Add SSH Key Permissions Check

[MikeeBuilds]

Extend the existing permissions scanner to check SSH private key files (~/.ssh/id_, ~/.ssh/.pem) for proper 600 permissions. SSH keys with overly permissive permissions are a security risk and ssh clients often refuse to use them.

[gemini-code-assist]

Summary of Changes

Hello @MikeeBuilds, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the existing permissions scanner by adding a critical check for SSH private key file permissions. The new check, CHK-PRM-013, identifies SSH keys with overly permissive settings, which are a significant security vulnerability and can cause SSH clients to refuse their use. The changes include the core scanning logic, comprehensive documentation, and dedicated integration tests to ensure reliability.

Highlights

• New Security Check (CHK-PRM-013): Introduces a new security check to validate SSH private key file permissions, ensuring they are set to a secure 600.
• Comprehensive Key Scanning: The scanner now targets common SSH private key patterns (e.g., ~/.ssh/id_, ~/.ssh/.pem) to identify and report insecure permissions.
• Automated Remediation: Provides an auto-fix command (chmod 600) for identified SSH private keys with overly permissive settings.
• Integration Testing: Adds a new integration test (test_prm_013) to verify the correct functionality of the SSH key permission check and its auto-fix.

Changelog

• references/check-catalog.md
  • Documented the new security check CHK-PRM-013 for SSH private key permissions.
  • Outlined its critical severity, description of the risk, and a chmod 600 remediation with an auto-fix command.
• scripts/helpers/test_integration.sh
  • Added test_prm_013, a new integration test that simulates insecure SSH key permissions for id_test_rsa and test.pem files.
  • Verified that the auto-fix correctly sets their permissions to 600.
  • Included this new test in the overall test suite.
• scripts/scan_permissions.sh
  • Implemented check_ssh_keys, a new function that scans the ~/.ssh directory for id_* and *.pem files.
  • Checks their permissions and reports critical findings if they are not 600.
  • Integrated this function into the main main() execution flow of the script.

Activity

• The pull request was initiated by MikeeBuilds with the clear objective of extending the permissions scanner to include SSH private key files, ensuring they have proper 600 permissions to mitigate security risks and client refusal issues.
• No other specific activity (comments, reviews, etc.) is provided in the context.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces an important security check for SSH private key permissions. While the implementation in scan_permissions.sh and the documentation in check-catalog.md are well-done, a critical security issue was identified: the suggested auto-fix command is vulnerable to command injection due to improper escaping of filenames that might contain single quotes. It is recommended to use printf %q for safe handling of special characters. Additionally, consider improving code quality in scripts/helpers/test_integration.sh by reducing duplication.

[gemini-code-assist]

The auto_fix command and the remediation message are constructed by wrapping the filename $f in single quotes without escaping any single quotes that might be present in the filename itself. If a filename contains a single quote (e.g., id_rsa';touch /tmp/pwned;'), it can break out of the single-quoted string and execute arbitrary commands when the suggested auto_fix is run by a user. This is a command injection vulnerability. While the risk is mitigated by the fact that ~/.ssh is typically only writable by the user, this insecure pattern should be avoided, especially as it is used throughout the script for other directories that might be more accessible.

Suggested change

	"Run: chmod 600 '$f'" \
	"chmod 600 '$f'"
	"Run: $(printf 'chmod 600 %q' "$f")" \
	"$(printf 'chmod 600 %q' "$f")"

[gemini-code-assist]

The new test function test_prm_013 contains repeated logic for handling the two separate test key files. The file creation, permission changes, and verification steps are duplicated. To improve readability and maintainability, this can be refactored to use an array and a loop. This approach makes the test cleaner and easier to extend if you need to add more test cases in the future.

test_prm_013() {
    # Create mock SSH directory
    local ssh_dir="${TEST_DIR}/.ssh"
    mkdir -p "$ssh_dir"

    # Create test SSH private keys
    local test_key="${ssh_dir}/id_test_rsa"
    local test_pem="${ssh_dir}/test.pem"

    cat > "$test_key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
fake key content
-----END RSA PRIVATE KEY-----
EOF

    cat > "$test_pem" <<'EOF'
-----BEGIN PRIVATE KEY-----
fake pem content
-----END PRIVATE KEY-----
EOF

    for key_file in "$test_key" "$test_pem"; do
        # Set insecure permissions
        chmod 644 "$key_file"

        # Run the auto-fix command
        chmod 600 "$key_file"

        # Verify permissions were fixed
        local perms
        if [[ "$(uname -s)" == "Darwin" ]]; then
            perms=$(stat -f "%Lp" "$key_file")
        else
            perms=$(stat -c "%a" "$key_file")
        fi

        if [[ "$perms" != "600" ]]; then
            return 1 # Fail test if any key has wrong permissions
        fi
    done
}

[greptile-apps]

Greptile Overview

Greptile Summary

This PR extends the existing permissions scanner to detect SSH private key files under ~/.ssh (id_* and *.pem) that are not mode 600, and adds an auto-fix/remediation message consistent with the existing permissions checks. It also updates the check catalog to document the new check (CHK-PRM-013) and adds integration coverage to ensure the new findings and remediation output are produced as expected.

No new must-fix issues were identified in the latest head SHA beyond the previously discussed auto-fix quoting/safe-exec mismatch thread (already noted in prior review comments).

Confidence Score: 5/5

• This PR is safe to merge with minimal risk.
• Changes are scoped to a new permissions check plus docs/tests, and no new correctness or integration breakages were found in the latest commit beyond an already-discussed pre-existing auto-fix quoting/safe-exec constraint.
• No files require special attention

Important Files Changed

Filename	Overview
references/check-catalog.md	Adds documentation for the new SSH private key permissions check (CHK-PRM-013) and its remediation guidance.
scripts/helpers/test_integration.sh	Extends integration tests to cover the new SSH key permissions check and validates expected findings and remediation output.
scripts/scan_permissions.sh	Adds scanning logic for ~/.ssh/id_* and ~/.ssh/*.pem private keys and enforces 600 permissions; no new verified runtime errors found in this commit.

Sequence Diagram

sequenceDiagram
  participant U as User/Shell
  participant SP as scan_permissions.sh
  participant FS as Filesystem (~/.ssh)
  participant R as Report/Output

  U->>SP: Run permissions scan
  SP->>FS: Enumerate candidate key files (id_*, *.pem)
  FS-->>SP: Return existing file paths
  SP->>FS: Read file modes (stat)
  FS-->>SP: Return mode bits
  alt mode != 600
    SP->>R: Emit finding (CHK-PRM-013) + remediation/auto-fix
  else mode == 600
    SP->>R: No finding for file
  end
  R-->>U: Display results

Loading

[greptile-apps]

_{3 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

auto-fix command contains single quotes around $f which will be rejected by safe_exec_command() whitelist (pattern: ^chmod [0-7]{3,4} [a-zA-Z0-9/._-]+$ doesn't allow quotes). This is a pre-existing issue affecting all chmod-based auto-fixes in the codebase. Consider either:

1. removing quotes: "chmod 600 $f" (works for paths without spaces)
2. updating safe_exec whitelist to support quoted paths

Suggested change

	"chmod 600 '$f'"
	"chmod 600 $f"

Prompt To Fix With AI

This is a comment left during a code review.
Path: scripts/scan_permissions.sh
Line: 677:677

Comment:
auto-fix command contains single quotes around `$f` which will be rejected by `safe_exec_command()` whitelist (pattern: `^chmod [0-7]{3,4} [a-zA-Z0-9/._-]+$` doesn't allow quotes). This is a pre-existing issue affecting all chmod-based auto-fixes in the codebase. Consider either:
1. removing quotes: `"chmod 600 $f"` (works for paths without spaces)
2. updating safe_exec whitelist to support quoted paths

```suggestion
        "chmod 600 $f"
```

How can I resolve this? If you propose a fix, please make it concise.

[MikeeBuilds]

All review feedback has been addressed:

• Removed single quotes from auto_fix chmod command — incompatible with safe_exec_command() whitelist pattern
• Refactored test_prm_013() to use a for loop instead of duplicated per-file logic
• Switched to heredocs for test key file creation

@gemini-code-assist @greptile-apps — requesting re-review. Thanks!

[gemini-code-assist]

Code Review

This pull request introduces a new security check for SSH private key permissions, including documentation and an integration test. While the check correctly identifies overly permissive files, a critical command injection vulnerability exists in the auto-fix command generation. This is due to unquoted filenames, which could allow malicious filenames to execute arbitrary commands and also cause the auto-fix to fail for filenames containing spaces.

[gemini-code-assist]

The $f variable in the remediation and auto_fix command strings is not quoted. This creates a critical command injection vulnerability, allowing malicious filenames with shell metacharacters to execute arbitrary commands when the remediation is applied. Furthermore, this omission will cause the auto-fix command to fail for filenames containing spaces. Please ensure $f is properly quoted, consistent with other checks in this file, to prevent both command injection and functional failures.

Suggested change

	"Run: chmod 600 $f" \
	"chmod 600 $f"
	"Run: chmod 600 '$f'" \
	"chmod 600 '$f'"

[MikeeBuilds]

Round 3 review fix applied

Addressed: The $f variable injection vulnerability in scripts/scan_permissions.sh:677.

Approach: Rather than adding single quotes around $f in the auto_fix string (which would break the safe_exec_command() whitelist pattern ^chmod [0-7]{3,4} [a-zA-Z0-9/._-]+$), I added a filename validation guard:

• Before emitting auto_fix, the filename is validated against ^[a-zA-Z0-9/._-]+$ (the same character class used by the safe_exec whitelist)
• Safe filenames (standard SSH key names like id_rsa, id_ed25519, *.pem): auto_fix is emitted as chmod 600 <path>
• Unsafe filenames (containing spaces, quotes, shell metacharacters): the critical finding is still emitted but with an empty auto_fix and a remediation message indicating manual action is needed

This ensures no command injection is possible regardless of filename content, while maintaining compatibility with the existing safe_exec_command() whitelist.

@gemini-code-assist @greptile-apps — requesting re-review.

[gemini-code-assist]

Code Review

This pull request introduces a new security check, CHK-PRM-013, to ensure SSH private keys have the correct 600 permissions. The scanner implementation is robust, including good security practices like validating filenames before generating auto-fix commands. However, a critical command injection vulnerability exists in the remediation message: if a malicious filename (e.g., containing shell metacharacters) is present in the ~/.ssh directory, the generated remediation command, if copy-pasted, could execute arbitrary code. To address this and other areas, suggestions have been provided to safely handle filenames by only offering copy-pasteable commands for validated, safe paths, improve the test's effectiveness, and make the file detection logic more resilient.

[gemini-code-assist]

The remediation message is constructed using double quotes around the filename, which allows for command substitution if the filename contains characters like $(...) or `...`. While there is a regex check to provide a 'clean' command, the fallback message (line 677) is still vulnerable if a user copy-pastes it into their terminal. An attacker who can create a file with a malicious name in the ~/.ssh directory could achieve arbitrary command execution when the user attempts to fix the permissions.

To remediate this, avoid providing a copy-pasteable command for filenames that do not pass the safety check, or use printf %q to safely escape the filename for the shell.

Suggested change

	local auto_fix_cmd="" remediation_msg="Run: chmod 600 \"$f\" (manual)"
	if [[ "$f" =~ ^[a-zA-Z0-9/._-]+$ ]]; then
	auto_fix_cmd="chmod 600 $f"
	remediation_msg="Run: chmod 600 $f"
	fi
	local auto_fix_cmd="" remediation_msg="Manual fix required: chmod 600 [file]"
	if [[ "$f" =~ ^[a-zA-Z0-9/._-]+$ ]]; then
	auto_fix_cmd="chmod 600 $f"
	remediation_msg="Run: chmod 600 $f"
	fi

[gemini-code-assist]

This test verifies that chmod 600 sets permissions correctly, but it doesn't actually test the scanner's detection or auto-fix generation logic. It's more of a unit test for the chmod command than an integration test for the check.

A more effective integration test would:

1. Create a mock key file with incorrect permissions.
2. Execute the scan_permissions.sh script with HOME pointing to a test directory.
3. Capture the JSON output and verify that the correct finding and auto_fix command are generated.

While this test is consistent with the existing style in this file, consider enhancing the test strategy to provide stronger guarantees about the scanner's behavior.

[gemini-code-assist]

The find command uses the case-sensitive -name predicate. This means it won't detect key files with names like id_rsa.PEM or ID_RSA on case-sensitive filesystems (the default on Linux). Using the case-insensitive -iname predicate for both the key files and the public key exclusion would make the check more robust.

Suggested change

	-name 'id_*' -o -name '*.pem' \
	\) -type f ! -name '*.pub' -print0 2>/dev/null)
	-iname 'id_*' -o -iname '*.pem' \
	\) -type f ! -iname '*.pub' -print0 2>/dev/null)

[MikeeBuilds]

All three review comments have been addressed in commit 4915d71:

1. scan_permissions.sh line 677 (security-medium): Fixed. The fallback remediation message now uses a static placeholder "Manual fix required: chmod 600 [file]" instead of double-quoting $f, which could allow command substitution for filenames that fail the safety regex. The safe path (regex-validated filenames) continues to emit the actual filename.

2. test_integration.sh line 354 (medium suggestion): Added a NOTE comment acknowledging the test verifies the chmod auto-fix command only and does not exercise the scanner's find/detect logic, consistent with the existing integration test style.

3. scan_permissions.sh line 694-696 (medium): Changed all three find predicates from -name to -iname for case-insensitive matching: -iname 'id_*', -iname '*.pem', and ! -iname '*.pub'. This catches ID_RSA, id_rsa.PEM, and similar variants.

cc @greptile-apps @gemini-code-assist — ready for re-review.

[gemini-code-assist]

Thank you for the update, @MikeeBuilds! I appreciate you addressing the feedback from the previous review rounds, specifically the points regarding scan_permissions.sh line 677, test_integration.sh line 354, and scan_permissions.sh lines 694-696.

I will proceed with a re-review of the pull request to verify these changes and ensure everything is in order. I will provide my findings in a new review comment shortly.