From e9e9e332f98976083de945d516da23028964368f Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Fri, 13 Mar 2026 04:36:06 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[CRITICAL]?=
 =?UTF-8?q?=20Fix=20predictable=20tmp=20file=20path=20in=20apt.sh?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replaced hardcoded `/tmp/yq` with a securely generated temp directory (`mktemp -d`) when downloading and installing `yq` in `tools/os_installers/apt.sh`. This prevents local privilege escalation and symlink attacks.

Co-authored-by: kidchenko <5432753+kidchenko@users.noreply.github.com>
---
 tools/os_installers/apt.sh | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/tools/os_installers/apt.sh b/tools/os_installers/apt.sh
index 156016b..1f16578 100644
--- a/tools/os_installers/apt.sh
+++ b/tools/os_installers/apt.sh
@@ -231,9 +231,11 @@ fi
 echo "Installing yq..."
 if ! command -v yq &> /dev/null; then
 YQ_VERSION="v4.44.6"
-wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O /tmp/yq
-sudo mv /tmp/yq /usr/local/bin/yq
+YQ_TMPDIR=$(mktemp -d)
+wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$YQ_TMPDIR/yq"
+sudo mv "$YQ_TMPDIR/yq" /usr/local/bin/yq
 sudo chmod +x /usr/local/bin/yq
+rm -rf "$YQ_TMPDIR"
 fi
 
 # Install lsd (LSDeluxe)
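Review bot: The result of `YQ_TMPDIR=$(mktemp -d)` on the first added line is never checked, so if mktemp fails the variable is empty, the following `wget -O "$YQ_TMPDIR/yq"` writes to `/yq`, and the later `rm -rf "$YQ_TMPDIR"` runs with an empty argument; guard it with `YQ_TMPDIR=$(mktemp -d) || { echo "mktemp failed" >&2; exit 1; }` (the hunk does not show whether the script runs under `set -e`). The cleanup on the last added line is reached only on the happy path, so a failed download leaves the directory behind and `sudo mv` still runs against a missing file; registering `trap 'rm -rf -- "$YQ_TMPDIR"' EXIT` right after the guard and checking the wget status before the `sudo mv` covers both. The binary is still placed into /usr/local/bin with no integrity check; verifying the download against the checksum published with the yq release before the `sudo mv` is the natural follow-up to this fix.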