From 45793f036f6b10b5fb626b95c91a4b7ab01e04a6 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Mon, 9 Mar 2026 04:52:41 +0000 Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[CRITICAL]?= =?UTF-8?q?=20Fix=20predictable=20temporary=20file=20vulnerability=20(syml?= =?UTF-8?q?ink=20attack)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The `tools/os_installers/apt.sh` script previously downloaded the `yq` binary to a predictable, hardcoded path `/tmp/yq`. Since `/tmp` is world-writable, this could lead to local privilege escalation via a symlink attack because `yq` was later moved to `/usr/local/bin/yq` utilizing `sudo`. Replaced the hardcoded predictable path by using `mktemp -d` to generate a secure, temporary directory, and recorded this critical security learning in `.jules/sentinel.md`. Co-authored-by: kidchenko <5432753+kidchenko@users.noreply.github.com> --- .jules/sentinel.md | 4 ++++ tools/os_installers/apt.sh | 6 ++++-- 2 files changed, 8 insertions(+), 2 deletions(-) create mode 100644 .jules/sentinel.md diff --git a/.jules/sentinel.md b/.jules/sentinel.md new file mode 100644 index 0000000..5644c81 --- /dev/null +++ b/.jules/sentinel.md 
@@ -0,0 +1,4 @@ +## 2024-05-18 - [Predictable Temporary File Vulnerability] +**Vulnerability:** Predictable temporary file path `/tmp/yq` used in `tools/os_installers/apt.sh` to download and install `yq` as root. +**Learning:** Hardcoding a predictable file path in the world-writable directory `/tmp` could allow an attacker to launch a symlink attack or pre-create the file to gain privilege escalation when the script later runs `sudo mv /tmp/yq /usr/local/bin/yq`. This is especially dangerous in setup scripts that may be run by different users or multiple times. +**Prevention:** Always use `mktemp` (e.g., `mktemp -d`) to create secure, unpredictable temporary directories or files when downloading artifacts or storing intermediate data, especially if they are going to be accessed by `sudo` later. \ No newline at end of file diff --git a/tools/os_installers/apt.sh b/tools/os_installers/apt.sh index 156016b..15e9bfc 100644 --- a/tools/os_installers/apt.sh +++ b/tools/os_installers/apt.sh @@ -231,9 +231,11 @@ fi echo "Installing yq..." if ! command -v yq &> /dev/null; then YQ_VERSION="v4.44.6" - wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O /tmp/yq - sudo mv /tmp/yq /usr/local/bin/yq + TMP_DIR="$(mktemp -d)" + wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$TMP_DIR/yq" + sudo mv "$TMP_DIR/yq" /usr/local/bin/yq sudo chmod +x /usr/local/bin/yq + rm -rf "$TMP_DIR" fi # Install lsd (LSDeluxe)
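Review bot: the new `.jules/sentinel.md` entry is dated `2024-05-18` while the commit itself carries `Mon, 9 Mar 2026`, and the file lands with `\ No newline at end of file`; date the entry to match the change it records and terminate the file with a newline so later appends don't fuse onto the Prevention line. The Prevention text could also say why `mktemp -d` works here (the directory is created mode 0700 and owned by the invoking user, so no other local user can pre-create or symlink `yq` inside it); that is the property the fix depends on, and the learning is more reusable with it stated.

Review bot: in the `apt.sh` hunk the cleanup and error handling are incomplete: `rm -rf "$TMP_DIR"` only runs on the success path, so a failed `wget` or an aborted `sudo` leaves the directory behind, and if `mktemp -d` fails `TMP_DIR` is empty and `"$TMP_DIR/yq"` resolves to `/yq`. Suggest guarding the creation and using a trap so the directory is removed on every exit path:
`TMP_DIR="$(mktemp -d)" || exit 1`
`trap 'rm -rf "$TMP_DIR"' EXIT`
`wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$TMP_DIR/yq" || exit 1`
With the download failure checked, `sudo mv` can no longer run against a missing or partial file. The binary is still installed to `/usr/local/bin` unverified; comparing it against a pinned checksum for `YQ_VERSION` before the `sudo mv` would close the remaining gap the commit message does not address.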