4 changes: 4 additions & 0 deletions .jules/sentinel.md
@@ -0,0 +1,4 @@
## 2024-05-18 - [Predictable Temporary File Vulnerability]
**Vulnerability:** Predictable temporary file path `/tmp/yq` used in `tools/os_installers/apt.sh` to download and install `yq` as root.
**Learning:** Hardcoding a predictable file path in the world-writable directory `/tmp` could allow an attacker to launch a symlink attack or pre-create the file to gain privilege escalation when the script later runs `sudo mv /tmp/yq /usr/local/bin/yq`. This is especially dangerous in setup scripts that may be run by different users or multiple times.
**Prevention:** Always use `mktemp` (e.g., `mktemp -d`) to create secure, unpredictable temporary directories or files when downloading artifacts or storing intermediate data, especially if they are going to be accessed by `sudo` later.
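Review bot: the Prevention entry says to use `mktemp -d` but stops there, and the apt.sh change in this same PR shows two further things the pattern needs to be safe: the expanded path has to be quoted everywhere it is used, and the directory has to be removed afterwards. Suggest extending the sentence with something like: Always quote the result (`"$TMP_DIR/yq"`) and delete the directory when done, preferably from an EXIT trap so that a failed download does not leave it behind.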
Comment on lines +1 to +4
⚠️ Potential issue | 🟡 Minor

Fix the markdownlint failures in this advisory.

This file currently fails the docs lint job: Line 1 needs an H1 with surrounding blank lines, and Lines 2-4 exceed the configured 80-column limit.

Suggested markdown cleanup
-## 2024-05-18 - [Predictable Temporary File Vulnerability]
-**Vulnerability:** Predictable temporary file path `/tmp/yq` used in `tools/os_installers/apt.sh` to download and install `yq` as root.
-**Learning:** Hardcoding a predictable file path in the world-writable directory `/tmp` could allow an attacker to launch a symlink attack or pre-create the file to gain privilege escalation when the script later runs `sudo mv /tmp/yq /usr/local/bin/yq`. This is especially dangerous in setup scripts that may be run by different users or multiple times.
-**Prevention:** Always use `mktemp` (e.g., `mktemp -d`) to create secure, unpredictable temporary directories or files when downloading artifacts or storing intermediate data, especially if they are going to be accessed by `sudo` later.
+# 2024-05-18 - Predictable Temporary File Vulnerability
+
+**Vulnerability:** Predictable temporary file path `/tmp/yq` used in
+`tools/os_installers/apt.sh` to download and install `yq` as root.
+
+**Learning:** Hardcoding a predictable file path in the world-writable
+directory `/tmp` could allow an attacker to launch a symlink attack or
+pre-create the file to gain privilege escalation when the script later runs
+`sudo mv /tmp/yq /usr/local/bin/yq`. This is especially dangerous in setup
+scripts that may be run by different users or multiple times.
+
+**Prevention:** Always use `mktemp` (e.g., `mktemp -d`) to create secure,
+unpredictable temporary directories or files when downloading artifacts or
+storing intermediate data, especially if they will be accessed by `sudo`
+later.
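Review bot: promoting the dated entry to an H1 satisfies MD041 for this first entry, but `sentinel.md` is written as a dated log, and the next `# 2024-..-..` entry will fail MD025 (single-h1) instead. Suggest a file-level title as the H1 (for example `# Sentinel security learnings`) and keeping each dated entry as an H2, `## 2024-05-18 - Predictable Temporary File Vulnerability`, with the blank lines and 80-column wrapping exactly as proposed here.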
🧰 Tools
🪛 GitHub Check: Lint Documentation

[failure] 4-4: Line length
.jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 236] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md


[failure] 3-3: Line length
.jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 354] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md


[failure] 2-2: Line length
.jules/sentinel.md:2:81 MD013/line-length Line length [Expected: 80; Actual: 135] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md


[failure] 1-1: First line in a file should be a top-level heading
.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2024-05-18 - [Predictable T..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md


[failure] 1-1: Headings should be surrounded by blank lines
.jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2024-05-18 - [Predictable Temporary File Vulnerability]"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md

🪛 LanguageTool

[style] ~4-~4: Use ‘will’ instead of ‘going to’ if the following action is certain.
Context: ...g intermediate data, especially if they are going to be accessed by sudo later.

(GOING_TO_WILL)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.jules/sentinel.md around lines 1 - 4, The markdown fails linting: add a
top-level H1 header with a blank line before and after it, and wrap long lines
to ≤80 columns (break long sentences like the Vulnerability, Learning, and
Prevention lines into multiple shorter lines or use markdown lists) in
.jules/sentinel.md; ensure inline code/paths (e.g., `/tmp/yq`,
`tools/os_installers/apt.sh`, `mktemp`) remain as inline code and that the
advisory still contains the same content but with lines wrapped and proper
header spacing.

6 changes: 4 additions & 2 deletions tools/os_installers/apt.sh
Expand Up @@ -231,9 +231,11 @@ fi
echo "Installing yq..."
if ! command -v yq &> /dev/null; then
YQ_VERSION="v4.44.6"
wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O /tmp/yq
sudo mv /tmp/yq /usr/local/bin/yq
TMP_DIR="$(mktemp -d)"
wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$TMP_DIR/yq"
sudo mv "$TMP_DIR/yq" /usr/local/bin/yq
sudo chmod +x /usr/local/bin/yq
rm -rf "$TMP_DIR"
fi

# Install lsd (LSDeluxe)
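Review bot: `rm -rf "$TMP_DIR"` runs only on the success path, and nothing checks that `wget` actually produced the file, so a failed or interrupted download leaves the directory behind and lets `sudo mv` operate on a missing or partial file (whether the script aborts at that point depends on a `set -e` that is not visible in this hunk). Suggest `trap 'rm -rf "$TMP_DIR"' EXIT` right after the `mktemp -d` line, and `wget ... -O "$TMP_DIR/yq" || { echo "yq download failed" >&2; exit 1; }` for the download. Since the binary ends up in `/usr/local/bin` as root, verifying the download against a pinned checksum before the `mv` would also be worth a line here.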