[PR #192] [CLOSED] fix: improve security by enabling SSL verification and restricting cookie file permissions #213

Closed
opened 2026-02-13 17:28:06 -06:00 by mirrors (Owner) · 0 comments

📋 Pull Request Information

Original PR: https://github.com/HanaokaYuzu/Gemini-API/pull/192
Author: @ww2283
Created: 12/11/2025
Status: Closed

Base: master ← Head: fix/security-improvements


📝 Commits (1)

  • ff01766 (https://github.com/HanaokaYuzu/Gemini-API/commit/ff0176683a290ed08e39383c4eeae87f7b93ef9b) fix: improve security by enabling SSL verification and restricting cookie file permissions

📊 Changes

2 files changed (+2 additions, -2 deletions)


📝 src/gemini_webapi/utils/get_access_token.py (+1 -2)
📝 src/gemini_webapi/utils/rotate_1psidts.py (+1 -0)

📄 Description

  • Remove verify=False from AsyncClient calls to enable SSL certificate verification
  • Add chmod 0o600 to cookie file to restrict access to owner only

Security: SSL verification disabled and plaintext cookie storage

Summary

During a security audit, I found two issues that could expose users to credential theft:

  1. SSL/TLS verification disabled - verify=False in HTTP clients enables MITM attacks
  2. Cookie cache files world-readable - No file permissions set on cached credentials

Issue 1: SSL Verification Disabled (Critical)

Location: src/gemini_webapi/utils/get_access_token.py

Current code:

# Line 22-27
async with AsyncClient(
    proxy=proxy,
    headers=Headers.GEMINI.value,
    cookies=cookies,
    follow_redirects=True,
    verify=False,  # <-- SSL verification disabled
) as client:

# Line 68
async with AsyncClient(proxy=proxy, follow_redirects=True, verify=False) as client:

Impact:

  • Man-in-the-middle attackers can intercept traffic
  • Authentication cookies (__Secure-1PSID, __Secure-1PSIDTS) can be stolen
  • Particularly dangerous on public WiFi or untrusted networks

Fix:
Remove verify=False (httpx defaults to verify=True):

async with AsyncClient(
    proxy=proxy,
    headers=Headers.GEMINI.value,
    cookies=cookies,
    follow_redirects=True,
) as client:

Issue 2: Cookie Cache Permissions (Medium)

Location: src/gemini_webapi/utils/rotate_1psidts.py

Current code:

# Line 57-58
if new_1psidts := response.cookies.get("__Secure-1PSIDTS"):
    path.write_text(new_1psidts)  # <-- Default permissions (typically 0644)

Impact:

  • Cache files created with world-readable permissions
  • Any user/process on the system can read the authentication token
  • Risk on shared or multi-user systems

Fix:
Set restrictive permissions after writing:

if new_1psidts := response.cookies.get("__Secure-1PSIDTS"):
    path.write_text(new_1psidts)
    path.chmod(0o600)  # Owner read/write only

Environment

  • gemini-webapi version: 1.17.3
  • Python: 3.12
  • OS: macOS (but issues affect all platforms)

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
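Added example for Issue 1 (not part of the PR or of the Gemini-API project): a small static check that walks a module's AST and reports every call passing the literal keyword `verify=False`, the pattern the PR removes from get_access_token.py. Running it over a repository (or in CI) catches the setting before it ships, and running it after the fix confirms nothing was missed. The `Finding` class, `find_verify_false` function and the `SAMPLE_BEFORE`/`SAMPLE_AFTER` sources are constructed for this example; the sample mirrors the two call sites quoted above, wrapped in a function so it parses stand-alone.

```python
"""Static check for disabled TLS verification in httpx/requests-style client calls.

Added example for the PR page, not project code. Reports every call that passes
the literal keyword verify=False. Limitation: a value passed through a variable
(verify=VERIFY) is not resolved; only the literal False is flagged.
"""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int     # line carrying the verify=False keyword
    callee: str   # call target as written, e.g. "AsyncClient" or "httpx.AsyncClient"


def _callee_name(node: ast.AST) -> str:
    """Render the call target as dotted text (Name / Attribute chains)."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return f"{_callee_name(node.value)}.{node.attr}"
    return type(node).__name__


def find_verify_false(source: str) -> list[Finding]:
    """Return every call in `source` that passes the literal keyword verify=False."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if (
                kw.arg == "verify"
                and isinstance(kw.value, ast.Constant)
                and kw.value.value is False
            ):
                findings.append(Finding(kw.value.lineno, _callee_name(node.func)))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample mirroring the two call sites described in the PR
# (wrapped in an async function so the snippet is valid on its own).
SAMPLE_BEFORE = '''\
async def fetch(proxy, cookies):
    async with AsyncClient(
        proxy=proxy,
        headers=Headers.GEMINI.value,
        cookies=cookies,
        follow_redirects=True,
        verify=False,
    ) as client:
        pass
    async with httpx.AsyncClient(proxy=proxy, follow_redirects=True, verify=False) as client:
        pass
'''

# Same code with the keyword removed, i.e. the PR's fix (httpx then defaults to verify=True).
SAMPLE_AFTER = SAMPLE_BEFORE.replace("        verify=False,\n", "").replace(", verify=False", "")


if __name__ == "__main__":
    for label, src in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        hits = find_verify_false(src)
        print(f"{label}: {len(hits)} call(s) with verify=False")
        for f in hits:
            print(f"  line {f.line}: {f.callee}(... verify=False ...)")
```

Pointing `find_verify_false` at `Path(f).read_text()` for each `*.py` under `src/` gives a repository-wide sweep; the check is intentionally conservative and only flags the literal `False`.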

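Added example for Issue 2 (not part of the PR or of the Gemini-API project): the fix above calls `path.write_text()` and then `path.chmod(0o600)`, so for the moment between the two calls the cache file carries the umask-derived default mode (typically 0644). The helper below opens the file with mode 0o600 at creation time via `os.open`, so the restriction applies from the first byte, and still tightens an already-existing file whose mode was looser. `write_secret`, `permission_bits`, `is_owner_only` and `demo` are constructed names; the example assumes a POSIX filesystem, since on Windows `chmod` only toggles the read-only flag.

```python
"""Create a credential cache file that is never world-readable, not even briefly.

Added example for the PR page, not project code. Uses os.open with an explicit
0o600 creation mode instead of write_text() followed by chmod(). Assumes POSIX.
"""
import os
import stat
import tempfile
from pathlib import Path


def write_secret(path: Path, secret: str) -> None:
    """Write `secret` to `path`, creating or truncating it with owner-only permissions."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
    fd = os.open(path, flags, 0o600)  # the mode applies only when the file is created
    with os.fdopen(fd, "w") as f:     # fdopen takes ownership of fd and closes it
        f.write(secret)
    # If the file pre-existed with looser permissions, os.open's mode is ignored,
    # so tighten it explicitly as well (same end state the PR's chmod(0o600) gives).
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def permission_bits(path: Path) -> int:
    """Return the permission bits of `path`, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def is_owner_only(path: Path) -> bool:
    """True when no group or other permission bit is set on `path`."""
    return permission_bits(path) & 0o077 == 0


def demo() -> dict[str, bool]:
    """Constructed demo: a fresh file and a pre-existing 0644 file both end up 0600."""
    with tempfile.TemporaryDirectory() as d:
        fresh = Path(d) / "fresh_1psidts"
        write_secret(fresh, "constructed-token-value")

        loose = Path(d) / "loose_1psidts"
        loose.write_text("old")   # default mode, umask-dependent (e.g. 0644)
        loose.chmod(0o644)        # make the loose starting state explicit
        loose_before = is_owner_only(loose)
        write_secret(loose, "constructed-token-value")

        return {
            "fresh_owner_only": is_owner_only(fresh),
            "loose_before": loose_before,
            "loose_after": is_owner_only(loose),
            "content_ok": fresh.read_text() == "constructed-token-value",
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`is_owner_only` doubles as a startup check: a process that loads a cached `__Secure-1PSIDTS` can refuse (or warn) when the cache file is readable by group or others, which catches files created by an older version before the fix.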