ".update-lock")
-	f, err := os.OpenFile(path, os.O_CREATE|os.O_RDWR, 0666)
+	f, err := os.OpenFile(path, os.O_CREATE|os.O_RDWR, 0600)
 	if err != nil {
 		return nil, err
 	}

Original file line number	Diff line number	Diff line change
`@@ -214,7 +214,7 @@ func (j sessionJar) Cookies(u url.URL) []*http.Cookie {`
`214`	`214`	`func getSessionsDir() (string, error) {`
`215`	`215`	`// Allow override for testing.`
`216`	`216`	`if dir := os.Getenv("FETCH_INTERNAL_SESSIONS_DIR"); dir != "" {`
`217`		`- err := os.MkdirAll(dir, 0755)`
	`217`	`+ err := os.MkdirAll(dir, 0700)`
`218`	`218`	`if err != nil {`
`219`	`219`	`return "", err`
`220`	`220`	`}`
`@@ -227,7 +227,7 @@ func getSessionsDir() (string, error) {`
`227`	`227`	`}`
`228`	`228`
`229`	`229`	`path := filepath.Join(dir, "fetch", "sessions")`
`230`		`- err = os.MkdirAll(path, 0755)`
	`230`	`+ err = os.MkdirAll(path, 0700)`
`231`	`231`	`if err != nil {`
`232`	`232`	`return "", err`
`233`	`233`	`}`