Security and secrets

Upref is a configuration file library, not a credential store. Its security features protect file integrity and reduce accidental exposure; they do not provide encryption, authentication, or access control management.

Plain-text storage

All values passed to upref.ConfigStore.save() are serialized as readable YAML. Field(secret=True) changes only presentation in compatible prompt implementations:

  • terminal input asks getpass for non-echoing entry, but the standard library can fall back to echoed input when the terminal cannot disable echo;

  • GUI input uses a password-style text control;

  • an existing secret value is not displayed as the prompt default.

Custom prompters receive the current value in plaintext and must honor the secret hint themselves. Upref replaces parser and validator ValueError details with a generic message for secret fields, but callbacks and custom interfaces remain responsible for not logging raw input.

If that value is later saved, it remains plain text. Do not put passwords, API tokens, private keys, session cookies, recovery codes, or comparable credentials directly in an Upref mapping.

Use the operating-system keyring or a dedicated secrets manager and store a non-secret identifier in Upref instead:

account: florent@example.org
credential_name: my-application/production

File permissions

Newly saved files receive mode 0600 on POSIX, limiting access to the owner according to normal filesystem semantics. Upref does not change the permissions of parent directories. On Windows it relies on the destination directory’s existing NTFS access-control list.

Permissions are defense in depth, not encryption. Administrators, malware running as the user, backups, synchronization tools, and diagnostic bundles may still access the file.

Integrity and concurrency

Atomic replacement prevents readers from observing a half-written YAML document. It does not detect malicious modification, protect against a compromised account, or decide which concurrent writer is correct. See Atomicity and concurrent access for the exact guarantees.

Resource limits and untrusted files

Upref is designed for small, local application configuration files. It does not impose a byte-size, nesting-depth, alias-count, CPU, or memory limit before or during YAML parsing. yaml.safe_load prevents construction of arbitrary Python objects, but it is not a denial-of-service boundary. Alias-heavy or deeply nested attacker-controlled YAML can exhaust resources or exceed Python’s recursion limit, especially because normalization detaches repeated containers.

An application that accepts configuration from an untrusted party should enforce an input-size limit before loading, validate an application-specific depth and shape, and use process isolation when resource exhaustion is in its threat model.

Application practices

Applications using Upref should also:

  • avoid logging or printing complete configurations when sensitive values may be present;

  • use an application-specific directory and a conservative filename;

  • validate business meaning after loading—Upref validates representation, not hostnames, URLs, port ranges, or authorization policy;

  • treat configuration imported from another machine as untrusted input;

  • keep backups and crash reports from collecting secrets accidentally;

  • add cross-process locking when lost updates are unacceptable.