CodeQL has a Python rule with ID `py/overly-permissive-file` which flags several chmod/open calls in the node-gyp Python code. I would like to confirm that these operations are intentionally more permissive and safe to suppress.

### Flagged locations
| File | Line | Code | CodeQL concern |
|---|---|---|---|
| gyp/pylib/gyp/common.py | 561 | `os.chmod(tool_path, 0o755)` | World readable |
| gyp/pylib/gyp/flock_tool.py | 43 | `os.open(lockfile, ..., 0o666)` | World readable/writable |
| gyp/pylib/gyp/mac_tool.py | 250 | `os.open(lockfile, ..., 0o666)` | World readable/writable |
- `0o755` on common.py:561 is set because you are unsure whether all build processes are run with the same user
- `0o666` on lock files in flock_tool.py and mac_tool.py is intentional, with umask expected to restrict actual permissions
Could you confirm these permissions are intentional and by design?
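The umask argument above can be checked directly. The script below is an added example, not node-gyp code: it creates files under a chosen umask in a temporary directory (the `lockfile` and `tool` names are constructed stand-ins for the gyp paths) and reports the mode the kernel actually stores, showing that the mode passed to `os.open(..., O_CREAT)` is masked, that `os.chmod()` is not, and that a pre-existing lock file keeps whatever mode it already had.

```python
import os
import stat
import tempfile


def _with_umask(umask, fn):
    """Run fn(tmpdir) with the process umask temporarily set to `umask`."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            return fn(tmp)
    finally:
        os.umask(old)


def create_mode(requested, umask):
    """Mode stored for a file newly created via os.open(..., O_CREAT, requested).
    The kernel applies requested & ~umask, so 0o666 under umask 0o022 -> 0o644."""
    def run(tmp):
        path = os.path.join(tmp, "lockfile")  # constructed stand-in for the gyp lock file
        fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, requested)
        os.close(fd)
        return stat.S_IMODE(os.stat(path).st_mode)
    return _with_umask(umask, run)


def chmod_mode(requested, umask):
    """Mode stored after os.chmod(path, requested): chmod ignores umask entirely,
    so the 0o755 in common.py lands as written regardless of the caller's umask."""
    def run(tmp):
        path = os.path.join(tmp, "tool")  # constructed stand-in for tool_path
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, requested)
        return stat.S_IMODE(os.stat(path).st_mode)
    return _with_umask(umask, run)


def reopen_mode(existing, requested, umask):
    """Mode of a file that already exists when os.open(..., O_CREAT, requested)
    runs: O_CREAT's mode is only used at creation, so the old mode is kept."""
    def run(tmp):
        path = os.path.join(tmp, "lockfile")
        os.close(os.open(path, os.O_CREAT | os.O_WRONLY, existing))
        os.chmod(path, existing)  # pin the pre-existing mode independent of umask
        os.close(os.open(path, os.O_CREAT | os.O_WRONLY, requested))
        return stat.S_IMODE(os.stat(path).st_mode)
    return _with_umask(umask, run)


if __name__ == "__main__":
    for um in (0o022, 0o077):
        print(f"umask {um:04o}: open(0o666) -> {create_mode(0o666, um):04o}, "
              f"chmod(0o755) -> {chmod_mode(0o755, um):04o}")
```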