From 8315c68567828d1d12f0c8cd51e001656cb61425 Mon Sep 17 00:00:00 2001
From: Matt Gibson
Date: Thu, 2 Oct 2025 19:58:24 +0000
Subject: [PATCH] [PM-26318] Limit data.json to current user read/write (#16647)
* Limit data.json to current user read/write
* Keep existing permissions for portable
---
 .../services/electron-storage.service.ts | 24 +++++--------------
 1 file changed, 6 insertions(+), 18 deletions(-)
diff --git a/apps/desktop/src/platform/services/electron-storage.service.ts b/apps/desktop/src/platform/services/electron-storage.service.ts
index 2d292d6537b..34aa8837475 100644
--- a/apps/desktop/src/platform/services/electron-storage.service.ts
+++ b/apps/desktop/src/platform/services/electron-storage.service.ts
@@ -3,6 +3,7 @@
 import * as fs from "fs";
 import { ipcMain } from "electron";
+import ElectronStore from "electron-store";
 import { Subject } from "rxjs";
 import {
@@ -11,22 +12,7 @@ import {
 } from "@bitwarden/common/platform/abstractions/storage.service";
 import { NodeUtils } from "@bitwarden/node/node-utils";
-// See: https://github.com/sindresorhus/electron-store/blob/main/index.d.ts
-interface ElectronStoreOptions {
- defaults: unknown;
- name: string;
-}
-
-type ElectronStoreConstructor = new (options: ElectronStoreOptions) => ElectronStore;
-
-// eslint-disable-next-line
-const Store: ElectronStoreConstructor = require("electron-store");
-
-interface ElectronStore {
- get: (key: string) => unknown;
- set: (key: string, obj: unknown) => void;
- delete: (key: string) => void;
-}
+import { isWindowsPortable } from "../../utils";
 interface BaseOptions {
 action: T;
@@ -48,11 +34,13 @@ export class ElectronStorageService implements AbstractStorageService {
 if (!fs.existsSync(dir)) {
 NodeUtils.mkdirpSync(dir, "700");
 }
- const storeConfig: ElectronStoreOptions = {
+ const fileMode = isWindowsPortable() ? 0o666 : 0o600;
+ const storeConfig: ElectronStore.Options> = {
 defaults: defaults,
 name: "data",
+ configFileMode: fileMode,
 };
- this.store = new Store(storeConfig);
+ this.store = new ElectronStore(storeConfig);
 this.updates$ = this.updatesSubject.asObservable();
 ipcMain.handle("storageService", (event, options: Options) => {
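Review bot: A data.json left by an earlier version may keep its wider permissions, because `configFileMode` is presumably applied only when electron-store creates or rewrites the file. This should be confirmed against the library's write path, in particular wherever it does not write atomically. Tightening the existing file right after `this.store = new ElectronStore(storeConfig);` would close that gap on upgrade: `if (!isWindowsPortable() && fs.existsSync(this.store.path)) { fs.chmodSync(this.store.path, fileMode); }`. The same applies to the directory, since the `mkdirpSync(dir, "700")` context line runs only when `dir` does not yet exist. The portable exception also deserves a comment above `fileMode`, e.g. `// Portable installs keep the previous 0o666 mode; POSIX mode bits do not restrict other users on Windows, ACLs do.` The constructor body starts and ends outside this hunk.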