GitHub CodeQL reports for overly permissive file permissions

CodeQL has a Python rule with ID `py/overly-permissive-file` which flags several chmod/open calls in the node-gyp Python code. I would like to confirm that these operations are intentionally more permissive and safe to suppress.

**Flagged locations**

| File | Line | Code | CodeQL concern |
|------|------|------|----------------|
| `gyp/pylib/gyp/common.py` | 561 | `os.chmod(tool_path, 0o755)` | World readable |
| `gyp/pylib/gyp/flock_tool.py` | 43 | `os.open(lockfile, ..., 0o666)` | World readable/writable |
| `gyp/pylib/gyp/mac_tool.py` | 250 | `os.open(lockfile, ..., 0o666)` | World readable/writable |

* `0o755` on `common.py:561` is set because you are unsure whether all build processes are run with the same user 
* `0o666` on lock files in `flock_tool.py` and `mac_tool.py` is intentional, with umask expected to restrict actual permissions

Could you confirm these permissions are intentional and by design?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

GitHub CodeQL reports for overly permissive file permissions #3267

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

File	Line	Code	CodeQL concern
`gyp/pylib/gyp/common.py`	561	`os.chmod(tool_path, 0o755)`	World readable
`gyp/pylib/gyp/flock_tool.py`	43	`os.open(lockfile, ..., 0o666)`	World readable/writable
`gyp/pylib/gyp/mac_tool.py`	250	`os.open(lockfile, ..., 0o666)`	World readable/writable

Uh oh!

GitHub CodeQL reports for overly permissive file permissions #3267

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions