Skip to content

πŸ›‘οΈ Sentinel: [CRITICAL] Fix predictable temp file vulnerability in apt.sh #57

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
kidchenko wants to merge 1 commit into
base: main
Choose a base branch
from
Open

πŸ›‘οΈ Sentinel: [CRITICAL] Fix predictable temp file vulnerability in apt.sh #57

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 4 additions & 2 deletions tools/os_installers/apt.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -231,9 +231,11 @@ fi
echo "Installing yq..."
if ! command -v yq &> /dev/null; then
YQ_VERSION="v4.44.6"
wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O /tmp/yq
sudo mv /tmp/yq /usr/local/bin/yq
YQ_TMPDIR=$(mktemp -d)
wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$YQ_TMPDIR/yq"
sudo mv "$YQ_TMPDIR/yq" /usr/local/bin/yq
sudo chmod +x /usr/local/bin/yq
rm -rf "$YQ_TMPDIR"
Comment on lines +234 to +238
Copy link

@coderabbitai coderabbitai bot Mar 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

πŸ› οΈ Refactor suggestion | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify whether yq temp-dir cleanup is protected by trap.
rg -n -C2 'YQ_TMPDIR|trap .*YQ_TMPDIR|wget .*yq_linux_amd64|sudo mv .*yq|rm -rf "\$YQ_TMPDIR"' tools/os_installers/apt.sh

Repository: kidchenko/dotfiles

Length of output: 406

🏁 Script executed:

head -20 tools/os_installers/apt.sh

Repository: kidchenko/dotfiles

Length of output: 579

🏁 Script executed:

grep -n "set -e\|set -o errexit" tools/os_installers/apt.sh

Repository: kidchenko/dotfiles

Length of output: 70

🏁 Script executed:

sed -n '230,240p' tools/os_installers/apt.sh

Repository: kidchenko/dotfiles

Length of output: 407

Add trap to guarantee temp dir cleanup on failure.

With set -e active (line 7), if wget or sudo mv fails at lines 235–236, the script exits immediately and skips the cleanup at line 238, orphaning the temporary directory. Use a trap to ensure cleanup runs unconditionally:

Proposed fix 
     YQ_TMPDIR=$(mktemp -d)
+    trap 'rm -rf "$YQ_TMPDIR"' EXIT
     wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$YQ_TMPDIR/yq"
     sudo mv "$YQ_TMPDIR/yq" /usr/local/bin/yq
     sudo chmod +x /usr/local/bin/yq
-    rm -rf "$YQ_TMPDIR"
πŸ“ Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
YQ_TMPDIR=$(mktemp -d)
wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$YQ_TMPDIR/yq"
sudo mv "$YQ_TMPDIR/yq" /usr/local/bin/yq
sudo chmod +x /usr/local/bin/yq
rm -rf "$YQ_TMPDIR"
YQ_TMPDIR=$(mktemp -d)
trap 'rm -rf "$YQ_TMPDIR"' EXIT
wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$YQ_TMPDIR/yq"
sudo mv "$YQ_TMPDIR/yq" /usr/local/bin/yq
sudo chmod +x /usr/local/bin/yq
πŸ€– Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@tools/os_installers/apt.sh` around lines 234 - 238, The temporary dir
YQ_TMPDIR created by mktemp can be orphaned if wget or sudo mv fails due to set
-e; add a trap immediately after creating YQ_TMPDIR to run rm -rf "$YQ_TMPDIR"
on EXIT (and optionally on INT/TERM) so cleanup always runs, ensure mktemp
success is checked before setting the trap, and if you need to preserve the
directory on success remove or reset the trap after the mv/chmod steps;
reference the YQ_TMPDIR variable and the sequence around mktemp, wget, sudo mv,
sudo chmod and rm -rf to locate where to add the trap.

fi

# Install lsd (LSDeluxe)
Expand Down
Loading