feat: refactor binary structure and expand library exports [5 of 8] #277
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Binary refactoring: - Extract command routing to src/bin/cli/commands.rs - Simplify src/bin/scope.rs to thin CLI wrapper - Update scope-intercept.rs to use explicit imports Library exports (src/lib.rs): - Add comprehensive crate-level documentation - Export CLI argument types (AnalyzeArgs, DoctorArgs, etc.) - Export capture/logging utilities for CLI tools - Export report builders and renderers - Deprecate prelude module with migration guidance Doctor module improvements: - Add make_prompt_fn for bridging UserInteraction trait - Update output format to use structured tracing fields - Fix if-let chain pattern in cache migration Co-Authored-By: Claude (global.anthropic.claude-opus-4-5-20251101-v1:0) <noreply@anthropic.com>
|
This pull request introduces insecure temporary file handling in src/doctor/commands/run.rs where a hardcoded, world-writable path (/tmp/scope/cache-file.json) is used for cache migration, allowing an attacker to pre-create or symlink that path to sensitive files (e.g., /etc/shadow) so std::fs::copy will follow the symlink and leak sensitive data into the user's cache or let an attacker supply a malicious cache to subvert health checks or overwrite files (including via SCOPE_DOCTOR_CACHE_DIR or dangling symlinks).
Insecure Temporary File Handling in
|
| Vulnerability | Insecure Temporary File Handling |
|---|---|
| Description | The code in src/doctor/commands/run.rs uses a hardcoded, world-writable path /tmp/scope/cache-file.json as a source for cache migration. An attacker can pre-create this directory and file. If they create /tmp/scope/cache-file.json as a symbolic link to a sensitive file (e.g., /etc/shadow), the migration logic will use std::fs::copy, which follows symbolic links for the source argument. This causes the contents of the sensitive file to be copied to the user's new cache directory (typically ~/.cache/scope/cache-file.json). Furthermore, an attacker can provide a malicious cache file to subvert health checks performed by the doctor command, or potentially overwrite files if they can influence the destination cache directory (e.g., via the SCOPE_DOCTOR_CACHE_DIR environment variable or by pre-creating the destination as a dangling symlink). |
scope/src/doctor/commands/run.rs
Lines 54 to 57 in 947cefe
All finding details can be found in the DryRun Security Dashboard.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Part 5 of 8
This is 5/8 of #265
Description of Changes (auto-gen)
Binary refactoring:
Library exports (src/lib.rs):
Doctor module improvements: