Skip to content

Fix security: credential permissions, CAS validation, token redaction#1028

Merged
jwiegley merged 1 commit into
mainfrom
johnw/review-security-fixes
Apr 16, 2026
Merged

Fix security: credential permissions, CAS validation, token redaction#1028
jwiegley merged 1 commit into
mainfrom
johnw/review-security-fixes

Conversation

@jwiegley
Copy link
Copy Markdown
Contributor

@jwiegley jwiegley commented Apr 9, 2026

  • Create credential files atomically with mode 0600 on Unix to prevent
    a window where they exist with default permissions
  • Validate CAS hashes are hex-only before building query URLs
  • Implement custom Debug for ApiContext to redact auth_token and api_key
  • Replace RefCell with Mutex in MockBackend to derive Send+Sync safely
    instead of using unsafe impl

Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com

@jwiegley Graphite App
Copy link
Copy Markdown
Contributor Author

jwiegley commented Apr 9, 2026
edited
Loading

This stack of pull requests is managed by Graphite. Learn more about stacking.

This was referenced Apr 9, 2026
Merged
Closed
Closed
Closed
Closed
Closed
Closed
@jwiegley jwiegley force-pushed the johnw/review-security-fixes branch from bbff7f0 to eb75b9b Compare April 9, 2026 17:28
@jwiegley jwiegley force-pushed the johnw/review-vscode-extension branch from 29765bf to aefe992 Compare April 9, 2026 17:28
@jwiegley jwiegley force-pushed the johnw/review-security-fixes branch from eb75b9b to 897edee Compare April 9, 2026 20:13
@jwiegley jwiegley force-pushed the johnw/review-vscode-extension branch from aefe992 to 5780c9a Compare April 9, 2026 20:13
@svarlamov svarlamov force-pushed the johnw/review-vscode-extension branch 2 times, most recently from cfb5bd0 to e78647c Compare April 11, 2026 14:50
@svarlamov svarlamov force-pushed the johnw/review-security-fixes branch from 897edee to b43e12d Compare April 11, 2026 14:50
@jwiegley jwiegley changed the base branch from johnw/review-vscode-extension to graphite-base/1028 April 15, 2026 19:52
@jwiegley jwiegley force-pushed the graphite-base/1028 branch from e78647c to b050b15 Compare April 15, 2026 19:52
@jwiegley jwiegley force-pushed the johnw/review-security-fixes branch from b43e12d to 86f70d0 Compare April 15, 2026 19:52
@jwiegley @claude
Fix security: credential permissions, CAS validation, token redaction
7eaef28 
- Create credential files atomically with mode 0600 on Unix to prevent
  a window where they exist with default permissions
- Validate CAS hashes are hex-only before building query URLs
- Implement custom Debug for ApiContext to redact auth_token and api_key
- Replace RefCell with Mutex in MockBackend to derive Send+Sync safely
  instead of using unsafe impl

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jwiegley jwiegley force-pushed the johnw/review-security-fixes branch from 86f70d0 to 7eaef28 Compare April 15, 2026 20:15
@jwiegley jwiegley changed the base branch from graphite-base/1028 to main April 15, 2026 20:15
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 15, 2026

Qodana for JVM

Analyzed project: agent-support/intellij/

2 new problems were found

Inspection name Severity Problems
Non-distinguishable logging calls ◽️ Notice 2

💡 Qodana analysis was run in the pull request mode: only the changed files were checked

View the detailed Qodana report

To be able to view the detailed Qodana report, you can either:

To get *.log files or any other Qodana artifacts, run the action with upload-result option set to true,
so that the action will upload the files as the job artifacts:

      - name: 'Qodana Scan'
        uses: JetBrains/qodana-action@v2025.3.2
        with:
          upload-result: true
Contact Qodana team

Contact us at qodana-support@jetbrains.com

@jwiegley jwiegley marked this pull request as ready for review April 15, 2026 21:46
@jwiegley jwiegley requested a review from svarlamov April 15, 2026 21:46
devin-ai-integration[bot]
devin-ai-integration Bot reviewed Apr 15, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@devin-ai-integration devin-ai-integration Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 3 additional findings.

Open in Devin Review

@jwiegley jwiegley merged commit e6e150b into main Apr 16, 2026
66 of 76 checks passed
@jwiegley jwiegley deleted the johnw/review-security-fixes branch April 16, 2026 06:40
@jwiegley jwiegley mentioned this pull request Apr 23, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@devin-ai-integration devin-ai-integration[bot] devin-ai-integration[bot] left review comments

@svarlamov svarlamov Awaiting requested review from svarlamov

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jwiegley