From 971cff617f00f0e0c6d27426373e1c5e8bdb15df Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Wed, 8 Apr 2026 04:53:15 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[HIGH]=20Fi?= =?UTF-8?q?x=20TOCTOU=20vulnerability=20in=20SSH=20key=20generation?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This commit fixes a Time-of-Check to Time-of-Use (TOCTOU) vulnerability in `tools/setup-ssh-keys.sh` where SSH private keys were temporarily written to disk with default permissions before being restricted. By applying `umask 077` within a subshell during file creation, the keys are safely created with `-rw-------` permissions from inception. Also records this vulnerability learning in `.jules/sentinel.md`.

Co-authored-by: kidchenko <5432753+kidchenko@users.noreply.github.com>
---
 .jules/sentinel.md | 4 ++++
 tools/setup-ssh-keys.sh | 14 +++++++++-----
 2 files changed, 13 insertions(+), 5 deletions(-)
 create mode 100644 .jules/sentinel.md

diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..0c850a3
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2024-04-08 - [TOCTOU in SSH Key Generation]
+**Vulnerability:** SSH private keys were temporarily written to disk with default permissions before `chmod 600` was applied, creating a Time-of-Check to Time-of-Use (TOCTOU) vulnerability where other users could theoretically read the key in the brief window between creation and permission change.
+**Learning:** Shell redirection (`>`) creates files with default umask permissions. Applying `chmod` immediately after still leaves a race condition.
+**Prevention:** Shell scripts handling sensitive data must enforce strict access control using `umask 077` (globally or in a subshell) before file creation to prevent TOCTOU vulnerabilities.
diff --git a/tools/setup-ssh-keys.sh b/tools/setup-ssh-keys.sh
index bde52fd..f7db0c9 100755
--- a/tools/setup-ssh-keys.sh
+++ b/tools/setup-ssh-keys.sh
@@ -152,13 +152,17 @@ cmd_restore() {
 mkdir -p "$SSH_DIR"
 chmod 700 "$SSH_DIR"
 
- # Read private key from 1Password and save locally
- op read "op://$VAULT/$KEY_NAME/private_key" > "$PRIVATE_KEY_FILE"
- chmod 600 "$PRIVATE_KEY_FILE"
+ # Read private key from 1Password and save locally (prevent TOCTOU)
+ (
+ umask 077
+ op read "op://$VAULT/$KEY_NAME/private_key" > "$PRIVATE_KEY_FILE"
+ )
 
 # Read public key from 1Password and save locally
- op read "op://$VAULT/$KEY_NAME/public_key" > "$PUBLIC_KEY_FILE"
- chmod 644 "$PUBLIC_KEY_FILE"
+ (
+ umask 022
+ op read "op://$VAULT/$KEY_NAME/public_key" > "$PUBLIC_KEY_FILE"
+ )
 
 say "SSH key restored to $SSH_DIR"
 echo ""
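Review bot: `umask 077` only governs the mode of a file that is newly created, so when `$PRIVATE_KEY_FILE` already exists (an earlier restore, or a copy left behind with default permissions) the `>` redirection truncates it in place and keeps whatever mode it has, and with the explicit `chmod 600` removed such a file is never tightened; the same gap applies to the public-key block, where `umask 022` replaces `chmod 644`. Remove any stale file before writing, e.g. `( umask 077; rm -f -- "$PRIVATE_KEY_FILE"; op read "op://$VAULT/$KEY_NAME/private_key" > "$PRIVATE_KEY_FILE" )`, or keep the post-write `chmod 600` as a second line of defence. The redirection also creates or truncates the key file before `op read` produces any output, so a failed read leaves an empty key file on disk; unless `set -e` is in force elsewhere in the file (not visible here), appending `|| { rm -f -- "$PRIVATE_KEY_FILE"; return 1; }` after the closing `)` would prevent that. cmd_restore begins at the hunk header and continues past the end of the hunk.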