--validate-proxies writes credentialed proxy list to world-readable validated_proxies.txt in CWD and never cleans it up #383

Description

@tg12

Summary

The --validate-proxies flow writes the working-proxy list to a fixed file named validated_proxies.txt in the current working directory, with default permissions, and never removes it. Proxy entries commonly embed credentials (scheme://user:pass@host:port), so this silently persists proxy credentials in plaintext to whatever directory the operator happened to run the tool from, and is easy to commit accidentally.

Evidence

  • user_scanner/__main__.py:208-214

        temp_proxy_file = "validated_proxies.txt"
        with open(temp_proxy_file, "w", encoding="utf-8") as f:
            for proxy in working_proxies:
                f.write(proxy + "\n")
        set_proxy_manager(temp_proxy_file)

  • user_scanner/core/helpers.py:158-169: ProxyManager._load_proxies preserves explicit schemes, i.e. credentialed proxy URLs (http://user:pass@host) are loaded and therefore written back out verbatim.
  • .gitignore ignores result.json and *.csv but not validated_proxies.txt, so the credential file is not protected from accidental commit.

Why this matters

  • The file is created in the CWD (not a per-user temp dir), with no 0600 restriction, so on shared/multi-user hosts other users may read the operator's proxy credentials.
  • The name is fixed and the file is never deleted, so it lingers after the run and can be picked up by backups, sync tools, or an unqualified git add . followed by a commit.
  • Proxy credentials often gate paid/residential proxy pools — leaking them has direct financial and operational-security impact.

Attack or failure scenario

  1. Operator runs --proxy-file proxies.txt --validate-proxies where proxies.txt contains credentialed entries.
  2. validated_proxies.txt is written to the CWD (e.g. a cloned repo working tree) world-readable and left there.
  3. Another local user reads it, or the operator later runs git add . && git commit and pushes the credentials.

Root cause

A temporary artifact containing secrets is written to a predictable, non-temp, non-restricted location and treated as disposable scratch state without lifecycle management.

Recommended fix

  • Avoid the on-disk round-trip entirely: pass the validated in-memory proxy list to set_proxy_manager (or a variant that accepts a list) instead of writing a file.
  • If a file is required, use tempfile.NamedTemporaryFile (or the user state/cache dir), set mode 0o600, and delete it on exit.
  • Never log or persist the credential portion of proxy URLs; redact user:pass@ in any output.
  • Add validated_proxies.txt to .gitignore as a defense-in-depth measure regardless.
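The two file-related recommendations above (a 0o600 temp file that is removed on exit, and redaction of the user:pass@ portion before anything is logged) can be shown together. The following is an added example written for this issue, not code from user_scanner; set_proxy_manager and ProxyManager are the project's names and are deliberately not touched here. The sample proxy entries are constructed, and private_proxy_file is a hypothetical helper that stands in for the on-disk round-trip the issue describes.

```python
import os
import stat
import tempfile
from contextlib import contextmanager
from urllib.parse import urlsplit, urlunsplit


def redact_proxy_url(proxy: str) -> str:
    """Return the proxy entry with any user:pass@ portion replaced by ***@.

    Entries without credentials (with or without an explicit scheme) are
    returned unchanged, so this is safe to apply to every line before logging.
    """
    has_scheme = "://" in proxy
    # urlsplit only parses a netloc after "//", so prefix scheme-less entries.
    parts = urlsplit(proxy if has_scheme else "//" + proxy)
    if parts.username is None and parts.password is None:
        return proxy
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal: hostname strips the brackets, put them back
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    redacted = urlunsplit((parts.scheme, f"***@{host}", parts.path, parts.query, parts.fragment))
    # urlunsplit emits a leading "//" for a scheme-less netloc; drop it again.
    return redacted if has_scheme else redacted[2:]


@contextmanager
def private_proxy_file(proxies):
    """Write proxies to a 0o600 file in the user's temp dir and unlink it on exit.

    tempfile.mkstemp already creates the file with mode 0o600 on POSIX; the
    explicit chmod documents the requirement. The finally block guarantees
    cleanup even if the caller raises while the file is in use.
    """
    fd, path = tempfile.mkstemp(prefix="validated-proxies-", suffix=".txt")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            for proxy in proxies:
                f.write(proxy + "\n")
        os.chmod(path, 0o600)
        yield path
    finally:
        try:
            os.unlink(path)
        except FileNotFoundError:
            pass


def demo():
    """Round-trip constructed proxy entries and report what a caller would observe."""
    proxies = [  # constructed sample input, not real proxies
        "http://alice:s3cret@10.0.0.5:3128",
        "socks5://bob:pw@proxy.example:1080",
        "10.0.0.6:8080",
    ]
    redacted = [redact_proxy_url(p) for p in proxies]
    with private_proxy_file(proxies) as path:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path, encoding="utf-8") as f:
            lines = f.read().splitlines()
    return {
        "redacted": redacted,
        "mode": mode,
        "lines": lines,
        "removed": not os.path.exists(path),
    }


if __name__ == "__main__":
    result = demo()
    for line in result["redacted"]:
        print(line)  # safe to log: credentials are already redacted
    print(f"mode={oct(result['mode'])} removed={result['removed']}")
```

Redaction is done on the parsed URL rather than with a regular expression so that a password containing "@" or ":" is still removed whole; the unredacted list only ever exists in memory and in the short-lived 0o600 file.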

Acceptance criteria

  • Running --validate-proxies with credentialed proxies does not leave a world-readable plaintext credential file in the CWD.
  • Any temporary proxy file is created with 0o600 and removed before exit.
  • .gitignore covers the proxy artifact.

Suggested labels

bug

Severity

Medium-Low — local/secondary exposure of proxy credentials; impact depends on whether proxies are credentialed and the host is shared, but it is a silent, persistent plaintext secret write.

Priority

P2

Confidence

Confirmed — the write to validated_proxies.txt in CWD with no cleanup and no permission hardening is present in __main__.py, and credentialed schemes are preserved by ProxyManager.

Metadata

Assignees

Labels

No labels

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests