fix: atomic symlink replacement in cert client #34

Merged

heiko merged 1 commit from fix/23-atomic-symlink-replace into master 2026-05-18 10:07:29 +02:00

Conversation 1 Commits 1 Files changed 2 +46 -2

heiko commented 2026-05-17 23:17:41 +02:00

Owner

Copy link

Fixes #23.

Summary

• Replace os.Remove+os.Symlink with a tmp-symlink+rename pattern in the cert client
• Eliminates the TOCTOU window where a local attacker with write access to certbase could race the Remove/Symlink gap to redirect private-key writes
• Extract replaceSymlink helper for clarity and testability

Test plan

• TestReplaceSymlink_Fresh passes (symlink created when absent)
• TestReplaceSymlink_ExistingSymlink passes (symlink atomically replaced)
• TestExecute_Symlink still passes (existing integration test)
• golangci-lint clean

Fixes #23. ## Summary - Replace os.Remove+os.Symlink with a tmp-symlink+rename pattern in the cert client - Eliminates the TOCTOU window where a local attacker with write access to certbase could race the Remove/Symlink gap to redirect private-key writes - Extract replaceSymlink helper for clarity and testability ## Test plan - [x] TestReplaceSymlink_Fresh passes (symlink created when absent) - [x] TestReplaceSymlink_ExistingSymlink passes (symlink atomically replaced) - [x] TestExecute_Symlink still passes (existing integration test) - [x] golangci-lint clean

heiko added 1 commit 2026-05-17 23:17:41 +02:00

fix: atomic symlink replacement in cert client ... 124eae7947

Use a tmp symlink + rename to avoid the TOCTOU window between
os.Remove and os.Symlink, where a local attacker with write access
to certbase could redirect the next private-key write.

Fixes #23.

ius:ai:claude-sonnet-4-6

heiko commented 2026-05-18 10:07:10 +02:00

Author

Owner

Copy link

Correct fix. rename(2) is atomic on POSIX so readers never see a missing symlink.

Minor (non-blocker): assert.NoFileExists(t, name+".tmp") would replace the manual Lstat+IsNotExist check in both tests.

Correct fix. `rename(2)` is atomic on POSIX so readers never see a missing symlink. Minor (non-blocker): `assert.NoFileExists(t, name+".tmp")` would replace the manual Lstat+IsNotExist check in both tests.

heiko merged commit 8e67aa9e37 into master 2026-05-18 10:07:29 +02:00

heiko referenced this pull request from a commit 2026-05-18 10:07:31 +02:00

fix: atomic symlink replacement in cert client (#34)

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

bug

Something is not working

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

help wanted

Need some help

  

invalid

Something is wrong

  

mod-nag

Automated dependency scan finding

  

mod-nag

Automated dependency scan finding

  

mod-nag

Automated dependency scan finding

  

mod-nag/ignore

Ignore this mod-nag finding

  

mod-nag/ignore

Ignore this mod-nag finding

  

mod-nag/ignore

Ignore this mod-nag finding

  

nagonag

Automated dependency scan finding

  

nagonag/ignore

Ignore this nagonag finding

  

question

More information is needed

  

security

Security vulnerability or hardening

  

wontfix

This won't be fixed

No labels

bug

duplicate

enhancement

help wanted

invalid

mod-nag

mod-nag

mod-nag

mod-nag/ignore

mod-nag/ignore

mod-nag/ignore

nagonag

nagonag/ignore

question

security

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

heiko/cert-proxy!34

No description provided.