🛡️ Sentinel: [CRITICAL] Fix predictable temporary file path vulnerability

[kidchenko]

🚨 Severity: CRITICAL
💡 Vulnerability: A package installation script (tools/os_installers/apt.sh) previously downloaded the yq binary to a hardcoded, predictable temporary file path (/tmp/yq) before calling sudo mv. This setup exposes the system to Time-of-Check to Time-of-Use (TOCTOU) and symlink attacks, potentially leading to arbitrary file overwriting or local privilege escalation.
🎯 Impact: An attacker with local access could predict the path, overwrite yq before it is moved, and inject a malicious binary into /usr/local/bin, thereby executing arbitrary code with elevated privileges.
🔧 Fix: Modified the script to utilize mktemp -d within a subshell ((...)), ensuring the directory is created securely. Added trap 'rm -rf "$TMP_DIR"' EXIT for safe and localized cleanup without disrupting global traps.
✅ Verification:

• Verify that tools/os_installers/apt.sh no longer references /tmp/yq.
• Check that the yq installation uses mktemp -d within a subshell with proper traps.
• Ensure the repository passes validation checks (./build.sh).
• Verify .jules/sentinel.md has been updated with the corresponding security lesson.

---

PR created automatically by Jules for task 10709256194709934029 started by @kidchenko

Summary by CodeRabbit

• Bug Fixes

  • Fixed a security vulnerability in the package installation process where temporary files were stored in a predictable location vulnerable to symlink attacks. The installer now uses securely generated temporary directories that are automatically cleaned up.

• Documentation

  • Added vulnerability documentation entry for tracking purposes.

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

📝 Walkthrough

Walkthrough

A security vulnerability in the apt.sh installer script is documented in a new sentinel entry and fixed. The vulnerability involves downloading a yq binary to a predictable temporary path (/tmp/yq), creating a TOCTOU and symlink attack risk. The fix uses mktemp -d for secure temporary directory creation and ensures cleanup via a trap handler.

Changes

Cohort / File(s)	Summary
Vulnerability Documentation .jules/sentinel.md	Added sentinel entry dated 2025-04-04 documenting TOCTOU and symlink vulnerabilities in the yq installer, including recommended mitigation strategies.
Security Fix tools/os_installers/apt.sh	Replaced predictable /tmp/yq temporary path with a securely generated temporary directory via mktemp -d, added trap cleanup handler to remove the directory on script exit.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A rabbit hops through /tmp with care,
No more predictable paths laid bare,
With mktemp -d and trap's embrace,
Security finds its safest place! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main security fix: addressing a predictable temporary file path vulnerability in apt.sh by implementing secure temporary directory handling.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sentinel-fix-apt-temp-file-10709256194709934029

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.jules/sentinel.md:
- Around line 1-4: Change the markdown to start with a single top-level heading
and a blank line: replace the first line "## 2025-04-04 - Predictable Temporary
File Path Vulnerability in Package Download" with "# 2025-04-04 - Predictable
Temporary File Path Vulnerability in Package Download" and insert an empty line
after it; then wrap or break the long sentences in the body (the lines
describing Vulnerability, Learning, and Prevention) to 80 characters or fewer
per line so each paragraph adheres to the line-length limit.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 23e99ded-5bc2-4563-aad9-5d93ede88fac

📥 Commits

Reviewing files that changed from the base of the PR and between eb5ca40 and 2ce5c1f.

📒 Files selected for processing (2)

• .jules/sentinel.md
• tools/os_installers/apt.sh

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Fix markdown linting failures.

The static analysis pipeline is failing due to markdown formatting issues:

• Line 1: Should start with a top-level heading (#) and have a blank line after it
• Lines 2-4: Exceed 80 character line length limit

📝 Proposed fix for markdown formatting

-## 2025-04-04 - Predictable Temporary File Path Vulnerability in Package Download
-**Vulnerability:** A package install script (`tools/os_installers/apt.sh`) downloaded the `yq` binary to a hardcoded, predictable temporary file path (`/tmp/yq`) before moving it to its final destination with elevated privileges (`sudo mv`).
-**Learning:** Hardcoded temporary paths in shared directories (like `/tmp`) are vulnerable to Time-of-Check to Time-of-Use (TOCTOU) and symlink attacks, potentially allowing an attacker to overwrite arbitrary files or escalate privileges.
-**Prevention:** Always use securely generated random directories (e.g., `mktemp -d`) for temporary files. Wrap the temporary operations in a subshell `(...)` and use `trap 'rm -rf "$TMP_DIR"' EXIT` to ensure the directory is automatically and safely cleaned up, without overriding global script traps.
+# Sentinel Security Learnings
+
+## 2025-04-04 - Predictable Temporary File Path Vulnerability in Package Download
+
+**Vulnerability:** A package install script (`tools/os_installers/apt.sh`)
+downloaded the `yq` binary to a hardcoded, predictable temporary file path
+(`/tmp/yq`) before moving it to its final destination with elevated privileges
+(`sudo mv`).
+
+**Learning:** Hardcoded temporary paths in shared directories (like `/tmp`) are
+vulnerable to Time-of-Check to Time-of-Use (TOCTOU) and symlink attacks,
+potentially allowing an attacker to overwrite arbitrary files or escalate
+privileges.
+
+**Prevention:** Always use securely generated random directories (e.g.,
+`mktemp -d`) for temporary files. Wrap the temporary operations in a subshell
+`(...)` and use `trap 'rm -rf "$TMP_DIR"' EXIT` to ensure the directory is
+automatically and safely cleaned up, without overriding global script traps.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	## 2025-04-04 - Predictable Temporary File Path Vulnerability in Package Download
	**Vulnerability:** A package install script (`tools/os_installers/apt.sh`) downloaded the `yq` binary to a hardcoded, predictable temporary file path (`/tmp/yq`) before moving it to its final destination with elevated privileges (`sudo mv`).
	**Learning:** Hardcoded temporary paths in shared directories (like `/tmp`) are vulnerable to Time-of-Check to Time-of-Use (TOCTOU) and symlink attacks, potentially allowing an attacker to overwrite arbitrary files or escalate privileges.
	**Prevention:** Always use securely generated random directories (e.g., `mktemp -d`) for temporary files. Wrap the temporary operations in a subshell `(...)` and use `trap 'rm -rf "$TMP_DIR"' EXIT` to ensure the directory is automatically and safely cleaned up, without overriding global script traps.
	# Sentinel Security Learnings
	## 2025-04-04 - Predictable Temporary File Path Vulnerability in Package Download
	**Vulnerability:** A package install script (`tools/os_installers/apt.sh`)
	downloaded the `yq` binary to a hardcoded, predictable temporary file path
	(`/tmp/yq`) before moving it to its final destination with elevated privileges
	(`sudo mv`).
	**Learning:** Hardcoded temporary paths in shared directories (like `/tmp`) are
	vulnerable to Time-of-Check to Time-of-Use (TOCTOU) and symlink attacks,
	potentially allowing an attacker to overwrite arbitrary files or escalate
	privileges.
	**Prevention:** Always use securely generated random directories (e.g.,
	`mktemp -d`) for temporary files. Wrap the temporary operations in a subshell
	`(...)` and use `trap 'rm -rf "$TMP_DIR"' EXIT` to ensure the directory is
	automatically and safely cleaned up, without overriding global script traps.

🧰 Tools

🪛 GitHub Check: Lint Documentation

[failure] 4-4: Line length
.jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 301] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

---

[failure] 3-3: Line length
.jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 238] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

---

[failure] 2-2: Line length
.jules/sentinel.md:2:81 MD013/line-length Line length [Expected: 80; Actual: 241] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

---

[failure] 1-1: First line in a file should be a top-level heading
.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2025-04-04 - Predictable Te..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md

---

[failure] 1-1: Headings should be surrounded by blank lines
.jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2025-04-04 - Predictable Temporary File Path Vulnerability in Package Download"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.jules/sentinel.md around lines 1 - 4, Change the markdown to start with a
single top-level heading and a blank line: replace the first line "## 2025-04-04
- Predictable Temporary File Path Vulnerability in Package Download" with "#
2025-04-04 - Predictable Temporary File Path Vulnerability in Package Download"
and insert an empty line after it; then wrap or break the long sentences in the
body (the lines describing Vulnerability, Learning, and Prevention) to 80
characters or fewer per line so each paragraph adheres to the line-length limit.