From 249098a587b6b0eab9547b683b01f3b3e8c5d595 Mon Sep 17 00:00:00 2001
From: Alice Gaudon <alice@gaudon.pro>
Date: Wed, 15 Jul 2020 15:13:40 +0200
Subject: [PATCH] Enforce config file permissions

---
 src/Application.ts | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/Application.ts b/src/Application.ts
index a9bb87f..fc830bd 100644
--- a/src/Application.ts
+++ b/src/Application.ts
@@ -11,6 +11,8 @@ import {Type} from "./Utils";
 import LogRequestsComponent from "./components/LogRequestsComponent";
 import {ValidationBag} from "./db/Validator";
 import config from "config";
+import * as fs from "fs";
+import SecurityError from "./SecurityError";
 import TemplateError = lib.TemplateError;
 
 export default abstract class Application {
@@ -177,6 +179,16 @@ export default abstract class Application {
     }
 
     private async checkSecuritySettings(): Promise<void> {
+        // Check config file permissions
+        for (const file of fs.readdirSync('config')) {
+            const stats = fs.lstatSync(file);
+            if (stats.uid !== process.getuid())
+                throw new SecurityError(file + ' is not owned by this process (' + process.getuid() + ').');
+            if (stats.mode !== 400)
+                throw new SecurityError(file + ' is not chmod 400.');
+        }
+
+        // Check security fields
         for (const component of this.components) {
             await component.checkSecuritySettings();
         }