Bug Description
Forge stores provider credentials in ~/forge/.credentials.json, but the file is created with permissions that allow users other than the owner to read it.
Observed on my system after provider login:
$ forge --version
forge 2.12.10
$ stat -c "%a %A %U %G %n" "$HOME/forge" "$HOME/forge/.credentials.json"
755 drwxr-xr-x <user> <group> /home/<user>/forge
644 -rw-r--r-- <user> <group> /home/<user>/forge/.credentials.json
Mode 0644 means the credentials file is world-readable. The containing directory is also searchable/readable by group and other users.
This is a security bug, not merely a usability issue: this file stores provider credentials/API keys/tokens, and credential files should not be readable by group or other users. A local multi-user system, shared workstation, compromised low-privilege user, overly broad group membership, or backup/indexing process could expose provider credentials.
I am intentionally not including the file contents because they are sensitive.
Steps to Reproduce
- Install ForgeCode.
- Run provider login, for example:
- Check the credentials file permissions:
  stat -c "%a %A %U %G %n" "$HOME/forge" "$HOME/forge/.credentials.json"
- Observe that ~/forge/.credentials.json is created with permissions such as 0644 / -rw-r--r--.
Expected Behavior
Credential storage should be private to the owning user.
Recommended behavior:
- Create ~/forge/.credentials.json with mode 0600 (-rw-------).
- Create the containing ~/forge directory with mode 0700 (drwx------) if it may contain secrets.
- When rewriting or migrating the credentials file, preserve or enforce private permissions.
- Detect and warn/fix insecure permissions during startup and/or forge doctor.
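The recommended behavior above, as an added example that is not ForgeCode's own code: it assumes Rust with the standard library's Unix extensions, applies 0700/0600 at creation time, re-applies 0600 when an existing (possibly 0644) file is rewritten, and includes the permission check a `forge doctor` style command could run. The JSON payload is a constructed placeholder.

```rust
use std::fs::{self, DirBuilder, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::{DirBuilderExt, OpenOptionsExt, PermissionsExt};
use std::path::Path;

/// Create (or truncate) a credentials file that only the owner can read or write.
/// The mode is applied at creation, so there is no window in which the file
/// exists with the process umask's default (typically 0644).
pub fn write_private_file(path: &Path, contents: &[u8]) -> io::Result<()> {
    if let Some(dir) = path.parent() {
        // mode(0o700) applies only to directories this call creates; an existing dir is left alone
        DirBuilder::new().recursive(true).mode(0o700).create(dir)?;
    }
    let mut f = OpenOptions::new()
        .write(true)
        .create(true)
        .truncate(true)
        .mode(0o600)
        .open(path)?;
    // `.mode()` has no effect when the file already exists, so enforce it explicitly
    // (this covers migrating/rewriting an older world-readable file).
    f.set_permissions(fs::Permissions::from_mode(0o600))?;
    f.write_all(contents)?;
    f.sync_all()
}

/// Permission check for startup / `forge doctor`: returns Some(mode) when any
/// group or other bits are set on the path, None when it is private to the owner.
pub fn insecure_mode(path: &Path) -> io::Result<Option<u32>> {
    let mode = fs::metadata(path)?.permissions().mode() & 0o777;
    if mode & 0o077 != 0 { Ok(Some(mode)) } else { Ok(None) }
}

fn main() -> io::Result<()> {
    // Constructed demo location; the real file would live under ~/forge.
    let dir = std::env::temp_dir().join("forge-perm-demo");
    let creds = dir.join(".credentials.json");
    write_private_file(&creds, b"{\"provider\":\"constructed-placeholder\"}\n")?;
    for p in [&dir, &creds] {
        match insecure_mode(p)? {
            Some(m) => println!("{}: insecure mode {:o}", p.display(), m),
            None => println!("{}: ok", p.display()),
        }
    }
    Ok(())
}
```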
Actual Behavior
~/forge/.credentials.json is created with permissions such as:
644 -rw-r--r-- <user> <group> /home/<user>/forge/.credentials.json
This allows users other than the file owner to read provider credentials.
Forge Version
forge 2.12.10
Operating System & Version
Linux 6.6.87.2-microsoft-standard-WSL2 x86_64 GNU/Linux
AI Provider
Other
Model
N/A
Installation Method
Other
Configuration
No configuration contents attached because this report concerns credential-file permissions and the file may contain secrets.
Relevant metadata only:
755 drwxr-xr-x <user> <group> /home/<user>/forge
644 -rw-r--r-- <user> <group> /home/<user>/forge/.credentials.json