🛡️ Sentinel: [HIGH] Fix insecure temporary file downloads in apt.sh

[kidchenko]

🚨 Severity: HIGH
💡 Vulnerability: The apt.sh script downloaded executables (like yq and go) directly to predictably named, globally writable paths (e.g., /tmp/yq), and generated temporary scripts (composer-setup.php) in the local working directory.
🎯 Impact: This exposed the system to symlink attacks, race conditions, or malicious file overwriting if an attacker gained local access. It could also pollute the user's current working directory.
🔧 Fix: Added a secure temporary directory using mktemp -d combined with a cleanup trap (trap 'rm -rf "$TMP_DIR"' EXIT). Updated all insecure downloads to target this new directory instead.
✅ Verification: Run ./build.sh (specifically syntax and linting checks) to verify no regressions were introduced. Examine tools/os_installers/apt.sh to ensure TMP_DIR logic is applied to go, yq, lsd, and composer installations.

---

PR created automatically by Jules for task 14587082210010462086 started by @kidchenko

Summary by CodeRabbit

• Bug Fixes

  • Secured the installation process by implementing secure temporary directory creation and automatic cleanup of artifacts on exit
  • Improved file handling safety across multiple installers by preventing vulnerabilities related to predictable file paths and unauthorized overwrites

• Documentation

  • Added security advisory documentation detailing installation improvements and risk mitigation measures

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

📝 Walkthrough

Walkthrough

Security vulnerability in apt.sh is addressed by implementing secure temporary directory handling. A new documentation entry describes the issue, while the installation script is updated to use mktemp -d for temporary files and automatic cleanup via trap, redirecting downloads from predictable paths to the secure temporary directory.

Changes

Cohort / File(s)	Summary
Security Documentation .jules/sentinel.md	Added security note documenting critical findings: insecure download locations and temporary file handling risks in apt.sh, with recommendations for mitigation using secure temp directories and cleanup traps.
Secure Temp Directory Implementation tools/os_installers/apt.sh	Modified installation script to create a temporary directory via mktemp -d with automatic cleanup trap. Redirected downloads for Go, yq, lsd, and Composer from fixed paths to the secure temporary directory, and consolidated cleanup logic.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 A tale of tmp files gone wrong,
Where symlinks lurk and paths don't belong,
But now with mktemp shining bright,
And traps that clean up in the night—
Your installs are safe, your data secure,
A hoppy fix that will endure! 🌟

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly addresses the main security fix in the changeset: securing temporary file downloads in apt.sh using mktemp and cleanup traps.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sentinel/apt-sh-secure-tmp-downloads-14587082210010462086

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.jules/sentinel.md:
- Around line 1-4: Update the markdown to satisfy markdownlint: change the first
line heading from "## 2025-03-25 - [CRITICAL] Insecure File Downloads in apt.sh"
to a top-level heading (prepend a single "#"), insert a blank line after that
heading, and wrap or reflow the long descriptive lines (the vulnerability,
learning, and prevention lines) so each line is <= 80 characters; ensure the
content under those headings remains semantically identical while splitting
sentences or using additional short lines as needed.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e5c5ec7b-65de-4713-9307-0a372a880515

📥 Commits

Reviewing files that changed from the base of the PR and between eb5ca40 and 87f2916.

📒 Files selected for processing (2)

• .jules/sentinel.md
• tools/os_installers/apt.sh

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Fix markdown linting errors flagged by the pipeline.

The static analysis tool reports several markdownlint failures:

• MD041: First line should be a top-level heading (# instead of ##)
• MD022: Heading should be followed by a blank line
• MD013: Lines 2-4 exceed 80 character limit

📝 Proposed fix for linting issues

-## 2025-03-25 - [CRITICAL] Insecure File Downloads in apt.sh
-**Vulnerability:** The `apt.sh` script downloaded executables (like `yq`) directly to predictably named, globally writable paths (e.g., `/tmp/yq`), and generated temporary scripts (`composer-setup.php`) in the local working directory.
-**Learning:** This exposes the system to symlink attacks or malicious file overwriting if an attacker gains local access, or pollution of the user's current working directory.
-**Prevention:** Always use dynamically generated, securely permissioned temporary directories (e.g., using `mktemp -d`) and properly configure cleanup actions using `trap` statements when handling temporary file downloads in automation scripts.
+# Sentinel Security Notes
+
+## 2025-03-25 - [CRITICAL] Insecure File Downloads in apt.sh
+
+**Vulnerability:** The `apt.sh` script downloaded executables (like `yq`)
+directly to predictably named, globally writable paths (e.g., `/tmp/yq`),
+and generated temporary scripts (`composer-setup.php`) in the local
+working directory.
+
+**Learning:** This exposes the system to symlink attacks or malicious file
+overwriting if an attacker gains local access, or pollution of the user's
+current working directory.
+
+**Prevention:** Always use dynamically generated, securely permissioned
+temporary directories (e.g., using `mktemp -d`) and properly configure
+cleanup actions using `trap` statements when handling temporary file
+downloads in automation scripts.

🧰 Tools

🪛 GitHub Check: Lint Documentation

[failure] 4-4: Line length
.jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 244] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

---

[failure] 3-3: Line length
.jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 175] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

---

[failure] 2-2: Line length
.jules/sentinel.md:2:81 MD013/line-length Line length [Expected: 80; Actual: 234] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

---

[failure] 1-1: First line in a file should be a top-level heading
.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2025-03-25 - [CRITICAL] Ins..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md

---

[failure] 1-1: Headings should be surrounded by blank lines
.jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2025-03-25 - [CRITICAL] Insecure File Downloads in apt.sh"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.jules/sentinel.md around lines 1 - 4, Update the markdown to satisfy
markdownlint: change the first line heading from "## 2025-03-25 - [CRITICAL]
Insecure File Downloads in apt.sh" to a top-level heading (prepend a single
"#"), insert a blank line after that heading, and wrap or reflow the long
descriptive lines (the vulnerability, learning, and prevention lines) so each
line is <= 80 characters; ensure the content under those headings remains
semantically identical while splitting sentences or using additional short lines
as needed.