
🛡️ Sentinel: [CRITICAL] Fix insecure temporary file and directory usage in apt.sh #89

Open
kidchenko wants to merge 1 commit into main from
sentinel/fix-insecure-apt-downloads-3117339337147531414

Conversation


@kidchenko kidchenko commented Apr 14, 2026

🚨 Severity: CRITICAL
💡 Vulnerability: Predictable temporary file and current working directory usage when downloading executables in apt.sh.
🎯 Impact: Downloading files directly into the current directory or a predictable temporary path like /tmp/ without specific permissions can allow local privilege escalation or symlink attacks.
🔧 Fix: Use mktemp -d to create a secure temporary directory, wrap the logic in a subshell (...), and set a cleanup trap, trap 'rm -rf "$TMP_DIR"' EXIT, for the go, yq, lsd, and composer installations.
✅ Verification: Check that ./build.sh passes and no longer creates predictable files during execution.


PR created automatically by Jules for task 3117339337147531414 started by @kidchenko

Summary by CodeRabbit

  • Bug Fixes

    • Improved security of the installation process with better handling of temporary files and downloads to reduce file system pollution and cleanup issues.
  • Chores

    • Added documentation on installer security considerations and preventive best practices.

…ge in apt.sh

Co-authored-by: kidchenko <5432753+kidchenko@users.noreply.github.com>
@google-labs-jules
Contributor

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@coderabbitai

coderabbitai bot commented Apr 14, 2026

πŸ“ Walkthrough

Walkthrough

A security vulnerability addressing predictable file creation and unsafe temporary directory usage is documented, and installer scripts are updated to create temporary directories using mktemp -d with EXIT trap-based cleanup instead of explicit deletion of downloaded artifacts in the working directory.

Changes

Cohort / File(s) | Summary
Security Documentation (.jules/sentinel.md) | New Sentinel Journal entry documenting the predictable file creation vulnerability and the prevention strategy using mktemp -d with EXIT trap cleanup.
Package Installers (tools/os_installers/apt.sh) | Go, yq, lsd, and Composer installer sections refactored to perform downloads/extractions in temporary directories created via mktemp -d, with EXIT trap cleanup replacing explicit artifact removal.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 Whiskers twitching with security delight,
Temp folders blooming in /tmp's embrace so tight,
No more breadcrumbs in directories wide,
Just magic traps that clean up with pride!
Safety hops forward, vulnerability takes flight! ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title clearly identifies the main change: fixing insecure temporary file/directory usage in apt.sh, which aligns with the core vulnerability fix documented in the changeset.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tools/os_installers/apt.sh`:
- Around line 276-280: The checksum failure branch currently only writes an
error to stderr and returns success; update the else branch that compares
EXPECTED_CHECKSUM and ACTUAL_CHECKSUM to abort the script on mismatch by exiting
with a non-zero status after printing the error (i.e., ensure the block handling
'ERROR: Invalid installer checksum for Composer' exits immediately), so the
installer (composer-setup.php) will not be run when the checksum validation
fails.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5696b8fa-ba05-436e-9442-80c2ca4aaa03

📥 Commits

Reviewing files that changed from the base of the PR and between eb5ca40 and 6c583be.

📒 Files selected for processing (2)
  • .jules/sentinel.md
  • tools/os_installers/apt.sh

Comment on lines +276 to +280
if [ "$EXPECTED_CHECKSUM" = "$ACTUAL_CHECKSUM" ]; then
sudo php composer-setup.php --quiet --install-dir=/usr/local/bin --filename=composer
else
>&2 echo 'ERROR: Invalid installer checksum for Composer'
fi

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify mismatch branch currently does not fail non-zero.
awk 'NR>=268 && NR<=281 {print NR ":" $0}' tools/os_installers/apt.sh
echo "---- non-zero exits in mismatch branch ----"
awk 'NR>=276 && NR<=280 {print}' tools/os_installers/apt.sh | rg -n 'exit\s+[1-9]|return\s+[1-9]' || true

Repository: kidchenko/dotfiles

Length of output: 801


🏁 Script executed:

# Check broader context: what's before and after this block
head -270 tools/os_installers/apt.sh | tail -30

# Check what happens after line 281
sed -n '268,290p' tools/os_installers/apt.sh

# Check if script uses set -e
head -20 tools/os_installers/apt.sh | grep -E '^\s*set\s+-[a-z]'

# Check the full function/context name
sed -n '250,290p' tools/os_installers/apt.sh

Repository: kidchenko/dotfiles

Length of output: 3031


Add explicit exit on Composer checksum validation failure.

The script only logs an error on checksum mismatch but exits with status 0, allowing subsequent commands to execute. This bypasses the integrity validation and continues setup with a potentially compromised installer.

🔧 Proposed fix
         if [ "$EXPECTED_CHECKSUM" = "$ACTUAL_CHECKSUM" ]; then
             sudo php composer-setup.php --quiet --install-dir=/usr/local/bin --filename=composer
         else
             >&2 echo 'ERROR: Invalid installer checksum for Composer'
+            exit 1
         fi
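Review bot: the added `exit 1` terminates only the `( ... )` subshell this PR wraps the Composer step in (the description says "wrap logic in a subshell (...)" with an EXIT trap), so the parent apt.sh carries on past the Composer section unless it tests the subshell's status or runs under `set -e`; the analysis chain above grepped the script header for `set -e` but its output is not shown here. Note also that on a mismatch the existing `if` already skips `sudo php composer-setup.php`, so what the exit buys is making the failure visible to the caller, not preventing the installer from running. Suggest keeping the `exit 1` and adding `|| exit 1` at the subshell boundary (or `return 1` if the section is a function invoked under `set -e`) so that a checksum failure fails the whole build rather than one subshell.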
πŸ“ Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if [ "$EXPECTED_CHECKSUM" = "$ACTUAL_CHECKSUM" ]; then
sudo php composer-setup.php --quiet --install-dir=/usr/local/bin --filename=composer
else
>&2 echo 'ERROR: Invalid installer checksum for Composer'
fi
if [ "$EXPECTED_CHECKSUM" = "$ACTUAL_CHECKSUM" ]; then
sudo php composer-setup.php --quiet --install-dir=/usr/local/bin --filename=composer
else
>&2 echo 'ERROR: Invalid installer checksum for Composer'
exit 1
fi
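The pattern the PR description prescribes (mktemp -d, a subshell, an EXIT trap) combined with the checksum abort CodeRabbit asks for, written out as an added example; this is not code from the dotfiles repository. The download is modelled by copying a local, constructed file so it runs offline, and the names install_from_tempdir, sha256_of and demo are chosen here; a real installer would put its curl call at the marked cp line.

```shell
#!/bin/sh
# Added example (not code from the dotfiles repository): download into a
# private temp dir, verify a checksum, install, and clean up, with the step
# wrapped in a subshell as the PR does. The download is modelled by copying a
# local file so the example runs offline (assumption); a real installer would
# run `curl -fsSL "$url" -o "$tmp_dir/artifact"` at the marked line.

# Portable SHA-256 of a file: GNU coreutils sha256sum, or Perl's shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# install_from_tempdir SRC EXPECTED_SHA256 DEST_DIR [TMP_BASE]
# Returns 0 on a verified install, non-zero otherwise. Everything runs in a
# subshell: `exit 1` and the EXIT trap affect only this step, and the caller
# is responsible for acting on the non-zero status (set -e or `|| exit 1`).
install_from_tempdir() {
    (
        set -e
        tmp_base="${4:-${TMPDIR:-/tmp}}"
        tmp_dir=$(mktemp -d "$tmp_base/install.XXXXXX")  # mode 0700, unpredictable name
        trap 'rm -rf "$tmp_dir"' EXIT                    # runs on success, on error, on exit 1

        cp "$1" "$tmp_dir/artifact"          # <- real code: curl -fsSL "$url" -o "$tmp_dir/artifact"
        actual=$(sha256_of "$tmp_dir/artifact")
        if [ "$2" != "$actual" ]; then
            >&2 echo "ERROR: checksum mismatch for $1 (expected $2, got $actual)"
            exit 1                           # abort this step; nothing has been installed
        fi
        # Only a verified artifact leaves the temp dir, with explicit permissions.
        install -m 0755 "$tmp_dir/artifact" "$3/artifact"
    )
}

# Stand-alone demonstration on a constructed artifact: a correct checksum
# installs, a wrong one does not, and the temp base is empty afterwards in
# both cases. Prints and returns PASS or FAIL.
demo() {
    scratch=$(mktemp -d) || return 1
    mkdir "$scratch/tmp" "$scratch/bin"
    printf '#!/bin/sh\necho hello\n' > "$scratch/payload"   # constructed "download"
    good=$(sha256_of "$scratch/payload")
    result=FAIL

    if install_from_tempdir "$scratch/payload" "$good" "$scratch/bin" "$scratch/tmp" \
        && [ -x "$scratch/bin/artifact" ] \
        && [ -z "$(ls -A "$scratch/tmp")" ]; then
        rm "$scratch/bin/artifact"
        # Wrong checksum: must fail, install nothing, and still clean up.
        if ! install_from_tempdir "$scratch/payload" "deadbeef" "$scratch/bin" "$scratch/tmp" 2>/dev/null \
            && [ ! -e "$scratch/bin/artifact" ] \
            && [ -z "$(ls -A "$scratch/tmp")" ]; then
            result=PASS
        fi
    fi

    rm -rf "$scratch"
    echo "$result"
    [ "$result" = PASS ]
}
```

Because the exit 1 runs inside the ( ... ) subshell, it ends that step only; install_from_tempdir returns non-zero and the caller has to act on it, which is what set -e in the parent script or an explicit || exit 1 at the call site provides. The trap fires on both paths, so the check that the temp base directory is empty after the failing call is what demonstrates cleanup on failure, not just on success.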
