fix(update): Ensure that the CLI binary will be executable after an u…

…pdate (#1244) * fix(update): Ensure that the CLI binary will be executable after an update When the downloaded CLI binary cannot be 'moved' into position (i.e. when it is located on a different filesystem from the target location), it is copied, but the permissions need to be set after the copy so that it will be executable. Closes #1168. * Apply review feedback and properly suppress 'gosec' warning.
fastly · Jul 9, 2024 · c2f28dc · c2f28dc
1 parent 07aab14
commit c2f28dc
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/pkg/commands/update/root.go b/pkg/commands/update/root.go
@@ -130,6 +130,16 @@ func (c *RootCommand) Exec(_ io.Reader, out io.Writer) error {
 				})
 				return fmt.Errorf("error 'copying' latest binary in place: %w (following an error 'moving': %w)", err, renameErr)
 			}
+
+			// G302 (CWE-276): Expect file permissions to be 0600 or less
+			// gosec flagged this:
+			// Disabling as the file was not executable without it and we need all users
+			// to be able to execute the binary.
+			// #nosec
+			err := os.Chmod(currentBin, 0o755)
+			if err != nil {
+				return fmt.Errorf("failed to modify permissions after 'copying' latest binary: %w", err)
+			}
 		}
 		return nil
 	})

diff --git a/pkg/github/github.go b/pkg/github/github.go
@@ -372,7 +372,7 @@ func extractBinary(archive, binaryName, dst, assetBase string, nested bool) (bin
 	// Disabling as the file was not executable without it and we need all users
 	// to be able to execute the binary.
 	/* #nosec */
-	err = os.Chmod(extractedBinary, 0o777)
+	err = os.Chmod(extractedBinary, 0o755)
 	if err != nil {
 		return "", fmt.Errorf("failed to modify permissions on extracted binary: %w", err)
 	}