fix: verify NKey file has secure permissions before reading

Reject NKey files that are readable by group or others (permissions more permissive than 0600). This prevents accidental exposure of private keys through overly permissive file permissions. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-07 04:40:53 +01:00
parent 95fbfb2339
commit f51058964d
3 changed files with 33 additions and 1 deletions
--- a/internal/nats/client_test.go
+++ b/internal/nats/client_test.go
@@ -21,6 +21,29 @@ func TestConnect_InvalidNKeyFile(t *testing.T) {
 	}
 }

+func TestConnect_InsecureNKeyFilePermissions(t *testing.T) {
+	// Create a temp file with insecure permissions
+	tmpDir := t.TempDir()
+	keyFile := filepath.Join(tmpDir, "insecure.nkey")
+	if err := os.WriteFile(keyFile, []byte("test-content"), 0644); err != nil {
+		t.Fatalf("failed to write temp file: %v", err)
+	}
+
+	cfg := Config{
+		URL:      "nats://localhost:4222",
+		NKeyFile: keyFile,
+		Name:     "test",
+	}
+
+	_, err := Connect(cfg)
+	if err == nil {
+		t.Error("expected error for insecure nkey file permissions")
+	}
+	if err != nil && !contains(err.Error(), "insecure permissions") {
+		t.Errorf("expected insecure permissions error, got: %v", err)
+	}
+}
+
 func TestConnect_InvalidNKeySeed(t *testing.T) {
 	// Create a temp file with invalid content
 	tmpDir := t.TempDir()