Merge pull request #8256 from uinstinct/config-0600-perm

fix: use 0600 permissions on config.yaml

Author: tingwai

core/util/paths.ts

@@ -14,6 +14,16 @@ import Types from "../config/types";
 
 dotenv.config();
 
+export function setConfigFilePermissions(filePath: string): void {
+  try {
+    if (os.platform() !== "win32") {
+      fs.chmodSync(filePath, 0o600);
+    }
+  } catch (error) {
+    console.warn(`Failed to set permissions on ${filePath}:`, error);
+  }
+}
+
 const CONTINUE_GLOBAL_DIR = (() => {
   const configPath = process.env.CONTINUE_GLOBAL_DIR;
   if (configPath) {
@@ -117,6 +127,7 @@ export function getConfigYamlPath(ideType?: IdeType): string {
     } else {
       fs.writeFileSync(p, YAML.stringify(defaultConfig));
     }
+    setConfigFilePermissions(p);
   }
   return p;
 }
@@ -255,12 +266,14 @@ function editConfigJson(
 }
 
 function editConfigYaml(callback: (config: ConfigYaml) => ConfigYaml): void {
-  const config = fs.readFileSync(getConfigYamlPath(), "utf8");
+  const configPath = getConfigYamlPath();
+  const config = fs.readFileSync(configPath, "utf8");
   let configYaml = YAML.parse(config);
   // Check if it's an object
   if (typeof configYaml === "object" && configYaml !== null) {
     configYaml = callback(configYaml as any) as any;
-    fs.writeFileSync(getConfigYamlPath(), YAML.stringify(configYaml));
+    fs.writeFileSync(configPath, YAML.stringify(configYaml));
+    setConfigFilePermissions(configPath);
   } else {
     console.warn("config.yaml is not a valid object");
   }

extensions/cli/src/freeTrialTransition.ts

@@ -3,6 +3,7 @@ import * as fs from "fs";
 import * as path from "path";
 
 import chalk from "chalk";
+import { setConfigFilePermissions } from "core/util/paths.js";
 import open from "open";
 
 import { env } from "./env.js";
@@ -32,6 +33,7 @@ async function createOrUpdateConfig(apiKey: string): Promise<void> {
 
   const updatedContent = updateAnthropicModelInYaml(existingContent, apiKey);
   fs.writeFileSync(CONFIG_PATH, updatedContent);
+  setConfigFilePermissions(CONFIG_PATH);
 }
 
 /**

extensions/cli/src/onboarding.ts

@@ -2,6 +2,7 @@ import * as fs from "fs";
 import * as path from "path";
 
 import chalk from "chalk";
+import { setConfigFilePermissions } from "core/util/paths.js";
 
 import { AuthConfig, login } from "./auth/workos.js";
 import { getApiClient } from "./config.js";
@@ -44,6 +45,7 @@ export async function createOrUpdateConfig(apiKey: string): Promise<void> {
 
   const updatedContent = updateAnthropicModelInYaml(existingContent, apiKey);
   fs.writeFileSync(CONFIG_PATH, updatedContent);
+  setConfigFilePermissions(CONFIG_PATH);
 }
 
 export async function runOnboardingFlow(

extensions/vscode/src/commands.ts

@@ -8,16 +8,20 @@ import { EXTENSION_NAME } from "core/control-plane/env";
 import { Core } from "core/core";
 import { walkDirAsync } from "core/indexing/walkDir";
 import { isModelInstaller } from "core/llm";
+import { NextEditLoggingService } from "core/nextEdit/NextEditLoggingService";
 import { startLocalLemonade } from "core/util/lemonadeHelper";
 import { startLocalOllama } from "core/util/ollamaHelper";
-import { getConfigJsonPath, getConfigYamlPath } from "core/util/paths";
+import {
+  getConfigJsonPath,
+  getConfigYamlPath,
+  setConfigFilePermissions,
+} from "core/util/paths";
 import { Telemetry } from "core/util/posthog";
 import * as vscode from "vscode";
 import * as YAML from "yaml";
 
 import { convertJsonToYamlConfig } from "../../../packages/config-yaml/dist";
 
-import { NextEditLoggingService } from "core/nextEdit/NextEditLoggingService";
 import {
   getAutocompleteStatusBarDescription,
   getAutocompleteStatusBarTitle,
@@ -716,6 +720,7 @@ const getCommandsMap: (
 
       const configYamlPath = getConfigYamlPath();
       fs.writeFileSync(configYamlPath, YAML.stringify(configYaml));
+      setConfigFilePermissions(configYamlPath);
 
       // Open config.yaml
       await openEditorAndRevealRange(