Skip to content

πŸ›‘οΈ Sentinel: [HIGH] Fix insecure temporary file usage #51

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
kidchenko wants to merge 1 commit into
base: main
Choose a base branch
from
Open

πŸ›‘οΈ Sentinel: [HIGH] Fix insecure temporary file usage #51

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .jules/sentinel.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
## 2025-03-07 - [Fix Insecure Temporary File Usage in OS Installers]

Check failure on line 1 in .jules/sentinel.md

View workflow job for this annotation

GitHub Actions / Lint Documentation

First line in a file should be a top-level heading 

.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2025-03-07 - [Fix Insecure ..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md

Check failure on line 1 in .jules/sentinel.md

View workflow job for this annotation

GitHub Actions / Lint Documentation

Headings should be surrounded by blank lines 

.jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2025-03-07 - [Fix Insecure Temporary File Usage in OS Installers]"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md
**Vulnerability:** Predictable temporary file locations (`/tmp/yq`) and current working directory downloads during package installation in `tools/os_installers/apt.sh`.

Check failure on line 2 in .jules/sentinel.md

View workflow job for this annotation

GitHub Actions / Lint Documentation

Line length 

.jules/sentinel.md:2:81 MD013/line-length Line length [Expected: 80; Actual: 168] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md
**Learning:** Using predictable paths like `/tmp/filename` allows local privilege escalation and symlink attacks. Downloading directly to the current working directory is untidy and may leave artifacts behind or conflict with existing files.

Check failure on line 3 in .jules/sentinel.md

View workflow job for this annotation

GitHub Actions / Lint Documentation

Line length 

.jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 241] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md
**Prevention:** Always use securely generated temporary directories like `mktemp -d` to handle downloads and intermediate files during scripts.

Check failure on line 4 in .jules/sentinel.md

View workflow job for this annotation

GitHub Actions / Lint Documentation

Line length 

.jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 143] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md
Comment on lines +1 to +4
Copy link

@coderabbitai coderabbitai bot Mar 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟑 Minor

Correct the date and heading format so docs lint passes.

This entry is dated 2025-03-07, but the PR was opened on March 7, 2026. The same block also hits MD041/MD022/MD013, so the docs lint job will stay red until the heading is promoted to H1, blank lines are added, and the prose is wrapped.

Proposed fix 
-## 2025-03-07 - [Fix Insecure Temporary File Usage in OS Installers]
-**Vulnerability:** Predictable temporary file locations (`/tmp/yq`) and current working directory downloads during package installation in `tools/os_installers/apt.sh`.
-**Learning:** Using predictable paths like `/tmp/filename` allows local privilege escalation and symlink attacks. Downloading directly to the current working directory is untidy and may leave artifacts behind or conflict with existing files.
-**Prevention:** Always use securely generated temporary directories like `mktemp -d` to handle downloads and intermediate files during scripts.
+# 2026-03-07 - Fix insecure temporary file usage in OS installers
+
+**Vulnerability:** Predictable temporary file locations (`/tmp/yq`) and
+current-working-directory downloads during package installation in
+`tools/os_installers/apt.sh`.
+
+**Learning:** Using predictable paths like `/tmp/filename` allows local
+privilege escalation and symlink attacks. Downloading directly to the current
+working directory is untidy and may leave artifacts behind or conflict with
+existing files.
+
+**Prevention:** Always use securely generated temporary directories like
+`mktemp -d` to handle downloads and intermediate files during scripts.
πŸ“ Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
## 2025-03-07 - [Fix Insecure Temporary File Usage in OS Installers]
**Vulnerability:** Predictable temporary file locations (`/tmp/yq`) and current working directory downloads during package installation in `tools/os_installers/apt.sh`.
**Learning:** Using predictable paths like `/tmp/filename` allows local privilege escalation and symlink attacks. Downloading directly to the current working directory is untidy and may leave artifacts behind or conflict with existing files.
**Prevention:** Always use securely generated temporary directories like `mktemp -d` to handle downloads and intermediate files during scripts.
# 2026-03-07 - Fix insecure temporary file usage in OS installers
**Vulnerability:** Predictable temporary file locations (`/tmp/yq`) and
current-working-directory downloads during package installation in
`tools/os_installers/apt.sh`.
**Learning:** Using predictable paths like `/tmp/filename` allows local
privilege escalation and symlink attacks. Downloading directly to the current
working directory is untidy and may leave artifacts behind or conflict with
existing files.
**Prevention:** Always use securely generated temporary directories like
`mktemp -d` to handle downloads and intermediate files during scripts.
🧰 Tools
πŸͺ› GitHub Check: Lint Documentation

[failure] 4-4: Line length
.jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 143] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

[failure] 3-3: Line length
.jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 241] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

[failure] 2-2: Line length
.jules/sentinel.md:2:81 MD013/line-length Line length [Expected: 80; Actual: 168] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

[failure] 1-1: First line in a file should be a top-level heading
.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2025-03-07 - [Fix Insecure ..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md

[failure] 1-1: Headings should be surrounded by blank lines
.jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2025-03-07 - [Fix Insecure Temporary File Usage in OS Installers]"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md

πŸ€– Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In @.jules/sentinel.md around lines 1 - 4, Update the dated entry header
"2025-03-07 - [Fix Insecure Temporary File Usage in OS Installers]" to the
correct PR date (2026-03-07), promote that heading to H1 (prepend a single "#
"), ensure there is a blank line above and below the heading, and reflow the
prose paragraphs in that block so lines are wrapped to the repo's preferred
width (fixing MD013) and satisfy MD022/MD041 heading-level and blank-line rules.

20 changes: 12 additions & 8 deletions tools/os_installers/apt.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -205,10 +205,11 @@ fi
echo "Installing Go..."
if ! command -v go &> /dev/null; then
GO_VERSION="1.23.4"
wget "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz"
TMP_DIR=$(mktemp -d)
wget "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" -O "$TMP_DIR/go${GO_VERSION}.linux-amd64.tar.gz"
sudo rm -rf /usr/local/go
sudo tar -C /usr/local -xzf "go${GO_VERSION}.linux-amd64.tar.gz"
rm "go${GO_VERSION}.linux-amd64.tar.gz"
sudo tar -C /usr/local -xzf "$TMP_DIR/go${GO_VERSION}.linux-amd64.tar.gz"
rm -rf "$TMP_DIR"
Comment on lines +208 to +212
Copy link

@coderabbitai coderabbitai bot Mar 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Verify release artifacts before installing them.

These blocks still unpack or install vendor binaries directly from the network. If an upstream release asset is tampered with, this script will promote attacker-controlled content into privileged locations. Please verify the official checksum or signature for Go, yq, and lsd before tar, mv, or dpkg.

Also applies to: 235-239, 246-249

πŸ€– Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@tools/os_installers/apt.sh` around lines 208 - 212, The script currently
downloads and unpacks remote release artifacts (see TMP_DIR, GO_VERSION, wget
and sudo tar usage) without verifying integrity; change each install block (Go,
yq, lsd and any dpkg installs) to fetch the official checksum or signature file
from the vendor, verify the downloaded archive using sha256sum (or gpg/openssl
signature verification for signed releases), fail and exit if the verification
fails, and only then proceed to extract or install (tar, dpkg, mv); ensure
verification uses the vendor-provided URL and that TMP_DIR cleanup still runs on
both success and failure.

echo "NOTE: Add 'export PATH=\$PATH:/usr/local/go/bin' to your shell profile"
fi

Expand All @@ -231,18 +232,21 @@ fi
echo "Installing yq..."
if ! command -v yq &> /dev/null; then
YQ_VERSION="v4.44.6"
wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O /tmp/yq
sudo mv /tmp/yq /usr/local/bin/yq
TMP_DIR=$(mktemp -d)
wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$TMP_DIR/yq"
sudo mv "$TMP_DIR/yq" /usr/local/bin/yq
sudo chmod +x /usr/local/bin/yq
rm -rf "$TMP_DIR"
fi

# Install lsd (LSDeluxe)
echo "Installing lsd..."
if ! command -v lsd &> /dev/null; then
LSD_VERSION="1.1.5"
wget "https://github.com/lsd-rs/lsd/releases/download/v${LSD_VERSION}/lsd_${LSD_VERSION}_amd64.deb"
sudo dpkg -i "lsd_${LSD_VERSION}_amd64.deb"
rm "lsd_${LSD_VERSION}_amd64.deb"
TMP_DIR=$(mktemp -d)
wget "https://github.com/lsd-rs/lsd/releases/download/v${LSD_VERSION}/lsd_${LSD_VERSION}_amd64.deb" -O "$TMP_DIR/lsd_${LSD_VERSION}_amd64.deb"
sudo dpkg -i "$TMP_DIR/lsd_${LSD_VERSION}_amd64.deb"
rm -rf "$TMP_DIR"
fi

# Install Tesseract OCR
Expand Down
Loading