Summary
turso-cli persists the user's Turso platform JWT to settings.json using
Viper's default configPermissions of 0o644, leaving the credential file
world-readable on standard Linux and macOS systems. Any other local UID on
the host can read the file and recover the platform JWT, which grants full
Turso platform access scoped to the user's organizations.
Impact
The token in settings.json grants the holder full Turso platform access —
create or destroy databases, rotate credentials, exfiltrate data, change
billing settings — for any organization the user belongs to.
Because the file is world-readable, the credential is reachable by:
- Cron jobs or daemons running as a different system user on the same host
- Sandboxed CI runners with a mounted home directory
- Containers with a bind-mounted host home
- Co-tenants on a shared multi-user developer or jumpbox host
The file path resolves through configdir.LocalConfig("turso"):
- macOS:
~/Library/Application Support/turso/settings.json
- Linux:
~/.config/turso/settings.json (or $XDG_CONFIG_HOME/turso/settings.json)
It contains the platform JWT in plaintext JSON alongside organization and
username fields.
Comparable CLIs (gh, aws, docker, gcloud, plus close peers
planetscale, neon, upstash) write credential files at 0o600
explicitly, so this is a deviation from the cross-vendor baseline rather
than a deliberate trade-off.
Details
The OAuth callback handler stores the platform JWT via the settings layer:
// internal/cmd/auth.go:205-214
jwt, err := callbackServer.Result()
...
settings.SetToken(jwt)
SetToken writes through Viper:
// internal/settings/settings.go:124-127
func (s *Settings) SetToken(token string) {
viper.Set("token", token)
s.changed = true
}Persistence runs through viper.WriteConfig:
// internal/settings/settings.go:96-101
func TryToPersistChanges() error {
if err := viper.WriteConfig(); err != nil {
return fmt.Errorf("failed to persist turso settings file: %w", err)
}
return nil
}Viper v1.21.0 (pinned in turso-cli go.mod) initializes
configPermissions to os.FileMode(0o644) at viper.go:198 and passes
that mode straight to os.OpenFile at viper.go:1688. Without a call to
viper.SetConfigPermissions(0o600), the resulting settings.json is
created at 0o644.
A grep over the auth-config write path under internal/ returns zero
hits for Chmod, 0o600, or 0600, confirming there is no follow-up
tightening of the file mode anywhere on the persistence path.
Proof of concept
Minimal reproducer using the same Viper version turso-cli pins
(github.com/spf13/viper v1.21.0):
package main
import (
"fmt"
"os"
"path/filepath"
"github.com/spf13/viper"
)
func main() {
dir, _ := os.MkdirTemp("", "viperpoc-*")
defer os.RemoveAll(dir)
viper.SetConfigName("settings")
viper.SetConfigType("json")
viper.AddConfigPath(dir)
viper.Set("token", "FAKE_TURSO_JWT_xxxxxxxxxxxxxxxxxxxx")
viper.Set("organization", "exampleorg")
viper.SafeWriteConfig()
st, _ := os.Stat(filepath.Join(dir, "settings.json"))
fmt.Printf("mode: %o\n", st.Mode()&0o777)
}$ go run main.go
mode: 644
The same SafeWriteConfig / WriteConfig calls turso-cli uses produce
the same 0o644 mode in a real turso auth login flow.
Remediation
One-line fix at the existing Viper configuration site in
internal/settings/settings.go (around lines 48-50):
viper.SetConfigName("settings")
viper.SetConfigType("json")
viper.AddConfigPath(configPath)
viper.SetConfigPermissions(0o600) // restrict settings.json to owner onlyDefense in depth:
- Add
os.Chmod(configFile, 0o600) after TryToPersistChanges, or on read
(as PlanetScale does in internal/config/config.go — they Stat the
token file and self-heal if Mode() &^ 0o600 is nonzero).
viper.SetConfigPermissions applies only on file creation, so an existing
wider-mode file is not tightened otherwise.
- Add
os.Chmod(configPath, 0o700) after configdir.MakePath(configPath)
(line 43) to close the equivalent gap on the enclosing directory, which is
otherwise created under the default umask.
Patch: ffb9148
Workarounds
Until upgraded, users can tighten the existing files manually:
# Linux
chmod 600 ~/.config/turso/settings.json
chmod 700 ~/.config/turso
# macOS
chmod 600 "$HOME/Library/Application Support/turso/settings.json"
chmod 700 "$HOME/Library/Application Support/turso"
This must be repeated after any operation that recreates the file (e.g.
turso auth login) until the patched version is installed.
References
Summary
turso-clipersists the user's Turso platform JWT tosettings.jsonusingViper's default
configPermissionsof0o644, leaving the credential fileworld-readable on standard Linux and macOS systems. Any other local UID on
the host can read the file and recover the platform JWT, which grants full
Turso platform access scoped to the user's organizations.
Impact
The token in
settings.jsongrants the holder full Turso platform access —create or destroy databases, rotate credentials, exfiltrate data, change
billing settings — for any organization the user belongs to.
Because the file is world-readable, the credential is reachable by:
The file path resolves through
configdir.LocalConfig("turso"):~/Library/Application Support/turso/settings.json~/.config/turso/settings.json(or$XDG_CONFIG_HOME/turso/settings.json)It contains the platform JWT in plaintext JSON alongside
organizationandusernamefields.Comparable CLIs (
gh,aws,docker,gcloud, plus close peersplanetscale,neon,upstash) write credential files at0o600explicitly, so this is a deviation from the cross-vendor baseline rather
than a deliberate trade-off.
Details
The OAuth callback handler stores the platform JWT via the settings layer:
SetTokenwrites through Viper:Persistence runs through
viper.WriteConfig:Viper v1.21.0 (pinned in
turso-cligo.mod) initializesconfigPermissionstoos.FileMode(0o644)atviper.go:198and passesthat mode straight to
os.OpenFileatviper.go:1688. Without a call toviper.SetConfigPermissions(0o600), the resultingsettings.jsoniscreated at
0o644.A
grepover the auth-config write path underinternal/returns zerohits for
Chmod,0o600, or0600, confirming there is no follow-uptightening of the file mode anywhere on the persistence path.
Proof of concept
Minimal reproducer using the same Viper version
turso-clipins(
github.com/spf13/viper v1.21.0):$ go run main.go
mode: 644
The same
SafeWriteConfig/WriteConfigcallsturso-cliuses producethe same
0o644mode in a realturso auth loginflow.Remediation
One-line fix at the existing Viper configuration site in
internal/settings/settings.go(around lines 48-50):Defense in depth:
os.Chmod(configFile, 0o600)afterTryToPersistChanges, or on read(as PlanetScale does in
internal/config/config.go— theyStatthetoken file and self-heal if
Mode() &^ 0o600is nonzero).viper.SetConfigPermissionsapplies only on file creation, so an existingwider-mode file is not tightened otherwise.
os.Chmod(configPath, 0o700)afterconfigdir.MakePath(configPath)(line 43) to close the equivalent gap on the enclosing directory, which is
otherwise created under the default umask.
Patch: ffb9148
Workarounds
Until upgraded, users can tighten the existing files manually:
This must be repeated after any operation that recreates the file (e.g.
turso auth login) until the patched version is installed.References
configPermissionsdefault: https://github.com/spf13/viper/blob/v1.21.0/viper.go#L198