From 2d026209a6037e3901b95f25570f62ea5632d0a3 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Sun, 8 Mar 2026 05:09:46 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[CRITICAL]?=
 =?UTF-8?q?=20Fix=20insecure=20temporary=20file=20paths?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Replaced hardcoded predictable `/tmp/yq` path with securely generated `mktemp -d` directories in `tools/os_installers/apt.sh`.
- Prevents local privilege escalation and symlink attacks when executing script with `sudo`.
- Documented learning in `.jules/sentinel.md`.

Co-authored-by: kidchenko <5432753+kidchenko@users.noreply.github.com>
---
 .jules/sentinel.md | 4 ++++
 tools/os_installers/apt.sh | 13 ++++++++-----
 2 files changed, 12 insertions(+), 5 deletions(-)
 create mode 100644 .jules/sentinel.md

diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..6abeee9
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2024-05-18 - Insecure Temporary File Path
+**Vulnerability:** Hardcoded predictable temporary file paths (e.g., `/tmp/yq`) in shell scripts executing with elevated privileges (`sudo`).
+**Learning:** Using predictable paths allows local privilege escalation and symlink attacks. Attackers can pre-create symlinks pointing to critical system files.
+**Prevention:** Always use securely generated random directories like `mktemp -d` to handle temporary files securely.
diff --git a/tools/os_installers/apt.sh b/tools/os_installers/apt.sh
index 156016b..16fa777 100644
--- a/tools/os_installers/apt.sh
+++ b/tools/os_installers/apt.sh
@@ -231,18 +231,21 @@ fi
 echo "Installing yq..."
 if ! command -v yq &> /dev/null; then
     YQ_VERSION="v4.44.6"
-    wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O /tmp/yq
-    sudo mv /tmp/yq /usr/local/bin/yq
+    TMP_DIR=$(mktemp -d)
+    wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$TMP_DIR/yq"
+    sudo mv "$TMP_DIR/yq" /usr/local/bin/yq
     sudo chmod +x /usr/local/bin/yq
+    rm -rf "$TMP_DIR"
 fi
 
 # Install lsd (LSDeluxe)
 echo "Installing lsd..."
 if ! command -v lsd &> /dev/null; then
     LSD_VERSION="1.1.5"
-    wget "https://github.com/lsd-rs/lsd/releases/download/v${LSD_VERSION}/lsd_${LSD_VERSION}_amd64.deb"
-    sudo dpkg -i "lsd_${LSD_VERSION}_amd64.deb"
-    rm "lsd_${LSD_VERSION}_amd64.deb"
+    TMP_DIR=$(mktemp -d)
+    wget "https://github.com/lsd-rs/lsd/releases/download/v${LSD_VERSION}/lsd_${LSD_VERSION}_amd64.deb" -O "$TMP_DIR/lsd.deb"
+    sudo dpkg -i "$TMP_DIR/lsd.deb"
+    rm -rf "$TMP_DIR"
 fi
 
 # Install Tesseract OCR
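Review bot: The exit status of `wget` is never checked before `sudo mv` / `sudo dpkg -i`, and `rm -rf "$TMP_DIR"` sits only on the success path, so a failed download leaves the temp directory behind and, because `wget -O` creates its output file before the transfer, can install an empty or truncated `/usr/local/bin/yq` as root (unless the script enables `set -e` above this hunk, which is not visible here). `TMP_DIR=$(mktemp -d)` is likewise unchecked, and the lsd block silently overwrites the yq block's value, so any `trap`-based cleanup would only ever see the last directory. The binary and the .deb are also installed with root privileges without any integrity check; the predictable-path fix is sound, but the artifact that ends up on the system is still unauthenticated. I would create the directory once with a guard and an EXIT trap, guard each download with `|| exit 1`, and compare against a pinned digest before installing — the lsd block gets the same treatment with its own expected digest.

```shell
# Shared scratch directory for the installer downloads; removed on any exit path.
TMP_DIR=$(mktemp -d) || exit 1
trap 'rm -rf -- "$TMP_DIR"' EXIT

echo "Installing yq..."
if ! command -v yq &> /dev/null; then
    YQ_VERSION="v4.44.6"
    YQ_SHA256="<EXPECTED-SHA256-FROM-YQ-RELEASE-PAGE>"   # placeholder: pin to the published digest for yq_linux_amd64 ${YQ_VERSION}
    wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$TMP_DIR/yq" || exit 1
    printf '%s  %s\n' "$YQ_SHA256" "$TMP_DIR/yq" | sha256sum -c - || exit 1
    sudo mv "$TMP_DIR/yq" /usr/local/bin/yq
    sudo chmod +x /usr/local/bin/yq
fi
# … unchanged: lsd block, minus its own mktemp/rm -rf, with the same wget guard and digest check …
```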