headless-sync minor security improvements

2026-06-17 04:35:53 +00:00 · 2026-06-02 17:42:47 +02:00
parent caaf6b3144
commit b90752e0ad
2 changed files with 20 additions and 8 deletions
--- a/apps/ignis-server/server/plugins/headless-sync/auth.js
+++ b/apps/ignis-server/server/plugins/headless-sync/auth.js
@@ -83,15 +83,23 @@ function isAuthenticated(dataDir) {
  return false;
 }

+function writeSecret(file, contents) {
+  fs.writeFileSync(file, contents, { encoding: "utf-8", mode: 0o600 });
+
+  try {
+    fs.chmodSync(file, 0o600);
+  } catch {}
+}
+
 function saveInternal(dataDir, tokenData) {
  const internalFile = getInternalTokenFile(dataDir);
  const dir = path.dirname(internalFile);

  if (!fs.existsSync(dir)) {
-    fs.mkdirSync(dir, { recursive: true });
+    fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
  }

-  fs.writeFileSync(internalFile, JSON.stringify(tokenData, null, 2), "utf-8");
+  writeSecret(internalFile, JSON.stringify(tokenData, null, 2));
 }

 function syncToObCli(dataDir, token) {
@@ -101,10 +109,10 @@ function syncToObCli(dataDir, token) {
    const dir = path.dirname(obAuthFile);

    if (!fs.existsSync(dir)) {
-      fs.mkdirSync(dir, { recursive: true });
+      fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
    }

-    fs.writeFileSync(obAuthFile, token, "utf-8");
+    writeSecret(obAuthFile, token);
  } catch {}
 }

--- a/apps/ignis-server/server/plugins/headless-sync/sync-manager.js
+++ b/apps/ignis-server/server/plugins/headless-sync/sync-manager.js
@@ -4,6 +4,7 @@ const { spawn } = require("child_process");
 const { spawnOb, runCommand } = require("./ob-cli");

 const MAX_LOG_ENTRIES = 200;
+const MAX_LOG_LINE = 4096;

 function killProcess(proc) {
  if (!proc) {
@@ -151,10 +152,13 @@ class SyncManager {
      const lines = data.toString().split("\n");

      for (const line of lines) {
-        if (line.trim()) {
-          this.addLog(state, line.trim());
+        const trimmed = line.trim();
+
+        if (trimmed) {
+          const capped = trimmed.slice(0, MAX_LOG_LINE);
+          this.addLog(state, capped);
          state.lastActivity = new Date().toISOString();
-          this.broadcaster.broadcastLog(vaultId, line.trim());
+          this.broadcaster.broadcastLog(vaultId, capped);
        }
      }
    });
@@ -302,7 +306,7 @@ class SyncManager {
  addLog(state, line) {
    state.logs.push({
      timestamp: new Date().toISOString(),
-      line,
+      line: line.slice(0, MAX_LOG_LINE),
    });

    if (state.logs.length > MAX_LOG_ENTRIES) {