Fix SSH config file permissions race condition

- Modified writeFileWithLock to create files with correct permissions immediately - Changed string mode values to proper octal numbers (0o600, 0o400) - This eliminates the race condition where files existed with wrong permissions Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
2025-11-08 15:06:08 +08:00 · 2025-11-07 16:18:49 +00:00 · 2025-11-07 16:18:49 +00:00 · 62831835a5
commit 62831835a5
parent 8998b4078f
3 changed files with 13121 additions and 9998 deletions
--- a/back/services/sshKey.ts
+++ b/back/services/sshKey.ts
@ -26,13 +26,13 @@ export default class SshKeyService {
    if (_exist) {
      config = await fs.readFile(this.sshConfigFilePath, { encoding: 'utf-8' });
    } else {
-      await writeFileWithLock(this.sshConfigFilePath, '', { mode: '600' });
+      await writeFileWithLock(this.sshConfigFilePath, '', { mode: 0o600 });
    }
    if (!config.includes(this.sshConfigHeader)) {
      await writeFileWithLock(
        this.sshConfigFilePath,
        `${this.sshConfigHeader}\n\n${config}`,
-        { mode: '600' },
+        { mode: 0o600 },
      );
    }
  }
@ -46,7 +46,7 @@ export default class SshKeyService {
        path.join(this.sshPath, alias),
        `${key}${os.EOL}`,
        {
-          mode: '400',
+          mode: 0o400,
        },
      );
    } catch (error) {
@ -83,7 +83,7 @@ export default class SshKeyService {
      config,
      {
        encoding: 'utf8',
-        mode: '600',
+        mode: 0o600,
      },
    );
  }
--- a/back/shared/utils.ts
+++ b/back/shared/utils.ts
@ -20,8 +20,10 @@ export async function writeFileWithLock(
    options = { encoding: options };
  }
  if (!(await fileExist(filePath))) {
-    const fileHandle = await open(filePath, 'w');
-    fileHandle.close();
+    // Create the file with the specified mode if provided, otherwise use default
+    const fileMode = options?.mode || 0o666;
+    const fileHandle = await open(filePath, 'w', fileMode);
+    await fileHandle.close();
  }
  const lockfilePath = getUniqueLockPath(filePath);

@ -35,6 +37,7 @@ export async function writeFileWithLock(
    lockfilePath,
  });
  await writeFile(filePath, content, { encoding: 'utf8', ...options });
+  // Ensure the mode is set correctly even if the file already existed
  if (options?.mode) {
    await chmod(filePath, options.mode);
  }
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml