From 09499a732f0b50c9d09d0964ab0663f5ffed474d Mon Sep 17 00:00:00 2001
From: Preston Van Loon
Date: Mon, 24 Feb 2025 09:13:53 -0600
Subject: [PATCH] gosec: Fix violations of G301 (#14980)

* gosec: Fix violations of G301
* Changelog fragment
---
 changelog/pvl_g301.md | 3 +++
 cmd/prysmctl/testnet/generate_genesis.go | 2 +-
 testing/endtoend/helpers/helpers.go | 2 +-
 tools/analyzers/properpermissions/testdata/regular_imports.go | 4 ++--
 tools/specs-checker/download.go | 2 +-
 5 files changed, 8 insertions(+), 5 deletions(-)
 create mode 100644 changelog/pvl_g301.md

diff --git a/changelog/pvl_g301.md b/changelog/pvl_g301.md
new file mode 100644
index 000000000000..9b43c0a14a9a
--- /dev/null
+++ b/changelog/pvl_g301.md
@@ -0,0 +1,3 @@
+### Fixed
+
+- Fixed violations of gosec G301. This is a check that created files and directories have file permissions 0750 and 0600 respectively.
diff --git a/cmd/prysmctl/testnet/generate_genesis.go b/cmd/prysmctl/testnet/generate_genesis.go
index 814deac8fa5d..b99148b3812c 100644
--- a/cmd/prysmctl/testnet/generate_genesis.go
+++ b/cmd/prysmctl/testnet/generate_genesis.go
@@ -288,7 +288,7 @@ func generateGenesis(ctx context.Context) (state.BeaconState, error) {
 if err != nil {
 return nil, err
 }
- if err := os.WriteFile(f.GethGenesisJsonOut, gbytes, os.ModePerm); err != nil {
+ if err := os.WriteFile(f.GethGenesisJsonOut, gbytes, 0600); err != nil {
 return nil, errors.Wrapf(err, "failed to write %s", f.GethGenesisJsonOut)
 }
 }
diff --git a/testing/endtoend/helpers/helpers.go b/testing/endtoend/helpers/helpers.go
index ed982b6ed4c5..849cb18aa9be 100644
--- a/testing/endtoend/helpers/helpers.go
+++ b/testing/endtoend/helpers/helpers.go
@@ -196,7 +196,7 @@ random:
 - "Takoyaki"
 `)
 f := filepath.Join(testDir, "graffiti.yaml")
- if err := os.WriteFile(f, b, os.ModePerm); err != nil {
+ if err := os.WriteFile(f, b, 0600); err != nil {
 return "", err
 }
 return f, nil
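Review bot: The `0600` now passed to `os.WriteFile` for `f.GethGenesisJsonOut` only takes effect when the file is created; if the output path already exists from an earlier run that used `os.ModePerm`, WriteFile truncates it and leaves the wider mode in place. The same applies to the `graffiti.yaml` write in testing/endtoend/helpers/helpers.go, although that one presumably lands in a fresh test directory. If the tighter mode is meant to be guaranteed rather than best-effort, follow the write with `if err := os.Chmod(f.GethGenesisJsonOut, 0600); err != nil { return nil, err }`, or at least record the limitation with `// 0600 applies on creation only; a pre-existing file keeps its mode`. It is also worth confirming that whatever consumes the geth genesis JSON runs as the same user, since group and other lose read access with this change. generateGenesis starts and ends outside the hunk.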
diff --git a/tools/analyzers/properpermissions/testdata/regular_imports.go b/tools/analyzers/properpermissions/testdata/regular_imports.go
index 43a3592d798f..374c1b26b160 100644
--- a/tools/analyzers/properpermissions/testdata/regular_imports.go
+++ b/tools/analyzers/properpermissions/testdata/regular_imports.go
@@ -20,7 +20,7 @@ func tempDir() string {
 func UseOsMkdirAllAndWriteFile() {
 randPath, _ := rand.Int(rand.Reader, big.NewInt(1000000))
 p := filepath.Join(tempDir(), fmt.Sprintf("/%d", randPath))
- _ = os.MkdirAll(p, os.ModePerm) // want "os and ioutil dir and file writing functions are not permissions-safe, use shared/file"
+ _ = os.MkdirAll(p, 0750) // want "os and ioutil dir and file writing functions are not permissions-safe, use shared/file"
 someFile := filepath.Join(p, "some.txt")
- _ = os.WriteFile(someFile, []byte("hello"), os.ModePerm) // want "os and ioutil dir and file writing functions are not permissions-safe, use shared/file"
+ _ = os.WriteFile(someFile, []byte("hello"), 0600) // want "os and ioutil dir and file writing functions are not permissions-safe, use shared/file"
 }
diff --git a/tools/specs-checker/download.go b/tools/specs-checker/download.go
index d2cd67b9fd83..f605f27ff17b 100644
--- a/tools/specs-checker/download.go
+++ b/tools/specs-checker/download.go
@@ -78,5 +78,5 @@ func getAndSaveFile(specDocUrl, outFilePath string) error {
 }

 func prepareDir(dirPath string) error {
- return os.MkdirAll(dirPath, os.ModePerm)
+ return os.MkdirAll(dirPath, 0750)
 }
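Review bot: Nothing in UseOsMkdirAllAndWriteFile says that the mode argument is irrelevant to what this testdata checks, and both rewritten calls keep their `// want` expectations unchanged. From that it appears the properpermissions analyzer reports the direct `os.MkdirAll`/`os.WriteFile` call itself, not the permission bits, though the analyzer source is not visible here. A one-line comment above the calls, such as `// The analyzer flags the direct os call regardless of mode; the literals only satisfy gosec.`, would stop a later reader from assuming 0750 and 0600 are the values under test.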
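Review bot: prepareDir still calls `os.MkdirAll` directly, while the repository's own properpermissions analyzer (its message appears in the testdata hunk of this commit: "use shared/file") steers callers to the shared file helper. Whether tools/ is inside that analyzer's scope cannot be told from this hunk, but if it is, routing the call through the helper would keep the permission policy in one place. Independently of that, the function has no doc comment; I would add `// prepareDir creates dirPath and any missing parents with mode 0750 (before umask); directories that already exist keep their mode.` so the creation-only semantics of the new literal are explicit.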