From f6c8dfc9514e9f6dd9a5ad9b7f6c6f33029d14bc Mon Sep 17 00:00:00 2001
From: Claude
Date: Fri, 17 Apr 2026 16:28:20 +0000
Subject: [PATCH] fix(cli): create task-edit scratch file with mode 0600 on unix onyx task edit wrote the task body to /tmp/onyx-.md with the default umask, leaving it world-readable on shared multi-user systems for the duration of the editor session. Open with O_CREAT|O_TRUNC + mode 0600 via OpenOptionsExt on unix; Windows keeps the existing behaviour since unix-style mode bits don't apply.
---
 crates/onyx-cli/src/commands/task.rs | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/crates/onyx-cli/src/commands/task.rs b/crates/onyx-cli/src/commands/task.rs
index 00471de..0bfd58c 100644
--- a/crates/onyx-cli/src/commands/task.rs
+++ b/crates/onyx-cli/src/commands/task.rs
@@ -119,13 +119,26 @@ pub fn edit(task_id_str: String, workspace: Option) -> Result<()> {
 let (list_id, task) = find_task(&lists, task_id)
 .ok_or_else(|| anyhow::anyhow!("Task not found: {}", task_id_str))?;
- // Create temporary file with task content
+ // Create temporary file with task content. On Unix, open with 0600 so
+ // other local users on a shared system can't read the task body off /tmp
+ // while the editor is running.
 let temp_dir = std::env::temp_dir();
 let temp_file = temp_dir.join(format!("onyx-{}.md", task.id));
- // Write current task content to temp file
 let content = format!("# {}\n\n{}", task.title, task.description);
- std::fs::write(&temp_file, content)?;
+ {
+ use std::io::Write;
+ let mut opts = std::fs::OpenOptions::new();
+ opts.write(true).create(true).truncate(true);
+ #[cfg(unix)]
+ {
+ use std::os::unix::fs::OpenOptionsExt;
+ opts.mode(0o600);
+ }
+ let mut f = opts.open(&temp_file)
+ .with_context(|| format!("Failed to create {}", temp_file.display()))?;
+ f.write_all(content.as_bytes())?;
+ }
 // Get editor from environment
 let editor = std::env::var("EDITOR").unwrap_or_else(|_| {
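Review bot: `opts.mode(0o600)` only takes effect when the open actually creates the file, so with `opts.write(true).create(true).truncate(true);` anything already present at the predictable `onyx-{}.md` path in the shared temp dir keeps its existing owner and permissions, and a symlink at that path is followed and its target truncated. Opening exclusively closes both cases: replace that line with `opts.write(true).create_new(true);`, which makes the open fail if the path already exists. That leaves a decision for a stale file left by an earlier session (for example surfacing the error with the path so the user can remove it), or moving the scratch file to an unpredictable name inside a per-user directory. The body of `edit` continues past the hunk, so whether the file is deleted after the editor exits is not visible here.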