🛡️ Sentinel: [HIGH] Fix insecure temporary file usage in apt.sh

[kidchenko]

🛡️ Sentinel: [HIGH] Fix insecure temporary file usage in apt.sh

🚨 Severity: HIGH
💡 Vulnerability: Predictable temporary file path /tmp/yq used during the download and installation of yq.
🎯 Impact: Hardcoding /tmp/yq allows a malicious local user to pre-create /tmp/yq (e.g., as a symlink or with specific permissions), leading to potential privilege escalation or overriding of arbitrary files when sudo mv /tmp/yq /usr/local/bin/yq is executed.
🔧 Fix: Replaced the hardcoded /tmp/yq download and move logic with a subshell that creates a secure temporary directory using mktemp -d and implements an EXIT trap to guarantee cleanup.
✅ Verification: Ran ./build.sh (ShellCheck passed) and reviewed the patch.

---

PR created automatically by Jules for task 7306839158455040801 started by @kidchenko

Summary by CodeRabbit

• Bug Fixes

  • Resolved a local privilege escalation vulnerability in the package installer that used predictable temporary file locations, exploitable by attackers on the same system.

• Documentation

  • Added security incident records documenting the vulnerability details and prevention guidance for similar issues.

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

📝 Walkthrough

Walkthrough

A security vulnerability in the apt installer script is fixed by replacing hardcoded temporary file path /tmp/yq with a securely generated temporary directory via mktemp -d, along with an EXIT trap for automatic cleanup. The change is documented in a new vulnerability log.

Changes

Cohort / File(s)	Summary
Security Documentation .jules/sentinel.md	New vulnerability report entry documenting the predictable temporary file usage issue in apt.sh, including attack vectors and remediation guidance.
Apt Installer Security Fix tools/os_installers/apt.sh	Modified script to use mktemp -d for creating a temporary directory instead of hardcoded /tmp/yq, with an EXIT trap registered for cleanup. Updated mv and chmod operations to reference the secure temporary path.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A rabbit hops through /tmp with care,
No symlinks hiding tricks there—
With mktemp now standing guard,
And cleanup traps working hard,
Our files are safe beyond compare! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: fixing insecure temporary file usage in apt.sh as a security fix. It clearly identifies the file affected and the security issue being addressed.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sentinel-fix-apt-sh-tmp-yq-7306839158455040801

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.jules/sentinel.md:
- Line 3: The journal entry header "## 2024-04-11 - [Insecure Temporary File
Usage for yq Download]" has the wrong year; update that header to "## 2026-04-11
- [Insecure Temporary File Usage for yq Download]" so the sentinel.md date
matches this PR event and preserves accurate audit history.

In `@tools/os_installers/apt.sh`:
- Around line 237-239: The download/install of yq (using YQ_VERSION and TMP_DIR
to write /usr/local/bin/yq) lacks integrity verification before running sudo
mv/chmod; add SHA256 verification by obtaining a trusted checksum (e.g. a
YQ_SHA256 variable or downloading the release checksum alongside the binary),
compute the downloaded file's sha256 (using sha256sum or shasum -a 256) and
compare it to the expected value, abort with a clear error if the check fails,
and only run sudo mv /usr/local/bin/yq and sudo chmod +x after the checksum
passes.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 00182116-8ffe-4753-a1c7-6b8b99280e07

📥 Commits

Reviewing files that changed from the base of the PR and between eb5ca40 and 9a218bd.

📒 Files selected for processing (2)

• .jules/sentinel.md
• tools/os_installers/apt.sh

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Fix the journal date to match this PR event.

The entry says 2024-04-11, but this PR is from 2026-04-11. Please correct the date to avoid audit/history confusion.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.jules/sentinel.md at line 3, The journal entry header "## 2024-04-11 -
[Insecure Temporary File Usage for yq Download]" has the wrong year; update that
header to "## 2026-04-11 - [Insecure Temporary File Usage for yq Download]" so
the sentinel.md date matches this PR event and preserves accurate audit history.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify whether the yq install flow includes integrity verification primitives.
rg -n -C3 'yq/releases/download|sha256sum|shasum|gpg|cosign' tools/os_installers/apt.sh

Repository: kidchenko/dotfiles

Length of output: 2629

---

🏁 Script executed:

# Check for any sha256 or sig file handling in the yq install block
rg -n -B10 -A5 'yq_linux_amd64' tools/os_installers/apt.sh

Repository: kidchenko/dotfiles

Length of output: 577

---

🏁 Script executed:

# Also check if there's a separate verification step after the download
rg -n -B2 -A10 'YQ_VERSION' tools/os_installers/apt.sh

Repository: kidchenko/dotfiles

Length of output: 715

---

Add integrity verification before privileged install of yq.

The script downloads an executable and installs it with sudo without checksum or signature validation. A compromised release artifact would be installed as root. While other tools in this script (GitHub CLI, Docker, Yarn, Terraform) use GPG key verification, yq bypasses this security practice. Add SHA256 verification before the privileged install:

Suggested hardening patch

 if ! command -v yq &> /dev/null; then
     YQ_VERSION="v4.44.6"
+    YQ_SHA256="<pin-sha256-for-yq_linux_amd64>"
     (
         TMP_DIR=$(mktemp -d)
         trap 'rm -rf "$TMP_DIR"' EXIT
         wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$TMP_DIR/yq"
+        echo "${YQ_SHA256}  $TMP_DIR/yq" | sha256sum -c -
         sudo mv "$TMP_DIR/yq" /usr/local/bin/yq
         sudo chmod +x /usr/local/bin/yq
     )
 fi

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$TMP_DIR/yq"
	sudo mv "$TMP_DIR/yq" /usr/local/bin/yq
	sudo chmod +x /usr/local/bin/yq
	if ! command -v yq &> /dev/null; then
	YQ_VERSION="v4.44.6"
	YQ_SHA256="<pin-sha256-for-yq_linux_amd64>"
	(
	TMP_DIR=$(mktemp -d)
	trap 'rm -rf "$TMP_DIR"' EXIT
	wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$TMP_DIR/yq"
	echo "${YQ_SHA256} $TMP_DIR/yq" | sha256sum -c -
	sudo mv "$TMP_DIR/yq" /usr/local/bin/yq
	sudo chmod +x /usr/local/bin/yq
	)
	fi

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tools/os_installers/apt.sh` around lines 237 - 239, The download/install of
yq (using YQ_VERSION and TMP_DIR to write /usr/local/bin/yq) lacks integrity
verification before running sudo mv/chmod; add SHA256 verification by obtaining
a trusted checksum (e.g. a YQ_SHA256 variable or downloading the release
checksum alongside the binary), compute the downloaded file's sha256 (using
sha256sum or shasum -a 256) and compare it to the expected value, abort with a
clear error if the check fails, and only run sudo mv /usr/local/bin/yq and sudo
chmod +x after the checksum passes.