set secure cache permissions on unix systems

amber-lang · Dec 1, 2024 · eabfbf3 · eabfbf3
1 parent 968c9b6
commit eabfbf3
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 4 deletions.
diff --git a/src/compiler/cache.rs b/src/compiler/cache.rs
@@ -1,4 +1,4 @@
-use std::{fs, path::PathBuf};
+use std::{fs::{self, Permissions}, os::unix::fs::PermissionsExt, path::PathBuf};
 
 const GIT_HASH: &'static str = env!("GIT_HASH");
 
@@ -11,6 +11,9 @@ pub fn home_cache() -> Option<PathBuf> {
         home.push("amber");
         if ! home.is_dir() {
             fs::create_dir_all(&home).expect("Couldn't create ~/.cache/amber");
+
+            #[cfg(unix)]
+            fs::set_permissions(&home, Permissions::from_mode(0o700)).expect("Couldn't set permissions to ~/.cache/amber")
         }
         Some(home)
     } else {

diff --git a/src/compiler/cache/parse.rs b/src/compiler/cache/parse.rs
@@ -1,4 +1,4 @@
-use std::{error::Error, fs::{self, File, Metadata}, path::PathBuf, time::SystemTime};
+use std::{error::Error, fs::{self, File, Metadata, Permissions}, os::unix::fs::PermissionsExt, path::PathBuf, time::SystemTime};
 use serde::{Serialize, Deserialize};
 
 use crate::{modules::block::Block, utils::ParserMetadata};
@@ -69,7 +69,10 @@ impl PreparsedFile {
         filename.set_extension(FILE_EXT);
 
         let serialized: Vec<u8> = self.try_into()?;
-        fs::write(filename, serialized)?;
+        fs::write(&filename, serialized)?;
+
+        #[cfg(unix)]
+        fs::set_permissions(&filename, Permissions::from_mode(0o700)).map_err(|x| format!("Cannot set perms to {filename:?}: {x}"))?;
 
         Ok(())
     }

diff --git a/src/compiler/cache/tokenize.rs b/src/compiler/cache/tokenize.rs
@@ -1,4 +1,5 @@
-use std::fs::File;
+use std::fs::{File, Permissions};
+use std::os::unix::fs::PermissionsExt;
 use std::{fs, path::PathBuf};
 use std::time::SystemTime;
 
@@ -109,7 +110,12 @@ impl PretokenizedFile {
 
         if let Some(cache_file) = Self::get_path(&filename, file_meta) {
             let serialized: Vec<u8> = self.try_into()?;
+
             fs::write(&cache_file, serialized).map_err(|x| format!("Cannot write to {cache_file:?}: {x}"))?;
+
+            #[cfg(unix)]
+            fs::set_permissions(&filename, Permissions::from_mode(0o700)).map_err(|x| format!("Cannot set perms to {cache_file:?}: {x}"))?;
+
             Ok(())
         } else {
             Err(String::from("Couldn't get path to saved directory").into())