Summary
The --validate-proxies flow writes the working-proxy list to a fixed file named validated_proxies.txt in the current working directory, with default permissions, and never removes it. Proxy entries commonly embed credentials (scheme://user:pass@host:port), so this silently persists proxy credentials in plaintext to whatever directory the operator happened to run the tool from, and is easy to commit accidentally.
Evidence
- user_scanner/__main__.py:208-214

      temp_proxy_file = "validated_proxies.txt"
      with open(temp_proxy_file, "w", encoding="utf-8") as f:
          for proxy in working_proxies:
              f.write(proxy + "\n")
      set_proxy_manager(temp_proxy_file)

- user_scanner/core/helpers.py:158-169 — ProxyManager._load_proxies preserves explicit schemes, i.e. credentialed proxy URLs (http://user:pass@host) are loaded and therefore written back out verbatim.
- .gitignore ignores result.json and *.csv but not validated_proxies.txt, so the credential file is not protected from accidental commit.
Why this matters
- The file is created in the CWD (not a per-user temp dir), with no 0600 restriction, so on shared/multi-user hosts other users may read the operator's proxy credentials.
- The name is fixed and the file is never deleted, so it lingers after the run and can be picked up by backups, sync tools, or "git add .".
- Proxy credentials often gate paid/residential proxy pools — leaking them has direct financial and operational-security impact.
Attack or failure scenario
- Operator runs --proxy-file proxies.txt --validate-proxies where proxies.txt contains credentialed entries.
- validated_proxies.txt is written to the CWD (e.g. a cloned repo working tree) world-readable and left there.
- Another local user reads it, or the operator later runs git add . && git commit and pushes the credentials.
Root cause
A temporary artifact containing secrets is written to a predictable, non-temp, non-restricted location and treated as disposable scratch state without lifecycle management.
Recommended fix
- Avoid the on-disk round-trip entirely: pass the validated in-memory proxy list to set_proxy_manager (or a variant that accepts a list) instead of writing a file.
- If a file is required, use tempfile.NamedTemporaryFile (or the user state/cache dir), set mode 0o600, and delete it on exit.
- Never log or persist the credential portion of proxy URLs; redact user:pass@ in any output.
- Add validated_proxies.txt to .gitignore as a defense-in-depth measure regardless.
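
A sketch of the file-based variant of this fix, added here as an example and not taken from the user_scanner code base. The helper names private_proxy_file, redact_proxy and file_mode are hypothetical, the sample proxies are constructed, and tempfile.mkstemp is used in place of NamedTemporaryFile because it hands back a path that stays valid until the explicit unlink.

```python
import contextlib
import os
import stat
import tempfile
from urllib.parse import urlsplit, urlunsplit


def redact_proxy(url):
    """Replace the user:pass@ part of a proxy URL with ***@ for logs/output."""
    has_scheme = "://" in url
    parts = urlsplit(url if has_scheme else "//" + url)
    _userinfo, at, hostport = parts.netloc.rpartition("@")
    if not at:
        return url  # no credentials embedded
    redacted = urlunsplit(parts._replace(netloc="***@" + hostport))
    return redacted if has_scheme else redacted[2:]


@contextlib.contextmanager
def private_proxy_file(proxies):
    """Yield the path of an owner-only temp file of proxies; delete it on exit."""
    # mkstemp creates the file exclusively, mode 0o600, under an unpredictable
    # name in the temp dir rather than a fixed name in the CWD.
    fd, path = tempfile.mkstemp(prefix="validated_proxies_", suffix=".txt")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.writelines(proxy + "\n" for proxy in proxies)
        yield path
    finally:
        with contextlib.suppress(FileNotFoundError):
            os.unlink(path)


def file_mode(path):
    """Permission bits of path, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    # Constructed sample entries, not real proxies.
    working_proxies = ["http://user:pass@198.51.100.7:8080", "198.51.100.8:3128"]
    with private_proxy_file(working_proxies) as path:
        # The project's set_proxy_manager(path) would be called here.
        print(oct(file_mode(path)), [redact_proxy(p) for p in working_proxies])
    print("still on disk:", os.path.exists(path))
```

The cleanup runs on normal exit and on exceptions inside the with block; it does not cover a process killed by SIGKILL, which is one more reason to prefer the in-memory option.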
Acceptance criteria
- Running --validate-proxies with credentialed proxies does not leave a world-readable plaintext credential file in the CWD.
- Any temporary proxy file is created with 0o600 and removed before exit.
- .gitignore covers the proxy artifact.
Suggested labels
bug
Severity
Medium-Low — local/secondary exposure of proxy credentials; impact depends on whether proxies are credentialed and the host is shared, but it is a silent, persistent plaintext secret write.
Priority
P2
Confidence
Confirmed — the write to validated_proxies.txt in CWD with no cleanup and no permission hardening is present in __main__.py, and credentialed schemes are preserved by ProxyManager.