fauna · yesha-fauna · Dec 8, 2023 · Dec 7, 2023 · Dec 7, 2023 · Dec 7, 2023
@@ -1,4 +1,4 @@
-import { ShellConfig } from "../../lib/config/index";
+import { ShellConfig } from "../../lib/config";
 import { Args, Command } from "@oclif/core";
 import { searchSelect } from "../../lib/search-select";
 

@@ -13,7 +13,8 @@ class RunQueriesCommand extends EvalCommand {
   }
 }
 
-RunQueriesCommand.description = "Run the queries found on the file passed to the command.";
+RunQueriesCommand.description =
+  "Run the queries found on the file passed to the command.";
 
 RunQueriesCommand.examples = [
   "$ fauna run-queries dbname --file=/path/to/queries.fql",

@@ -292,9 +292,9 @@ export class ShellConfig {
       );
       /**
        * If there is no secret flag set we need to ensure we validate we can find a secret
-       * from the endpoint.  Additionally if there is a root config present, we 
-       * want to validate that things line up with the project.  Even if a secret 
-       * flag is set, there could be other properties of the endpoint that we need to 
+       * from the endpoint.  Additionally if there is a root config present, we
+       * want to validate that things line up with the project.  Even if a secret
+       * flag is set, there could be other properties of the endpoint that we need to
        * pull in, url being the current one.
        * The inverse of this is the running from a pipeline scenario where there is a secret
        * set and no root config.  In that case we don't want to validate the project configuration.
@@ -329,9 +329,15 @@ export class ShellConfig {
         )}\n Resolve them by ensuring they have a secret defined or remove them if they are not needed.`,
         ...this.errors,
       ];
-    } else {
-      return [];
     }
+    if (fileExistsWithNonPermission600(getRootConfigPath())) {
+      return [
+        `${getRootConfigPath()} should have 600 permission. Update the permission of this file.`,
+        ...this.errors,
+      ];
+    }
+
+    return [];
   }
 
   /**
@@ -418,3 +424,20 @@ export const fileExists = (filePath: string): boolean => {
   });
   return stat !== undefined && stat.isFile();
 };
+
+export const fileExistsWithNonPermission600 = (
+  filePath: string | undefined
+): boolean => {
+  try {
+    if (filePath === undefined) {
+      return false;
+    }
+    const stat = fs.statSync(filePath);
+
+    // Check if it's a file and has permission 600
+    return stat.isFile() && (stat.mode & 0o777) !== 0o600;
+  } catch (error) {
+    // Handle the case where the file doesn't exist or other errors
+    return false;
+  }
+};
@@ -36,7 +36,9 @@ export class ProjectConfig {
       ProjectConfig.ENVIRONMENT_FIELD_NAME
     )
       ? Object.fromEntries<Environment>(
-          config.objectsIn("environment").map(([k, v]) => [k, new Environment(v)])
+          config
+            .objectsIn("environment")
+            .map(([k, v]) => [k, new Environment(v)])
         )
       : {};
 

@@ -85,7 +85,7 @@ export class RootConfig {
     const config = this.toIni();
 
     const encoded = ini.encode(config);
-    fs.writeFileSync(path, encoded);
+    fs.writeFileSync(path, encoded, { mode: "600" });
   }
 
   toIni() {

@@ -1,5 +1,11 @@
 const { expect, test } = require("@oclif/test");
-const { withOpts, getEndpoint, evalV10, matchFqlReq, withLegacyOpts } = require("../helpers/utils.js");
+const {
+  withOpts,
+  getEndpoint,
+  evalV10,
+  matchFqlReq,
+  withLegacyOpts,
+} = require("../helpers/utils.js");
 const { query: q } = require("faunadb");
 
 describe("eval", () => {
@@ -123,7 +129,9 @@ describe("eval in v10", () => {
     })
     .stdout()
     // --secret is passed by withOpts, and passing a scope with that is allowed.
-    .command(withOpts(["eval", "MyDB", "{ three: 3 }", "--format", "json-tagged"]))
+    .command(
+      withOpts(["eval", "MyDB", "{ three: 3 }", "--format", "json-tagged"])
+    )
     .it("allows setting --secret and scope", (ctx) => {
       expect(JSON.parse(ctx.stdout)).to.deep.equal({ three: { "@int": "3" } });
     });
@@ -143,13 +151,12 @@ describe("eval in v10", () => {
       "--secret",
       `${process.env.FAUNA_SECRET}:MyDB:admin`,
       "--url",
-      getEndpoint()
+      getEndpoint(),
     ])
     .it("allows scoped secrets", (ctx) => {
       expect(JSON.parse(ctx.stdout)).to.deep.equal({ two: { "@int": "3" } });
     });
 
-
   test
     .do(async () => {
       // This can fail if `MyDB` already exists, but thats fine.
@@ -166,10 +173,12 @@ describe("eval in v10", () => {
       "--secret",
       `${process.env.FAUNA_SECRET}:MyDB:admin`,
       "--url",
-      getEndpoint()
+      getEndpoint(),
     ])
     .catch((e) => {
-      expect(e.message).to.equal("Cannot specify database with a secret that contains a database");
+      expect(e.message).to.equal(
+        "Cannot specify database with a secret that contains a database"
+      );
     })
     .it("disallows scoped secrets and a scope argument");
 });
@@ -180,7 +189,7 @@ function mockQuery(api) {
     .post("/", matchFqlReq(q.Now()))
     .reply(200, { resource: new Date() })
     .post("/", matchFqlReq(q.Paginate(q.Collections())))
-    .reply(200, function() {
+    .reply(200, function () {
       const auth = this.req.headers.authorization[0].split(":");
       return {
         resource: {

@@ -54,7 +54,7 @@ module.exports.evalV10 = (query) => {
       query,
     }),
   });
-}
+};
 
 const fqlToJsonString = (fql) => JSON.stringify(q.wrap(fql));
 module.exports.fqlToJsonString = fqlToJsonString;
-Original file line number
+Diff line change
@@ Expand Up / @@ -54,7 +54,7 @@ module.exports.evalV10 = (query) => { @@
           query,
         }),
       });
-    }
+    };
     const fqlToJsonString = (fql) => JSON.stringify(q.wrap(fql));
     module.exports.fqlToJsonString = fqlToJsonString;
@@ Expand Down @@