Add security tests for WriteFile permissions in doctor command

Resolves bd-ee1: Add security tests for WriteFile permissions in doctor command Added comprehensive security tests for the FixGitignore function to verify: - Files are created with 0600 permissions (secure, owner-only read/write) - Existing files with insecure permissions are fixed - Read-only files can be updated (permissions fixed first) - File ownership is correct - Permissions are enforced even on systems that respect umask Also improved FixGitignore implementation to: - Handle read-only files by fixing permissions before writing - Explicitly set permissions after write to ensure 0600 regardless of umask - Maintain secure permissions throughout the operation Tests verify the gosec G306 security concern is properly addressed. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-23 21:15:17 -08:00
parent 4f15e66599
commit ae5a4ac6ea
3 changed files with 1044 additions and 684 deletions
--- a/cmd/bd/doctor/gitignore.go
+++ b/cmd/bd/doctor/gitignore.go
@@ -94,10 +94,24 @@ func CheckGitignore() DoctorCheck {
 func FixGitignore() error {
 	gitignorePath := filepath.Join(".beads", ".gitignore")

+	// If file exists and is read-only, fix permissions first
+	if info, err := os.Stat(gitignorePath); err == nil {
+		if info.Mode().Perm()&0200 == 0 { // No write permission for owner
+			if err := os.Chmod(gitignorePath, 0600); err != nil {
+				return err
+			}
+		}
+	}
+
 	// Write canonical template with secure file permissions
 	if err := os.WriteFile(gitignorePath, []byte(GitignoreTemplate), 0600); err != nil {
 		return err
 	}

+	// Ensure permissions are set correctly (some systems respect umask)
+	if err := os.Chmod(gitignorePath, 0600); err != nil {
+		return err
+	}
+
 	return nil
 }