Enforce config file permissions

This commit is contained in:
Alice Gaudon 2020-07-15 15:13:40 +02:00
parent 9ce345d99d
commit 249098a587

View File

@ -11,6 +11,8 @@ import {Type} from "./Utils";
import LogRequestsComponent from "./components/LogRequestsComponent";
import {ValidationBag} from "./db/Validator";
import config from "config";
import * as fs from "fs";
import SecurityError from "./SecurityError";
import TemplateError = lib.TemplateError;
export default abstract class Application {
@ -177,6 +179,16 @@ export default abstract class Application {
}
private async checkSecuritySettings(): Promise<void> {
// Check config file permissions
for (const file of fs.readdirSync('config')) {
const stats = fs.lstatSync(file);
if (stats.uid !== process.getuid())
throw new SecurityError(file + ' is not owned by this process (' + process.getuid() + ').');
if (stats.mode !== 400)
throw new SecurityError(file + ' is not chmod 400.');
}
// Check security fields
for (const component of this.components) {
await component.checkSecuritySettings();
}