🛡️ Sentinel: [CRITICAL] Fix Insecure Temporary File Usage

[kidchenko]

🚨 Severity: CRITICAL
💡 Vulnerability: The script tools/os_installers/apt.sh used predictable, hardcoded temporary file paths (/tmp/yq) for downloading the yq binary and downloaded other executable artifacts directly into the working directory. It then moved the /tmp/yq file into system paths (/usr/local/bin/yq) using sudo.
🎯 Impact: A malicious local user could exploit this via a symlink attack or pre-creation to escalate privileges by tricking sudo mv into overwriting arbitrary system files, or execute attacker-controlled binaries.
🔧 Fix: Replaced the hardcoded paths with securely generated directories using mktemp -d to ensure safe, isolated downloads. Also created a .jules/sentinel.md to log this critical security learning as instructed.
✅ Verification: Ran ./build.sh syntax check to ensure there were no syntax errors. Verify visually that mktemp -d is being used and that it cleans up the directories after usage.

---

PR created automatically by Jules for task 14544203756493176859 started by @kidchenko

Summary by CodeRabbit

Bug Fixes

• Enhanced package installer security by replacing predictable temporary file paths with securely generated temporary directories to mitigate privilege escalation risks
• Enabled quiet mode for downloads

Documentation

• Added security documentation detailing temporary file handling vulnerabilities and prevention guidelines

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

📝 Walkthrough

Walkthrough

A new documentation entry recording security findings related to predictable temporary file paths in OS installer scripts is added, alongside implementation fixes that replace vulnerable patterns with mktemp -d for secure temporary directory generation in the yq and lsd installers.

Changes

Cohort / File(s)	Summary
Security Documentation .jules/sentinel.md	New entry documenting a security finding regarding privilege escalation and symlink attack risks in apt.sh installers, with prevention directives.
Installer Script Fixes tools/os_installers/apt.sh	Updated yq and lsd installers to use mktemp -d for secure temporary directories instead of predictable paths; added quiet mode (-q) to wget calls; ensures cleanup of temporary directories.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Hops with glee at paths now secure,
No more /tmp whispers luring attacks our way,
With mktemp -d magic, we leap without fear,
Temporary haven, randomly sealed and clear! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly describes the main security fix: addressing insecure temporary file usage in apt.sh scripts, which is the primary change in the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sentinel/fix-insecure-tmp-file-14544203756493176859

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

tools/os_installers/apt.sh (1)

206-213: Go installation uses the same vulnerable pattern that was fixed for yq/lsd.

The Go tarball is downloaded to the current working directory (a predictable location) and then extracted with sudo tar. This has a similar TOCTOU risk to the original vulnerability addressed in this PR. An attacker could pre-place or symlink go${GO_VERSION}.linux-amd64.tar.gz before download completes.

Consider applying the same mktemp -d pattern here for consistency.

♻️ Suggested fix

 # Install Go
 echo "Installing Go..."
 if ! command -v go &> /dev/null; then
     GO_VERSION="1.23.4"
-    wget "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz"
+    TMP_DIR=$(mktemp -d)
+    wget -q "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" -O "$TMP_DIR/go.tar.gz"
     sudo rm -rf /usr/local/go
-    sudo tar -C /usr/local -xzf "go${GO_VERSION}.linux-amd64.tar.gz"
-    rm "go${GO_VERSION}.linux-amd64.tar.gz"
+    sudo tar -C /usr/local -xzf "$TMP_DIR/go.tar.gz"
+    rm -rf "$TMP_DIR"
     echo "NOTE: Add 'export PATH=\$PATH:/usr/local/go/bin' to your shell profile"
 fi

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tools/os_installers/apt.sh` around lines 206 - 213, The Go install downloads
the tarball into the current directory causing a TOCTOU risk; change the logic
around GO_VERSION, wget and tar to download and extract from a secure temporary
directory (use mktemp -d), e.g., create a tempdir, wget the
"go${GO_VERSION}.linux-amd64.tar.gz" into that tempdir, run sudo rm -rf
/usr/local/go and sudo tar -C /usr/local -xzf
"${tempdir}/go${GO_VERSION}.linux-amd64.tar.gz", then securely rm -rf the
tempdir and keep the existing echo about PATH; update references to GO_VERSION,
wget and the tar invocation accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.jules/sentinel.md:
- Around line 1-4: Change the top-level heading to a single `#` (fix MD041),
insert a blank line immediately after that heading (fix MD022), reflow the long
lines in the body so no line exceeds ~80 characters (fix MD013), and update the
date string from "2024-03-24" to "2026-03-24"; apply these edits in
.jules/sentinel.md so the heading, spacing, wrapped paragraphs, and corrected
date resolve the lint errors.

---

Nitpick comments:
In `@tools/os_installers/apt.sh`:
- Around line 206-213: The Go install downloads the tarball into the current
directory causing a TOCTOU risk; change the logic around GO_VERSION, wget and
tar to download and extract from a secure temporary directory (use mktemp -d),
e.g., create a tempdir, wget the "go${GO_VERSION}.linux-amd64.tar.gz" into that
tempdir, run sudo rm -rf /usr/local/go and sudo tar -C /usr/local -xzf
"${tempdir}/go${GO_VERSION}.linux-amd64.tar.gz", then securely rm -rf the
tempdir and keep the existing echo about PATH; update references to GO_VERSION,
wget and the tar invocation accordingly.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7e079f1a-565f-4387-a841-31185f0d64c7

📥 Commits

Reviewing files that changed from the base of the PR and between eb5ca40 and 355ef26.

📒 Files selected for processing (2)

• .jules/sentinel.md
• tools/os_installers/apt.sh

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Fix markdown linting errors to pass CI.

Static analysis flagged multiple issues:

1. MD041: File should start with a top-level heading (#), not ##.
2. MD022: Add a blank line after the heading.
3. MD013: Lines 2-4 exceed 80 characters; wrap them for readability.

Also, the date shows "2024-03-24" which appears to be a typo (current year is 2026).

📝 Suggested fix

-## 2024-03-24 - Insecure Temporary File Usage
-**Vulnerability:** The script `tools/os_installers/apt.sh` used a predictable temporary file path (`/tmp/yq`) for downloading the `yq` binary and then immediately used `sudo mv /tmp/yq ...` to install it. This poses a risk for local privilege escalation or symlink attacks. Additionally, downloading executable artifacts directly to the current working directory as seen with `lsd` risks overwriting existing files or executing attacker-controlled binaries.
-**Learning:** Hardcoding predictable temporary file paths in shell scripts, especially those executing with elevated privileges (`sudo`), is a major security flaw. Always use securely generated random directories like `mktemp -d` to prevent local privilege escalation and symlink attacks.
-**Prevention:** Always use `mktemp -d` to create isolated, random, and secure temporary directories when downloading or extracting artifacts before acting upon them, particularly when using `sudo` to move them to system directories.
+# Security Findings
+
+## 2026-03-24 - Insecure Temporary File Usage
+
+**Vulnerability:** The script `tools/os_installers/apt.sh` used a predictable
+temporary file path (`/tmp/yq`) for downloading the `yq` binary and then
+immediately used `sudo mv /tmp/yq ...` to install it. This poses a risk for
+local privilege escalation or symlink attacks. Additionally, downloading
+executable artifacts directly to the current working directory as seen with
+`lsd` risks overwriting existing files or executing attacker-controlled
+binaries.
+
+**Learning:** Hardcoding predictable temporary file paths in shell scripts,
+especially those executing with elevated privileges (`sudo`), is a major
+security flaw. Always use securely generated random directories like
+`mktemp -d` to prevent local privilege escalation and symlink attacks.
+
+**Prevention:** Always use `mktemp -d` to create isolated, random, and secure
+temporary directories when downloading or extracting artifacts before acting
+upon them, particularly when using `sudo` to move them to system directories.

🧰 Tools

🪛 GitHub Check: Lint Documentation

[failure] 4-4: Line length
.jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 232] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

---

[failure] 3-3: Line length
.jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 288] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

---

[failure] 2-2: Line length
.jules/sentinel.md:2:81 MD013/line-length Line length [Expected: 80; Actual: 457] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

---

[failure] 1-1: First line in a file should be a top-level heading
.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2024-03-24 - Insecure Tempo..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md

---

[failure] 1-1: Headings should be surrounded by blank lines
.jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2024-03-24 - Insecure Temporary File Usage"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.jules/sentinel.md around lines 1 - 4, Change the top-level heading to a
single `#` (fix MD041), insert a blank line immediately after that heading (fix
MD022), reflow the long lines in the body so no line exceeds ~80 characters (fix
MD013), and update the date string from "2024-03-24" to "2026-03-24"; apply
these edits in .jules/sentinel.md so the heading, spacing, wrapped paragraphs,
and corrected date resolve the lint errors.