🛡️ Sentinel: [CRITICAL] Fix predictable temporary file path vulnerability

[kidchenko]

🚨 Severity: CRITICAL
💡 Vulnerability: Predictable Temporary File Path (Symlink Attack). The tools/os_installers/apt.sh script used a hardcoded, predictable temporary file path (/tmp/yq) when downloading the yq binary. Hardcoding paths in shared directories like /tmp makes the system vulnerable to symlink attacks.
🎯 Impact: An attacker could pre-create a symbolic link at /tmp/yq pointing to a sensitive file (e.g., /etc/passwd). When the script runs with elevated privileges (sudo mv ...), it could overwrite or modify the target file, leading to local privilege escalation or a denial of service.
🔧 Fix: Replaced the hardcoded /tmp/yq path with a securely generated random directory using mktemp -d. The download and move logic is wrapped in a subshell (...) and paired with a local trap 'rm -rf "$TMP_DIR"' EXIT to ensure automatic cleanup upon exit without affecting global script traps. Also recorded this finding in .jules/sentinel.md.
✅ Verification:

1. Check tools/os_installers/apt.sh to ensure /tmp/yq is no longer used and is replaced by mktemp -d.
2. Run ./build.sh syntax and ./build.sh lint to verify the script is valid.
3. Review .jules/sentinel.md for the documented learning.

---

PR created automatically by Jules for task 6281568317492694477 started by @kidchenko

Summary by CodeRabbit

• Bug Fixes

  • Fixed a symlink-attack vulnerability in the tool installer that could allow unauthorized file manipulation during installation. The installer now uses secure temporary directories with automatic cleanup.

• Documentation

  • Added security documentation describing the vulnerability and the implemented mitigation approach.

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds security documentation for a symlink-attack vulnerability in the yq installation script caused by hardcoded /tmp/yq path, and implements the mitigation by using mktemp -d for secure temporary directory creation with proper cleanup via EXIT trap.

Changes

Cohort / File(s)	Summary
Security Documentation .jules/sentinel.md	New entry documenting symlink-attack risk and mitigation strategy for hardcoded temp file path in apt.sh installer.
Installation Script tools/os_installers/apt.sh	Replaced fixed /tmp/yq path with dynamically created temp directory via mktemp -d, added EXIT trap for cleanup, and adjusted binary download/installation to use the secure temp location.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A symlink scheme once lurked in the dark,
But this fix leaves a secure, tempdir mark!
With mktemp -d and traps in place,
No privilege escalation shall win this race! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly addresses the main change: fixing a predictable temporary file path vulnerability by replacing /tmp/yq with mktemp -d. It directly summarizes the critical security fix in the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/symlink-vuln-mktemp-6281568317492694477

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.jules/sentinel.md:
- Around line 1-4: Change the first line to a top-level H1 (prefix with "# ")
and insert a blank line after it, then reflow/wrap the subsequent lines so they
respect the configured line-length rule and markdown heading-level/spacing
rules; specifically update the heading "2024-05-24 - [Predictable Temporary File
Paths (Symlink Attack)]" to H1 with a blank line, and wrap the Vulnerability,
Learning, and Prevention paragraphs so each is under the H1 and fits the
linter's max line length while preserving the original content and the suggested
mktemp/trap guidance.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: efbd5025-f001-494d-b05c-40543f46ba80

📥 Commits

Reviewing files that changed from the base of the PR and between eb5ca40 and 4a8f9ac.

📒 Files selected for processing (2)

• .jules/sentinel.md
• tools/os_installers/apt.sh

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Fix markdownlint failures in heading level/spacing and long lines.

Line 1 should be an H1 with a blank line below, and Lines 2-4 should be wrapped to satisfy the configured line-length rule.

📝 Proposed lint-compliant rewrite

-## 2024-05-24 - [Predictable Temporary File Paths (Symlink Attack)]
-**Vulnerability:** The script `tools/os_installers/apt.sh` used a hardcoded, predictable temporary file path (`/tmp/yq`) when downloading an executable binary.
-**Learning:** Hardcoding paths in shared directories like `/tmp` makes the system vulnerable to symlink attacks (local privilege escalation or denial of service). An attacker could pre-create a symbolic link at `/tmp/yq` pointing to a sensitive file (e.g., `/etc/passwd`), causing the script running with elevated privileges (e.g., `sudo`) to overwrite or modify the target file.
-**Prevention:** Always use securely generated random directories like `mktemp -d` instead of hardcoded paths in shared directories. When creating secure temporary directories in shell scripts with `mktemp -d`, wrap the logic in a subshell `(...)` and pair it with a local trap (e.g., `trap 'rm -rf "$TMP_DIR"' EXIT`) to ensure automatic cleanup upon exit without affecting or overriding global script traps.
+# 2024-05-24 - [Predictable Temporary File Paths (Symlink Attack)]
+
+**Vulnerability:** The script `tools/os_installers/apt.sh` used a hardcoded,
+predictable temporary file path (`/tmp/yq`) when downloading an executable
+binary.
+
+**Learning:** Hardcoding paths in shared directories like `/tmp` makes the
+system vulnerable to symlink attacks (local privilege escalation or denial of
+service). An attacker could pre-create a symbolic link at `/tmp/yq` pointing to
+a sensitive file (e.g., `/etc/passwd`), causing the script running with elevated
+privileges (e.g., `sudo`) to overwrite or modify the target file.
+
+**Prevention:** Always use securely generated random directories like
+`mktemp -d` instead of hardcoded paths in shared directories. When creating
+secure temporary directories in shell scripts with `mktemp -d`, wrap the logic
+in a subshell `(...)` and pair it with a local trap
+(e.g., `trap 'rm -rf "$TMP_DIR"' EXIT`) to ensure automatic cleanup upon exit
+without affecting or overriding global script traps.

🧰 Tools

🪛 GitHub Check: Lint Documentation

[failure] 4-4: Line length
.jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 407] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

---

[failure] 3-3: Line length
.jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 379] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

---

[failure] 2-2: Line length
.jules/sentinel.md:2:81 MD013/line-length Line length [Expected: 80; Actual: 159] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

---

[failure] 1-1: First line in a file should be a top-level heading
.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2024-05-24 - [Predictable T..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md

---

[failure] 1-1: Headings should be surrounded by blank lines
.jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2024-05-24 - [Predictable Temporary File Paths (Symlink Attack)]"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.jules/sentinel.md around lines 1 - 4, Change the first line to a top-level
H1 (prefix with "# ") and insert a blank line after it, then reflow/wrap the
subsequent lines so they respect the configured line-length rule and markdown
heading-level/spacing rules; specifically update the heading "2024-05-24 -
[Predictable Temporary File Paths (Symlink Attack)]" to H1 with a blank line,
and wrap the Vulnerability, Learning, and Prevention paragraphs so each is under
the H1 and fits the linter's max line length while preserving the original
content and the suggested mktemp/trap guidance.