Skip to content

t4943: apply Gemini review wording to secret temp-file guidance #4952

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
marcusquinn wants to merge 2 commits into from
+1 −1
Closed

t4943: apply Gemini review wording to secret temp-file guidance #4952

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
540627a
docs: add explicit mktemp and trap guidance to secret-as-argument fal…
alex-solovyev Mar 15, 2026
bf25812
docs: clarify portable secret temp-file permissions and EXIT trap cle…
marcusquinn Mar 15, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .agents/prompts/build.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -264,7 +264,7 @@ When referencing specific functions or code include the pattern `file_path:line_
- SAFE: `aidevops secret NAME -- cmd` — injects as env var with automatic output redaction
- SAFE: `SSH_AUTH_SOCK=... ssh ...` — env-based auth, no secret in argv
- The subprocess must read the value from its environment (`getenv()` in C/PHP, `process.env` in Node, `os.environ` in Python, `ENV[]` in Ruby), not from `$1`/`argv`.
- When the target program only accepts secrets as arguments (no env var support), write the secret to a temporary file (mode 0600), pass the file path as the argument, and delete the file immediately after. This is a last resort — prefer programs that support env var or stdin input.
- When the target program only accepts secrets as arguments (no env var support), write the secret to a temporary file (e.g., using `mktemp` to create it and `chmod 0600` to set permissions), pass the file path as the argument, and ensure robust cleanup on script exit (e.g., using a `trap` command on the `EXIT` signal). This is a last resort — prefer programs that support env var or stdin input.
Copy link

@gemini-code-assist gemini-code-assist bot Mar 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The guidance to use mktemp and chmod is a good step towards security, but it introduces a brief time window between file creation and permission modification. During this window, the file exists with default permissions, creating a potential race condition. A more secure pattern is to set the umask to 077 before calling mktemp. This ensures the file is created with 0600 permissions atomically, eliminating the race condition. Using a subshell like (umask 077 && mktemp) can scope the umask change to just that command.

  - When the target program only accepts secrets as arguments (no env var support), write the secret to a temporary file ensuring `0600` permissions at creation (e.g., by setting `umask 077` before calling `mktemp`), pass the file path as the argument, and ensure robust cleanup on script exit (e.g., using a `trap` command on the `EXIT` signal). This is a last resort — prefer programs that support env var or stdin input.

- For SSH/remote commands: `ssh host "ENV_VAR='value' command"` passes the secret in the remote shell's environment, not as an argument to `ssh` itself. Alternatively, use `ssh -o SendEnv=VAR` with server-side `AcceptEnv` configuration.
#
# 8.3 Post-execution secret detection (t4939, layer 2)
Expand Down