Harden autobrowse: restrict trace artifacts to owner-only permissions #139
Merged
Autobrowse trace artifacts (trace.json, messages.json, summary.md, and screenshots) can contain cookies, auth headers, bearer tokens, passwords from form POSTs, private URLs, and screenshots of authenticated pages. Previously these were written with fs.writeFileSync / fs.mkdirSync using default permissions, which inherit the process umask (typically 0644 files / 0755 dirs). On a shared host -- CI runners, shared dev boxes, or multi-tenant containers -- that leaves the trace tree readable by other local users and processes.
This restricts trace artifacts to the owner:
- run dir + screenshots/ created with mode 0700; the run dir is also chmod'd explicitly since mkdirSync's mode only applies to dirs it creates (a pre-existing parent could otherwise stay traversable).
- trace.json / messages.json / summary.md written with mode 0600.
- lockDownTrace() sweeps the run dir at the end to cover files written by subprocesses (screenshots from the browse CLI, .o11y artifacts) whose creation mode we don't control. Symlinks (the `latest` link) are skipped.
0700/0600 are unaffected by the process umask, so the result is consistent regardless of host configuration. The owner -- the same user the self-improvement loop runs as -- retains full read/write, so the loop is unaffected; only cross-user access is removed.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
shrey150 approved these changes Jun 25, 2026
What
Autobrowse writes trace artifacts (trace.json, messages.json, summary.md, and screenshots/) for each run. These can contain sensitive material captured during an authenticated browsing session: session cookies, Authorization/bearer tokens, passwords from form POSTs, private URLs with embedded tokens, and screenshots of logged-in pages.
These files were written with default fs.writeFileSync / fs.mkdirSync permissions, which inherit the process umask — typically 0644 for files and 0755 for directories. That makes the whole trace tree readable by other local users and processes.
What we're preventing against
On a shared filesystem, anything with a different UID on the same host could read the trace contents:
In those environments, world-readable traces mean another party could lift live session tokens, credentials, and screenshots of authenticated pages belonging to whatever the bot logged into.
Change
Restrict trace artifacts to the owner:
- screenshots/ created with mode 0700; the run dir is also chmod'd explicitly, since mkdirSync's mode only applies to directories it actually creates (a pre-existing parent could otherwise remain traversable).
- trace.json / messages.json / summary.md written with mode 0600.
- lockDownTrace() sweeps the run dir at the end to cover files written by subprocesses (screenshots from the browse CLI, .o11y artifacts) whose creation mode we don't control. The latest symlink is skipped.
0700/0600 are not widened by the process umask, so behavior is consistent across hosts.
Impact on the loop: none
The owner — the same user the self-improvement loop runs as — keeps full read/write. The inner agent writing traces, the outer loop reading them to update strategy.md, the latest symlink, and multi-iteration runs all work unchanged. Only cross-user access is removed.
Verification
Tested the write/read sequence + the lockdown sweep against a reproduced trace tree:
- umask 022 and umask 000, all artifacts (including the subprocess-written screenshot) end up 0700/0600; no group/other-readable paths remain.
- trace.json re-read/rewrite mid-run, traversing + listing the run and screenshots/ dirs, reading every artifact, reading through the latest symlink, and getNextRunNumber advancing run-001 → run-002.
🤖 Generated with Claude Code
Note
Low Risk
Filesystem permission hardening only; same-user read/write for the autobrowse loop is unchanged, with no auth or runtime logic changes.
Overview
Hardens trace output permissions in evaluate.mjs so run artifacts (JSON traces, messages, summaries, screenshots) are only readable by the owning user.
Run directories and screenshots/ are created with mode 0700, with an explicit chmod on the run dir when a parent already existed with looser perms.
trace.json, messages.json, and summary.md are written with 0600, including incremental trace.json updates mid-run.
A new lockDownTrace() recursively applies 0700/0600 under the run directory after the run finishes, covering files from subprocesses (e.g. browse screenshots, .o11y) whose modes aren't controlled at write time. Symlinks (including latest) are skipped.
Reviewed by Cursor Bugbot for commit ab767a6. Bugbot is set up for automated code reviews on this repo.
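The permission scheme this PR describes, as an added example that is not the code from evaluate.mjs: owner-only directories and files, a final sweep that skips symlinks, and a check that no group/other bits remain. It assumes Node.js (CommonJS) on a POSIX host; createRunDir, writeArtifact, lockDown, findExposed and the demo tree are hypothetical names and constructed data, and the chmod after each write is an extra step for files that already exist.

```javascript
// Added example; helper names are hypothetical, not taken from evaluate.mjs.
const fs = require("node:fs"), os = require("node:os"), path = require("node:path");
const DIR_MODE = 0o700, FILE_MODE = 0o600; // owner-only
// mkdirSync's mode is used only for directories it creates, so chmod explicitly too.
function createRunDir(runDir) {
  const shots = path.join(runDir, "screenshots");
  fs.mkdirSync(shots, { recursive: true, mode: DIR_MODE });
  for (const d of [runDir, shots]) fs.chmodSync(d, DIR_MODE);
}
// writeFileSync's mode applies only on creation; chmod covers rewrites of existing files.
function writeArtifact(file, data) {
  fs.writeFileSync(file, data, { mode: FILE_MODE });
  fs.chmodSync(file, FILE_MODE);
}
// Sweep for subprocess-written files; skip symlinks, since chmod would follow them.
function lockDown(dir) {
  fs.chmodSync(dir, DIR_MODE);
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const p = path.join(dir, entry.name);
    if (entry.isSymbolicLink()) continue;
    if (entry.isDirectory()) lockDown(p);
    else if (entry.isFile()) fs.chmodSync(p, FILE_MODE);
  }
}
// Paths under root that still grant any group/other permission bit.
function findExposed(root, out = []) {
  const st = fs.lstatSync(root);
  if (st.isSymbolicLink()) return out;
  if (st.mode & 0o077) out.push(root);
  if (st.isDirectory()) for (const n of fs.readdirSync(root)) findExposed(path.join(root, n), out);
  return out;
}
// Constructed demo: pre-existing 0755 run dir, a 0644 subprocess-style file, a symlink.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "trace-demo-"));
  const run = path.join(base, "run-001"), outside = path.join(base, "outside.txt");
  const shot = path.join(run, "screenshots", "step-1.png");
  fs.mkdirSync(run); fs.chmodSync(run, 0o755);
  fs.writeFileSync(outside, "constructed"); fs.chmodSync(outside, 0o644);
  createRunDir(run);
  writeArtifact(path.join(run, "trace.json"), "{}");
  fs.writeFileSync(shot, "constructed"); fs.chmodSync(shot, 0o644);
  fs.symlinkSync(outside, path.join(run, "link"));
  const before = findExposed(run);
  lockDown(run);
  const out = { before, after: findExposed(run), linkTargetMode: fs.statSync(outside).mode & 0o777 };
  fs.rmSync(base, { recursive: true, force: true });
  return out;
}
```

Calling demo() returns the paths that were exposed before and after the sweep, plus the mode of the symlink's target, which the sweep leaves untouched.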