Summary
Found via code audit.
Bug 1: Self-update without checksum verification (HIGH)
File: `internal/cli/root.go`, lines 255-376
`selfUpdate()` downloads a release binary from GitHub and overwrites the current executable without verifying a checksum or signature. Anyone who can alter the download (a compromised release or maintainer account, or a TLS-intercepting corporate proxy in the path) can substitute a malicious binary that then runs with the user's privileges on every subsequent invocation.
Fix: Download the release's SHA-256 checksum file alongside the binary, hash the downloaded bytes, and compare against the listed digest before replacing the executable; abort on any mismatch or on a malformed checksum file. Caveat: a checksum file fetched from the same release over the same channel only catches corruption and asset substitution. Against a compromised release or an interceptor that rewrites both files, the binary also needs a signature verified with a public key embedded in the client.
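The checksum verification described above, as an added example (this is illustrative code, not the project's `selfUpdate()`). It parses a `sha256sum`-style checksum file, hashes the downloaded binary, and fails closed on a mismatch, an unlisted asset, or a malformed file. The asset names and the sample "binary" are constructed for the example.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ParseChecksumFile reads a sha256sum-style file ("<hex digest>  <name>" per
// line) and returns the digest recorded for wantName. Hypothetical helper
// written for this example; it is not the project's code.
func ParseChecksumFile(content []byte, wantName string) ([]byte, error) {
	sc := bufio.NewScanner(bytes.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return nil, fmt.Errorf("malformed checksum line: %q", line)
		}
		// sha256sum prefixes names with '*' in binary mode.
		if strings.TrimPrefix(fields[1], "*") != wantName {
			continue
		}
		digest, err := hex.DecodeString(fields[0])
		if err != nil || len(digest) != sha256.Size {
			return nil, fmt.Errorf("invalid SHA-256 digest for %s: %q", wantName, fields[0])
		}
		return digest, nil
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	return nil, fmt.Errorf("no checksum entry for %s", wantName)
}

// VerifyDownload hashes the downloaded binary and compares it with the digest
// listed for assetName. Any parse failure or mismatch is an error, so the
// caller must not replace the executable unless this returns nil.
func VerifyDownload(binary, checksums []byte, assetName string) error {
	want, err := ParseChecksumFile(checksums, assetName)
	if err != nil {
		return fmt.Errorf("self-update: %w", err)
	}
	got := sha256.Sum256(binary)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return errors.New("self-update: checksum mismatch, refusing to replace executable")
	}
	return nil
}

func main() {
	// Constructed sample input: a stand-in "binary" and a checksum file that
	// lists its real digest next to an unrelated asset. Asset names are made up.
	binary := []byte("fake release binary v1.2.3\n")
	sum := sha256.Sum256(binary)
	other := sha256.Sum256([]byte("some other asset"))
	checksums := []byte(fmt.Sprintf("%x  tool_linux_amd64\n%x  tool_darwin_arm64\n", sum[:], other[:]))

	tampered := append([]byte{}, binary...)
	tampered = append(tampered, '!')

	fmt.Println("genuine:", VerifyDownload(binary, checksums, "tool_linux_amd64"))
	fmt.Println("tampered:", VerifyDownload(tampered, checksums, "tool_linux_amd64"))
	fmt.Println("unlisted:", VerifyDownload(binary, checksums, "tool_windows_amd64.exe"))
}
```

The verified bytes are the ones that get written; hash the buffer you are about to install, not a second download, or the check can be raced by a changing upstream.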
Bug 2: Session files written world-readable (MEDIUM)
Files: `internal/session/session.go`:232, `internal/worktree/worktree.go`:69
Session files (conversation history that can contain secrets and API keys pasted into the chat) are created with mode `0644`, so every other user on a shared host can read them.
Fix: Create them with `0600`. The mode argument to `os.OpenFile` and `os.WriteFile` only applies when the file is created, so session files written before the fix keep `0644` until they are explicitly chmod'ed.
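As an added example (not the project's session or worktree code), a writer that creates session files owner-only and also tightens the bits on files that already exist with `0644`, plus a scan that lists files in a directory still readable by group or others. Paths and file contents are constructed for the example.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// WriteSessionFile writes data to path with owner-only permissions. The mode
// argument to OpenFile only takes effect when the file is created, so an
// existing session file written earlier as 0644 keeps its old bits; Chmod
// tightens those too. Hypothetical helper for this example, not project code.
func WriteSessionFile(path string, data []byte) error {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
	if err != nil {
		return err
	}
	if err := f.Chmod(0o600); err != nil {
		f.Close()
		return err
	}
	if _, err := f.Write(data); err != nil {
		f.Close()
		return err
	}
	return f.Close()
}

// FindGroupOrWorldReadable walks dir and returns regular files whose group or
// other permission bits allow reading, i.e. files that still need the fix.
func FindGroupOrWorldReadable(dir string) ([]string, error) {
	var exposed []string
	err := filepath.WalkDir(dir, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.Type().IsRegular() {
			return nil
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		if info.Mode().Perm()&0o044 != 0 {
			exposed = append(exposed, path)
		}
		return nil
	})
	return exposed, err
}

func main() {
	dir, err := os.MkdirTemp("", "sessions")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	// Constructed sample: one file written the old way (0644) and one with the fix.
	old := filepath.Join(dir, "old-session.json")
	if err := os.WriteFile(old, []byte(`{"messages":[]}`), 0o644); err != nil {
		panic(err)
	}
	if err := WriteSessionFile(filepath.Join(dir, "new-session.json"), []byte(`{"messages":[]}`)); err != nil {
		panic(err)
	}
	exposed, _ := FindGroupOrWorldReadable(dir)
	fmt.Println("exposed before repair:", exposed)

	// Rewriting the old file through WriteSessionFile also repairs its mode.
	if err := WriteSessionFile(old, []byte(`{"messages":[]}`)); err != nil {
		panic(err)
	}
	exposed, _ = FindGroupOrWorldReadable(dir)
	fmt.Println("exposed after repair:", exposed)
}
```

The umask can only remove bits, so `0600` at creation is safe regardless of the user's umask; the explicit `Chmod` is what repairs files that predate the fix.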
Bug 3: Corrupted permissions file defaults to permissive (MEDIUM)
File: `internal/config/permissions.go`, line 40
The `json.Unmarshal` error is silently discarded, so a corrupted or truncated permissions file (for example after an interrupted write) leaves the struct at its zero value, which is an empty and therefore fully permissive ruleset.
Fix: Return the error and fail closed: treat an unparsable permissions file as deny-all (or refuse to start) rather than as "no rules". Only a missing file should produce the default ruleset.