security: Fix overly permissive file modes and cache directory boundary

Four issues identified during code review and resolved:

1. World-writable directory creation during archive extraction —
   pkg/archive/extract_targz.go, pkg/archive/extract_zip.go

   Directories unpacked from archives were created with mode 0o777
   (world-writable). Changed to 0o755 to match the principle of least
   privilege applied elsewhere in the codebase.

2. World-writable file creation during zip extraction —
   pkg/archive/extract_zip.go

   Files extracted from .zip archives were created with a hardcoded
   mode of 0o777. The .tar.gz extractor already did the right thing
   by using os.FileMode(th.Mode) to preserve the permission bits from
   the archive header. The .zip extractor now does the same via
   z.Mode(). Hugo release zips built by goreleaser carry Unix
   permission metadata, so the Hugo binary emerges executable (0o755)
   rather than world-writable.

3. World-writable parent directory creation in helpers —
   pkg/helpers/helpers.go

   CopyFile used 0o777 when creating parent directories for the
   destination. Changed to 0o755.

4. Incorrect directory boundary in cache size calculation —
   pkg/cache/cache.go, pkg/cache/cache_test.go

   Size() excluded files whose path had excludeDir as a string prefix,
   meaning a directory named e.g. 'default123' would be silently
   excluded alongside 'default'. Changed to an exact match check:

     path != excludeDir && !strings.HasPrefix(path, excludeDir+"/")

   The accompanying test was asserting the buggy behaviour (with a
   comment claiming it was intentional); it now asserts the correct
   behaviour.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: jmooring

pkg/archive/extract_targz.go

@@ -66,7 +66,7 @@ func extractTarGZ(src, dst string) error {
 		switch th.Typeflag {
 		case tar.TypeDir:
 			if _, err := os.Stat(target); err != nil {
-				if err := os.MkdirAll(target, 0o777); err != nil {
+				if err := os.MkdirAll(target, 0o755); err != nil {
 					return err
 				}
 			}

pkg/archive/extract_zip.go

@@ -41,14 +41,14 @@ func extractZip(src, dst string) error {
 		}
 
 		if f.FileInfo().IsDir() {
-			err = os.MkdirAll(target, 0o777)
+			err = os.MkdirAll(target, 0o755)
 			if err != nil {
 				return err
 			}
 			continue
 		}
 
-		err = os.MkdirAll(filepath.Dir(target), 0o777)
+		err = os.MkdirAll(filepath.Dir(target), 0o755)
 		if err != nil {
 			return err
 		}
@@ -70,7 +70,7 @@ func copyFileFromZip(z *zip.File, dst string) (retErr error) {
 	}
 	defer zrc.Close()
 
-	df, err := os.OpenFile(dst, os.O_CREATE|os.O_RDWR, 0o777)
+	df, err := os.OpenFile(dst, os.O_CREATE|os.O_RDWR, z.Mode())
 	if err != nil {
 		return err
 	}

pkg/cache/cache.go

@@ -105,7 +105,7 @@ func Size(cachePath, excludeDir string) (int64, error) {
 		if err != nil {
 			return err
 		}
-		if !d.IsDir() && !strings.HasPrefix(path, excludeDir) && path != SchemaFileName && path != TagListFileName {
+		if !d.IsDir() && path != excludeDir && !strings.HasPrefix(path, excludeDir+"/") && path != SchemaFileName && path != TagListFileName {
 			fi, err := d.Info()
 			if err != nil {
 				return err

pkg/cache/cache_test.go

@@ -48,17 +48,18 @@ func TestSize(t *testing.T) {
 	write(t, filepath.Join(base, "default", "hugo"), 10)
 	write(t, filepath.Join(base, "default", "nested", "file"), 7)
 
-	// Path that starts with exclude prefix should be excluded
+	// Path whose name starts with the exclude prefix but is a different
+	// directory should be included, not excluded.
 	write(t, filepath.Join(base, "default123", "file"), 9)
 
 	size, err := Size(base, "default")
 	if err != nil {
 		t.Fatalf("Size() error: %v", err)
 	}
 
-	// Included: 20 + 5 + 3 = 28
-	// Excluded: 10 + 7 + 9
-	if want := int64(28); size != want {
+	// Included: 20 + 5 + 3 + 9 = 37
+	// Excluded: 10 + 7
+	if want := int64(37); size != want {
 		t.Fatalf("Size(): want %d got %d", want, size)
 	}
 }

pkg/helpers/helpers.go

@@ -64,7 +64,7 @@ func CopyFile(src, dst string) (retErr error) {
 	}
 	defer s.Close()
 
-	err = os.MkdirAll(filepath.Dir(dst), 0o777)
+	err = os.MkdirAll(filepath.Dir(dst), 0o755)
 	if err != nil {
 		return err
 	}