From 798d866cd4a26b562587d93daf6ac6f9256cad4c Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Tue, 10 Mar 2026 04:54:46 +0000
Subject: [PATCH] fix(security): prevent symlink attack in apt.sh during yq installation
Co-authored-by: kidchenko <5432753+kidchenko@users.noreply.github.com>
---
 .jules/sentinel.md | 4 ++++
 tools/os_installers/apt.sh | 6 ++++--
 2 files changed, 8 insertions(+), 2 deletions(-)
 create mode 100644 .jules/sentinel.md
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..8a2bf87
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2024-05-24 - Predictable Temporary File Path in Sudo Operations
+**Vulnerability:** The script `tools/os_installers/apt.sh` downloaded `yq` to a hardcoded predictable temporary path (`/tmp/yq`) and then moved it using elevated privileges (`sudo mv`). This could be exploited via a symlink attack for local privilege escalation.
+**Learning:** Hardcoded `/tmp/` files used with elevated privileges expose systems to symlink attacks, a pattern observed in the OS installation scripts.
+**Prevention:** Always use securely generated random directories like `mktemp -d` to stage downloaded files before performing elevated operations.
diff --git a/tools/os_installers/apt.sh b/tools/os_installers/apt.sh
index 156016b..7905e9b 100644
--- a/tools/os_installers/apt.sh
+++ b/tools/os_installers/apt.sh
@@ -231,8 +231,10 @@ fi
 echo "Installing yq..."
 if ! command -v yq &> /dev/null; then
 YQ_VERSION="v4.44.6"
- wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O /tmp/yq
- sudo mv /tmp/yq /usr/local/bin/yq
+ TMP_DIR=$(mktemp -d)
+ wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$TMP_DIR/yq"
+ sudo mv "$TMP_DIR/yq" /usr/local/bin/yq
+ rm -rf "$TMP_DIR"
 sudo chmod +x /usr/local/bin/yq
 fi
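Review bot: The new `sudo mv "$TMP_DIR/yq" /usr/local/bin/yq` followed by `sudo chmod +x` installs the binary without fixing its owner: when the mktemp directory and /usr/local are on the same filesystem, mv is a rename and the file in /usr/local/bin stays owned by the unprivileged invoking user, who can later overwrite a binary that root will execute (when /tmp is a separate tmpfs the copy happens to become root-owned, so this is filesystem-dependent). Replacing both lines with `sudo install -m 0755 -o root -g root "$TMP_DIR/yq" /usr/local/bin/yq` sets owner and mode atomically and closes that gap. The wget result is also never checked before the privileged step: with `-O`, a failed download can still leave a zero-length or partial file that is then installed and marked executable, so guard it, e.g. `wget ... -O "$TMP_DIR/yq" || { rm -rf "$TMP_DIR"; exit 1; }`, and consider verifying a pinned SHA-256 of the release asset before installing, since nothing here authenticates what is placed on the PATH for root. Finally, `rm -rf "$TMP_DIR"` only runs on the success path; `trap 'rm -rf "$TMP_DIR"' EXIT` right after `TMP_DIR=$(mktemp -d)` (with `|| exit 1` on the mktemp) cleans up on failure or interruption as well.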