prevent execute permissions from being set

spencerugbo · spencerugbo · commit ec68e52923ac · 2025-09-19T17:45:30.000+01:00
diff --git a/internal/file/file_manager_service.go b/internal/file/file_manager_service.go
@@ -13,6 +13,8 @@ import (
 	"fmt"
 	"log/slog"
 	"os"
+	"strconv"
+	"strings"
 	"sync"
 
 	"google.golang.org/grpc"
@@ -152,6 +154,11 @@ func (fms *FileManagerService) ConfigApply(ctx context.Context,
 		return model.Error, allowedErr
 	}
 
+	permissionErr := fms.validateAndFixPermissions(ctx, fileOverview.GetFiles())
+	if permissionErr != nil {
+		return model.PermissionChange, permissionErr
+	}
+
 	diffFiles, fileContent, compareErr := fms.DetermineFileActions(
 		ctx,
 		fms.currentFilesOnDisk,
@@ -518,6 +525,58 @@ func (fms *FileManagerService) checkAllowedDirectory(checkFiles []*mpi.File) err
 	return nil
 }
 
+func (fms *FileManagerService) validateAndFixPermissions(ctx context.Context, fileList []*mpi.File) error {
+	var permissionIssues []string
+
+	for _, file := range fileList {
+		if err := fms.checkFilePermissions(file); err != nil {
+			permissionIssues = append(permissionIssues, file.GetFileMeta().GetName())
+
+			if resetErr := fms.resetFilePermissions(file); resetErr != nil {
+				return fmt.Errorf("failed to reset permissions for %s: %w", file.GetFileMeta().GetName(), resetErr)
+			}
+
+			slog.InfoContext(ctx, "Reset execute permissions", "file", file.GetFileMeta().GetName())
+		}
+	}
+
+	if len(permissionIssues) > 0 {
+		return fmt.Errorf("reset execute permissions for files: %s", strings.Join(permissionIssues, ", "))
+	}
+
+	return nil
+}
+
+func (fms *FileManagerService) checkFilePermissions(file *mpi.File) error {
+	filePermission := file.GetFileMeta().GetPermissions()
+
+	permissionCodes := filePermission[1:]
+
+	for _, digit := range permissionCodes {
+		singleCode := digit - '0'
+
+		if singleCode&1 != 0 {
+			return fmt.Errorf("file %s has execute permissions", file.GetFileMeta().GetName())
+		}
+	}
+
+	return nil
+}
+
+func (fms *FileManagerService) resetFilePermissions(file *mpi.File) error {
+	perm, err := strconv.ParseUint("0644", 8, 32)
+	if err != nil {
+		return fmt.Errorf("error parsing file permissions: %w", err)
+	}
+
+	err = os.Chmod(file.GetFileMeta().GetName(), os.FileMode(perm))
+	if err != nil {
+		return fmt.Errorf("failed to set file permissions: %w", err)
+	}
+
+	return nil
+}
+
 func (fms *FileManagerService) convertToManifestFileMap(
 	currentFiles map[string]*mpi.File,
 	referenced bool,
diff --git a/internal/file/file_plugin.go b/internal/file/file_plugin.go
@@ -347,6 +347,26 @@ func (fp *FilePlugin) handleConfigApplyRequest(ctx context.Context, msg *bus.Mes
 		}
 
 		fp.messagePipe.Process(ctx, &bus.Message{Topic: bus.WriteConfigSuccessfulTopic, Data: data})
+	case model.PermissionChange:
+		slog.WarnContext(ctx, "Files with execute permissions found and reset",
+			"details", err.Error())
+		dpResponse := fp.createDataPlaneResponse(
+			correlationID,
+			mpi.CommandResponse_COMMAND_STATUS_OK,
+			"Config apply successful, files updated with permission changes",
+			instanceID,
+			"",
+		)
+
+		successMessage := &model.ConfigApplySuccess{
+			ConfigContext:     &model.NginxConfigContext{},
+			DataPlaneResponse: dpResponse,
+		}
+
+		fp.fileManagerService.ClearCache()
+		fp.messagePipe.Process(ctx, &bus.Message{Topic: bus.ConfigApplySuccessfulTopic, Data: successMessage})
+
+		return
 	}
 }
 
diff --git a/internal/model/config.go b/internal/model/config.go
@@ -75,6 +75,7 @@ const (
 	NoChange
 	Error
 	OK
+	PermissionChange = 5
 )
 
 type ConfigApplySuccess struct {

Original file line number	Diff line number	Diff line change
`@@ -75,6 +75,7 @@ const (`
`75`	`75`	`NoChange`
`76`	`76`	`Error`
`77`	`77`	`OK`
	`78`	`+ PermissionChange = 5`
`78`	`79`	`)`
`79`	`80`
`80`	`81`	`type ConfigApplySuccess struct {`