🛡️ Sentinel: [CRITICAL] Fix insecure temporary file handling in apt.sh

[kidchenko]

🚨 Severity: CRITICAL
💡 Vulnerability: Insecure temporary file handling via predictable paths (e.g. /tmp/yq) and writing files to the current working directory without guaranteed cleanup in tools/os_installers/apt.sh.
🎯 Impact: Vulnerable to local symlink attacks where an attacker could pre-create /tmp/yq as a symlink pointing to an arbitrary file, potentially causing it to be overwritten or modified when the script is run with sudo. Also pollutes the working directory or leaves residual artifacts if the script fails.
🔧 Fix: Replaced hardcoded paths and direct downloads with securely generated temporary directories (mktemp -d). The logic for Go, yq, and lsd installations was wrapped in isolated subshells with an EXIT trap to ensure automatic cleanup of temporary files regardless of script success/failure.
✅ Verification: Verified by checking that tools/os_installers/apt.sh passes the build.sh syntax and validation suite, and no regressions are introduced.

---

PR created automatically by Jules for task 5700316690679871122 started by @kidchenko

Summary by CodeRabbit

• Refactor
  • Enhanced the installer script with improved temporary file handling and automatic cleanup, making installations of Go, yq, and lsd more robust and keeping the system cleaner.

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

📝 Walkthrough

Walkthrough

The installation script for Go, yq, and lsd packages now uses temporary directories created via mktemp -d with cleanup traps instead of fixed-path downloads. Each installation block is wrapped in a subshell that automatically removes its temporary directory on exit, replacing explicit file deletion logic.

Changes

Cohort / File(s)	Summary
Temporary Directory Management tools/os_installers/apt.sh	Go, yq, and lsd installations refactored to use per-run temporary directories with trap cleanup on EXIT, replacing fixed-path downloads and explicit deletion steps.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A rabbit's ode to cleaner paths...

In temporary homes, installers now play,
With mktemp and trap to sweep files away,
No lingering artifacts left in the fold,
Just clean installations, as nature foretold! 🧹✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly addresses the main change: fixing insecure temporary file handling in apt.sh, which matches the PR's core objective to replace hardcoded paths with secure mktemp-based temporary directories and cleanup traps.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sentinel/fix-apt-tmp-files-5700316690679871122

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tools/os_installers/apt.sh`:
- Around line 211-213: Add integrity checks before extracting/downloading
artifacts: for the Go download that uses variables GO_VERSION, TMP_DIR and the
wget/tar sequence, fetch the corresponding SHA256 file (or published checksum
URL), compute and compare sha256sum of "$TMP_DIR/go.tar.gz" and abort with an
error/log if mismatch before running sudo tar; for yq (the wget/curl usage
around the yq download and extract-checksum.sh reference) download the GitHub
release checksums asset, extract the expected checksum and verify the downloaded
binary similarly; for lsd (version 1.1.5) either pin and verify a hardcoded
sha256 computed from a vetted copy or verify the release tag via GPG signature
before installing; ensure failures stop the installer and log the
checksum/verification details.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 768b2641-247a-44e4-917d-c02c8337caf2

📥 Commits

Reviewing files that changed from the base of the PR and between eb5ca40 and c8d7885.

📒 Files selected for processing (1)

• tools/os_installers/apt.sh

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Download/install lines in apt.sh =="
rg -n 'wget "https://(go\.dev/dl/go|github\.com/mikefarah/yq/releases/download|github\.com/lsd-rs/lsd/releases/download)|sudo (tar|mv|dpkg -i)' tools/os_installers/apt.sh

echo
echo "== Integrity verification primitives currently present in apt.sh =="
rg -n 'sha256sum|sha512sum|gpg|cosign|minisign' tools/os_installers/apt.sh || true

echo
echo "== Example published checksum file for lsd v1.1.5 =="
curl -fsSL https://github.com/lsd-rs/lsd/releases/download/v1.1.5/SHA256SUMS | rg 'lsd_1.1.5_amd64.deb'

Repository: kidchenko/dotfiles

Length of output: 2144

---

🏁 Script executed:

#!/bin/bash
# Extract version variables and broader context
rg -B5 -A5 'GO_VERSION|YQ_VERSION|LSD_VERSION' tools/os_installers/apt.sh | head -50

Repository: kidchenko/dotfiles

Length of output: 1252

---

🏁 Script executed:

#!/bin/bash
# Check if there's any pattern with checksums or signatures for these specific tools
rg -B10 -A10 'go\$\{GO_VERSION\}\.linux-amd64\.tar\.gz|yq_linux_amd64|lsd.*\.deb' tools/os_installers/apt.sh

Repository: kidchenko/dotfiles

Length of output: 1793

---

🌐 Web query:

Go language official releases checksums SHA256 verification golang.org

💡 Result:

The official Go language releases provide SHA256 checksums for verification on the downloads page at https://go.dev/dl/ (also accessible via https://golang.org/dl/ which redirects). SHA256 checksums are listed in tables for each stable release (e.g., go1.26.1, go1.26.0) alongside each binary file's details: filename, kind (source/archive/installer), OS/arch, size, and SHA256 checksum. Example for go1.26.1.src.tar.gz: 3172293d04b209dc1144698e7ba13f0477f6ba8c5ffd0be66c20fdbc9785dfbb (33MB, Source). Example for go1.26.1.darwin-amd64.tar.gz: 65773dab2f8cc4cd23d93ba6d0a805de150ca0b78378879292be0b903b8cdd08 (65MB, macOS x86-64 Archive). To verify: Download the binary from https://go.dev/dl/, compute its SHA256 hash locally, and compare against the listed checksum. SHA256 checksum files are also available directly from Google Cloud Storage, e.g., https://storage.googleapis.com/golang/go1.26.1.linux-amd64.tar.gz.sha256 containing just the hash. No PGP signatures are provided on the official page; verification relies on HTTPS + SHA256 checksums. The page notes: "After downloading a binary release suitable for your system, please follow the installation instructions." Current stable as of 2026-04-02: go1.26.1 (released 2026-03-05 per release history). To compute SHA256 in Go: package main import ( "crypto/sha256" "fmt" "io" "os" ) func main { f, _ := os.Open("go1.26.1.linux-amd64.tar.gz") defer f.Close h := sha256.New io.Copy(h, f) fmt.Printf("%x\n", h.Sum(nil)) }

Citations:

• 1: https://www.golang.org/dl/
• 2: https://go.dev/dl/
• 3: Provide download for checksum of go releases.  golang/go#68282
• 4: https://go.dev/doc/devel/release.html
• 5: http://vcs-test.golang.org/dl/

---

🌐 Web query:

yq mikefarah releases GitHub checksums verification

💡 Result:

Mike Farah's yq (https://github.com/mikefarah/yq) GitHub releases provide checksum verification files for all binary assets. Each release includes: - checksums: A file with multi-algorithm checksums (CRC32, MD5, SHA1, etc.) for every download asset, space-separated in a fixed order. - checksums_hashes_order: Lists the order of hash algorithms used in the checksums file. - extract-checksum.sh: A bash script to extract a specific hash (e.g., SHA-256) for a given file. To verify a download (e.g., yq_linux_amd64.tar.gz from v4.52.5): 1. Download the binary, checksums, checksums_hashes_order, and extract-checksum.sh from the release page (https://github.com/mikefarah/yq/releases/tag/v4.52.5). 2. Run: ./extract-checksum.sh SHA-256 yq_linux_amd64.tar.gz This outputs: yq_linux_amd64.tar.gz <sha256_hash> 3. Verify with a tool: rhash -c - or sha256sum -c - Example: ./extract-checksum.sh SHA-256 yq_linux_amd64.tar.gz | sha256sum -c - This confirms the download matches the official release assets. The system supports multiple hashes for flexibility across tools. Latest release as of 2026-04-02: v4.52.5 (2026-03-25). Some releases also include checksums-bsd for direct use with sha256sum etc.

Citations:

• 1: https://github.com/mikefarah/yq/blob/master/scripts/extract-checksum.sh
• 2: Please publish file hashes with releases mikefarah/yq#801
• 3: rhash is failing verification on the new release mikefarah/yq#1011
• 4: https://github.com/mikefarah/yq/releases
• 5: https://github.com/mikefarah/yq/releases/tag/v4.52.5
• 6: https://github.com/mikefarah/yq/releases/tag/v4.52.4

---

🌐 Web query:

lsd-rs releases GitHub checksums publication

💡 Result:

lsd-rs (lsd, the next gen ls command in Rust) publishes releases on GitHub at https://github.com/lsd-rs/lsd/releases. Each release includes precompiled binaries for Linux, macOS, and Windows (e.g., 28 assets for v1.1.2), source code as zip and tar.gz, and deb packages. Tags are GPG-signed (though some keys expired), providing cryptographic verification for tags/commits. No checksum files (e.g., checksums.sha256, SHA256SUMS) or published hashes for binaries are present in release notes or assets based on available data. Users must compute checksums locally (e.g., sha256sum) to verify downloads against potential future published values or use GitHub's asset integrity features. Latest release: v1.2.0 (Oct 2025).

Citations:

• 1: https://github.com/lsd-rs/lsd/releases
• 2: https://github.com/lsd-rs/lsd/tags
• 3: https://github.com/lsd-rs/lsd
• 4: https://lib.rs/crates/lsd

---

Add integrity verification before installing downloaded artifacts.

Lines 211–213, 240–242, and 253–254 download binaries directly without checksum or signature verification. Go and yq have published checksums available; lsd does not—all three should be verified before installation.

Go 1.23.4: SHA256 checksums are published at https://go.dev/dl/ and https://storage.googleapis.com/golang/go1.23.4.linux-amd64.tar.gz.sha256

yq v4.44.6: Checksums file available in GitHub release assets; extract via the provided extract-checksum.sh script

lsd 1.1.5: No published checksums; either pin a locally-computed hash or verify the GPG-signed release tag

🔐 Suggested pattern (pin and verify checksums)

+verify_sha256() {
+    local expected="$1"
+    local file="$2"
+    echo "${expected}  ${file}" | sha256sum -c -
+}
+
 (
     TMP_DIR="$(mktemp -d)"
     trap 'rm -rf "$TMP_DIR"' EXIT
     GO_VERSION="1.23.4"
+    GO_SHA256="<official-go.dev/dl-checksum>"
     wget "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" -O "$TMP_DIR/go.tar.gz"
+    verify_sha256 "$GO_SHA256" "$TMP_DIR/go.tar.gz"
     sudo rm -rf /usr/local/go
     sudo tar -C /usr/local -xzf "$TMP_DIR/go.tar.gz"
 )

Apply the same pattern for yq using the GitHub release checksums file, and for lsd either pin a locally-verified hash or use GPG tag verification from the release.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tools/os_installers/apt.sh` around lines 211 - 213, Add integrity checks
before extracting/downloading artifacts: for the Go download that uses variables
GO_VERSION, TMP_DIR and the wget/tar sequence, fetch the corresponding SHA256
file (or published checksum URL), compute and compare sha256sum of
"$TMP_DIR/go.tar.gz" and abort with an error/log if mismatch before running sudo
tar; for yq (the wget/curl usage around the yq download and extract-checksum.sh
reference) download the GitHub release checksums asset, extract the expected
checksum and verify the downloaded binary similarly; for lsd (version 1.1.5)
either pin and verify a hardcoded sha256 computed from a vetted copy or verify
the release tag via GPG signature before installing; ensure failures stop the
installer and log the checksum/verification details.