fix(security): restrict temp file permissions in send_matrix_email (#3239)

Set umask 077 before mktemp so the temp .ts file is created with 0600 permissions, preventing other users on shared systems from reading it. Umask is restored immediately after file creation. Agent: code-health Co-authored-by: B <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-04-28 03:49:31 +00:00 · 2026-04-08 01:33:34 -07:00 · 2026-04-08 01:33:34 -07:00 · 1745b78689
commit 1745b78689
parent 7e44923fb9
1 changed files with 4 additions and 1 deletions
--- a/sh/e2e/e2e.sh
+++ b/sh/e2e/e2e.sh
@ -576,8 +576,11 @@ send_matrix_email() {
    done
  done

-  local ts_file
+  local ts_file old_umask
+  old_umask=$(umask)
+  umask 077
  ts_file=$(mktemp /tmp/e2e-email-XXXXXX.ts)
+  umask "${old_umask}"

  cat > "${ts_file}" << 'TS_EOF'
 const results = (process.env._E2E_RESULTS ?? "").split(",").filter(Boolean);