Require only user-readable config file

Description

Require only user-readable config file

Decorate the config load function to stat the underlying file descriptor
and refuse to operate if it’s group- or world-readable: the config file
contains the secret key and OAuth secrets, which no one else should have
read access to. This would have prevented T286414 [1]; of course, it’s
not very useful for this tool after the fact (unless the configuration
has to be completely recreated for some reason), but I also intend to
add this code to cookiecutter-toolforge [2], and want to test it in this
tool first.

The .flake8 config file gains a further exclusion, because Flake8 has
different error codes for missing blank lines between functions/classes
and missing blank lines after functions/classes (i.e. between them and
non-functions/classes, e.g. between read_private and has_config).

[1]: https://phabricator.wikimedia.org/T286414
[2]: https://github.com/lucaswerkmeister/cookiecutter-toolforge
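The check described in the message above, as an added example that is not the code from this commit: a decorator that stats the open file's descriptor and refuses to parse a group- or world-readable file. The names `require_private`, `load_private_json`, `try_load` and `demo`, the JSON format and the sample config are assumptions made for illustration.

```python
import functools
import json
import os
import stat
import tempfile


def require_private(load):
    """Wrap a loader taking an open file; refuse group-/world-readable files."""
    @functools.wraps(load)
    def wrapper(f, *args, **kwargs):
        # fstat the descriptor that is already open, not the path, so the
        # check applies to the exact file whose contents are about to be parsed.
        mode = os.fstat(f.fileno()).st_mode
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            raise PermissionError(
                f"{getattr(f, 'name', '<config>')} is group- or world-readable "
                f"(mode {stat.S_IMODE(mode):04o}); run chmod 600 on it"
            )
        return load(f, *args, **kwargs)
    return wrapper


# Hypothetical loader: json.load with the permission check applied first.
load_private_json = require_private(json.load)


def try_load(path):
    """Return (config, None) on success or (None, error message) on refusal."""
    try:
        with open(path) as f:
            return load_private_json(f), None
    except PermissionError as e:
        return None, str(e)


def demo():
    """Load a constructed sample config under three different file modes."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "config.json")
        with open(path, "w") as f:
            json.dump({"SECRET_KEY": "constructed-sample-value"}, f)
        for mode in (0o600, 0o640, 0o604):
            os.chmod(path, mode)
            config, _error = try_load(path)
            results[mode] = config is not None
    return results
```

The example assumes POSIX permission bits; the check only inspects the file's own mode, so readable parent directories, ACLs and backups still need separate review.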

Details

Provenance
LucasWerkmeister authored on Jul 18 2021, 6:07 PM
Parents
R2362:61b1d0fd93e2: Add Igbo adjective template