🛡️ Sentinel: [CRITICAL] Fix predictable temporary file vulnerability in apt.sh

[kidchenko]

🛡️ Sentinel: [CRITICAL] Fix predictable temporary file vulnerability in apt.sh

🚨 Severity: CRITICAL
💡 Vulnerability: Predictable temporary file path and unsafe working directory downloading allows for symlink attacks and race conditions when downloading system binaries.
🎯 Impact: Attackers could potentially overwrite system binaries before they get moved with sudo during the installation, leading to local privilege escalation.
🔧 Fix: Wrapped download and extraction steps inside a subshell using securely created TMP_DIR=$(mktemp -d) and a local trap for guaranteed cleanup.
✅ Verification: Ran syntax checking and ./build.sh suite to verify tests pass and no shellcheck errors are introduced. Verified .jules/sentinel.md learnings were recorded appropriately.

---

PR created automatically by Jules for task 6679598384118755452 started by @kidchenko

Summary by CodeRabbit

• Security

  • Improved installation process for Go, yq, lsd, and Composer with secure temporary directory handling and automatic cleanup to prevent file poisoning and race condition exploits.

• Documentation

  • Added security guidance documentation detailing vulnerability scenarios in installer scripts and providing remediation practices for safe temporary file handling.

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

📝 Walkthrough

Walkthrough

A new security documentation file is added describing TOCTOU vulnerabilities in installer scripts, followed by updates to the apt.sh installer to use secure temporary directories created via mktemp with automatic cleanup via trap handlers for Go, yq, lsd, and Composer installations.

Changes

Cohort / File(s)	Summary
Security Documentation .jules/sentinel.md	New journal entry documenting TOCTOU and symlink poisoning vulnerabilities in installers using predictable temp locations, with remediation guidance to use mktemp -d and trap-based cleanup.
Installer Script Hardening tools/os_installers/apt.sh	Updated Go, yq, lsd, and Composer installation blocks to execute downloads within isolated mktemp directories in subshells with trap EXIT cleanup handlers, eliminating explicit file/directory removals.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 In /tmp where dangers lurk and symlinks lay,
We hop to safety with mktemp today!
Traps spring shut on exit so clean,
No leftover files to be seen—
Secure installers, a rabbit's delight! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly identifies the main change: fixing a critical predictable temporary file vulnerability in apt.sh, which is the primary focus of the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sentinel-fix-apt-temp-file-vuln-6679598384118755452

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tools/os_installers/apt.sh`:
- Around line 212-214: The Go, YQ, and LSD install blocks currently download
artifacts (e.g., "go${GO_VERSION}.linux-amd64.tar.gz", yq and lsd tarballs) and
run privileged extraction without verification; modify each block to first
download the corresponding checksum and/or GPG signature from the official
release, import and trust the vendor's GPG key if a signature is provided,
verify the signature or validate the SHA256 checksum against the downloaded
artifact, and only then perform the sudo rm -rf /usr/local/go and sudo tar -C
/usr/local -xzf steps; ensure you reference the existing variables like
GO_VERSION and the exact filenames used by wget when implementing the
verification so the verification step matches the artifact filenames.
- Around line 276-280: The else branch that handles the checksum mismatch
currently only prints an error and allows the subshell to continue; update the
checksum failure handling so the subshell exits with a non-zero status (e.g.,
call exit 1) after echoing the error to stderr, ensuring the failure of the
EXPECTED_CHECKSUM vs ACTUAL_CHECKSUM check (and the composer-setup.php integrity
check) stops the install flow.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1b78f927-94da-4f5f-a833-6daa03db6280

📥 Commits

Reviewing files that changed from the base of the PR and between eb5ca40 and bea6025.

📒 Files selected for processing (2)

• .jules/sentinel.md
• tools/os_installers/apt.sh

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify current download/install paths do not enforce artifact integrity checks
rg -n -C3 'GO_VERSION|YQ_VERSION|LSD_VERSION|wget|tar -C /usr/local -xzf|sudo mv yq|sudo dpkg -i|sha256sum|gpg --verify' tools/os_installers/apt.sh

Repository: kidchenko/dotfiles

Length of output: 1817

---

Add cryptographic verification before privileged installs.

GO, YQ, and LSD installations (lines 212–214, 242–244, 256–257) download release artifacts and install them with sudo without checksum or signature validation. The Terraform installation pattern (line 222) shows how GPG verification can be used; apply similar verification to these three tools.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tools/os_installers/apt.sh` around lines 212 - 214, The Go, YQ, and LSD
install blocks currently download artifacts (e.g.,
"go${GO_VERSION}.linux-amd64.tar.gz", yq and lsd tarballs) and run privileged
extraction without verification; modify each block to first download the
corresponding checksum and/or GPG signature from the official release, import
and trust the vendor's GPG key if a signature is provided, verify the signature
or validate the SHA256 checksum against the downloaded artifact, and only then
perform the sudo rm -rf /usr/local/go and sudo tar -C /usr/local -xzf steps;
ensure you reference the existing variables like GO_VERSION and the exact
filenames used by wget when implementing the verification so the verification
step matches the artifact filenames.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify mismatch branch currently does not return non-zero
nl -ba tools/os_installers/apt.sh | sed -n '268,282p'

Repository: kidchenko/dotfiles

Length of output: 102

---

🏁 Script executed:

cat -n tools/os_installers/apt.sh | sed -n '268,282p'

Repository: kidchenko/dotfiles

Length of output: 809

---

🏁 Script executed:

cat -n tools/os_installers/apt.sh | sed -n '260,290p'

Repository: kidchenko/dotfiles

Length of output: 1249

---

Exit the subshell when Composer checksum validation fails.

When the checksum validation fails at line 279, the subshell continues and exits successfully, allowing the script to proceed normally. On integrity failure, the subshell should exit with a non-zero code to prevent the installation from being treated as successful.

💡 Proposed fix

         if [ "$EXPECTED_CHECKSUM" = "$ACTUAL_CHECKSUM" ]; then
             sudo php composer-setup.php --quiet --install-dir=/usr/local/bin --filename=composer
         else
             >&2 echo 'ERROR: Invalid installer checksum for Composer'
+            exit 1
         fi

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if [ "$EXPECTED_CHECKSUM" = "$ACTUAL_CHECKSUM" ]; then
	sudo php composer-setup.php --quiet --install-dir=/usr/local/bin --filename=composer
	else
	>&2 echo 'ERROR: Invalid installer checksum for Composer'
	fi
	if [ "$EXPECTED_CHECKSUM" = "$ACTUAL_CHECKSUM" ]; then
	sudo php composer-setup.php --quiet --install-dir=/usr/local/bin --filename=composer
	else
	>&2 echo 'ERROR: Invalid installer checksum for Composer'
	exit 1
	fi

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tools/os_installers/apt.sh` around lines 276 - 280, The else branch that
handles the checksum mismatch currently only prints an error and allows the
subshell to continue; update the checksum failure handling so the subshell exits
with a non-zero status (e.g., call exit 1) after echoing the error to stderr,
ensuring the failure of the EXPECTED_CHECKSUM vs ACTUAL_CHECKSUM check (and the
composer-setup.php integrity check) stops the install flow.