🛡️ Sentinel: [CRITICAL] Fix predictable temporary file vulnerability

[kidchenko]

🚨 Severity: CRITICAL
💡 Vulnerability: The apt.sh script downloaded executables to predictable paths (like /tmp/yq) and the current working directory before moving/executing them with sudo. This allowed attackers to pre-create files or symlinks, leading to Local Privilege Escalation (LPE) and file overwrite vulnerabilities.
🎯 Impact: A malicious local user could execute arbitrary attacker-controlled binaries via sudo or overwrite critical system files.
🔧 Fix: Updated the installation processes for Go, yq, lsd, and Composer to operate within a securely generated temporary directory (mktemp -d).
✅ Verification: Verified syntax and logic using ./build.sh lint.

---

PR created automatically by Jules for task 10419767231098031699 started by @kidchenko

Summary by CodeRabbit

Release Notes

• Bug Fixes

  • Installer now uses secure temporary directories for downloads, improving installation safety and preventing file path conflicts.

• Documentation

  • Added security documentation for shell script development best practices.

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

📝 Walkthrough

Walkthrough

New security documentation file added to highlight a vulnerability in shell script temporary file handling. The apt.sh installation script refactored to replace fixed, predictable temporary paths with securely-generated per-run temporary directories via mktemp -d, with deterministic cleanup of all downloaded artifacts.

Changes

Cohort / File(s)	Summary
Security Documentation .jules/sentinel.md	New security note documenting predictable temporary file vulnerabilities in shell scripts, risks of Local Privilege Escalation, and recommendations for secure temporary directory usage with proper cleanup.
Secure Installation Script tools/os_installers/apt.sh	Refactored installation steps for Go, yq, lsd, and Composer to use per-run temporary directories via mktemp -d instead of fixed paths. All artifacts stored in $TMP_DIR and cleaned up after use; tar/dpkg/php invocations reference temporary file locations.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Hopping through scripts with care and delight,
Temporary paths now hidden from sight,
No more fixed folders for all to exploit,
mktemp creates safety—a SecOps's joy!
Cleanup assured, the files take flight. 🛡️✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly addresses the main change—fixing a critical predictable temporary file vulnerability in apt.sh. However, it uses an emoji and [CRITICAL] tag that add noise rather than clarity.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch sentinel-secure-downloads-10419767231098031699

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

You can disable sequence diagrams in the walkthrough.

Disable the reviews.sequence_diagrams setting to disable sequence diagrams in the walkthrough.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

tools/os_installers/apt.sh (1)

208-212: Good use of mktemp -d for secure temporary directory.

The fix correctly addresses the predictable path vulnerability. However, if wget or tar fails (and set -e triggers an exit), the temporary directory won't be cleaned up.

Consider adding a trap at the start of each installation block or at the script level for more robust cleanup:

🛡️ Optional: Add trap for cleanup on error

 if ! command -v go &> /dev/null; then
     GO_VERSION="1.23.4"
     TMP_DIR=$(mktemp -d)
+    trap 'rm -rf "$TMP_DIR"' EXIT
     wget "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" -O "$TMP_DIR/go.tar.gz"
     sudo rm -rf /usr/local/go
     sudo tar -C /usr/local -xzf "$TMP_DIR/go.tar.gz"
     rm -rf "$TMP_DIR"
+    trap - EXIT
     echo "NOTE: Add 'export PATH=\$PATH:/usr/local/go/bin' to your shell profile"
 fi

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tools/os_installers/apt.sh` around lines 208 - 212, The temporary directory
created by TMP_DIR=$(mktemp -d) may not be removed if wget or tar fail; add a
trap immediately after creating TMP_DIR to remove it on EXIT (and on ERR if
desired), e.g., set a trap that safely tests for TMP_DIR non-empty and existence
before rm -rf "$TMP_DIR", and clear the trap after successful cleanup; apply
this around the block using wget and tar so failures during those commands still
trigger cleanup while keeping TMP_DIR referenced exactly as in the current code.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.jules/sentinel.md:
- Around line 1-4: Update the markdown to satisfy lint rules: change the
top-level heading from "## 2024-03-14 - [Predictable Temporary File
Vulnerabilities]" to use a single leading '#' and correct the date to
"2026-03-14", ensure there is a blank line after that heading, and reflow the
following bullet paragraphs (the vulnerability, learning, and prevention lines)
to keep line lengths under 80 characters (add line breaks and shorter sentences
as needed) so the file .jules/sentinel.md passes MD013 and the
heading/blank-line lint checks.

---

Nitpick comments:
In `@tools/os_installers/apt.sh`:
- Around line 208-212: The temporary directory created by TMP_DIR=$(mktemp -d)
may not be removed if wget or tar fail; add a trap immediately after creating
TMP_DIR to remove it on EXIT (and on ERR if desired), e.g., set a trap that
safely tests for TMP_DIR non-empty and existence before rm -rf "$TMP_DIR", and
clear the trap after successful cleanup; apply this around the block using wget
and tar so failures during those commands still trigger cleanup while keeping
TMP_DIR referenced exactly as in the current code.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1dca029e-fcf5-47d5-828c-5c9f7447551a

📥 Commits

Reviewing files that changed from the base of the PR and between cb5949a and 964bfcf.

📒 Files selected for processing (2)

• .jules/sentinel.md
• tools/os_installers/apt.sh

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Fix markdown lint violations to pass CI.

The documentation lint check is failing with multiple issues:

1. Line 1: First line should be a top-level heading (# instead of ##) and needs a blank line below it.
2. Lines 2-4: Line lengths exceed 80 characters (MD013). Consider reformatting with line breaks.
3. Date typo: The heading shows 2024-03-14 but should likely be 2026-03-14.

📝 Proposed fix for lint compliance

-## 2024-03-14 - [Predictable Temporary File Vulnerabilities]
-**Vulnerability:** The `apt.sh` script downloaded executables to predictable paths (like `/tmp/yq`) and current working directory before moving/executing them with `sudo`.
-**Learning:** Hardcoded, predictable file paths in world-writable directories (`/tmp`) allow attackers to pre-create files or symlinks, leading to Local Privilege Escalation (LPE) and file overwrite vulnerabilities, especially when `sudo` is involved later. Additionally, downloading to the current working directory without control over its contents can overwrite existing files unexpectedly or execute attacker-controlled binaries.
-**Prevention:** Always use securely generated temporary directories (e.g., `mktemp -d`) for downloads and intermediate file processing in shell scripts, particularly those running with or transitioning to elevated privileges. Use the temporary directory as a secure staging area, clean it up when done, and use absolute paths when moving the final artifacts to their destinations.
+# Security Journal
+
+## 2026-03-14 - Predictable Temporary File Vulnerabilities
+
+**Vulnerability:** The `apt.sh` script downloaded executables to predictable
+paths (like `/tmp/yq`) and current working directory before moving/executing
+them with `sudo`.
+
+**Learning:** Hardcoded, predictable file paths in world-writable directories
+(`/tmp`) allow attackers to pre-create files or symlinks, leading to Local
+Privilege Escalation (LPE) and file overwrite vulnerabilities, especially when
+`sudo` is involved later. Additionally, downloading to the current working
+directory without control over its contents can overwrite existing files
+unexpectedly or execute attacker-controlled binaries.
+
+**Prevention:** Always use securely generated temporary directories (e.g.,
+`mktemp -d`) for downloads and intermediate file processing in shell scripts,
+particularly those running with or transitioning to elevated privileges. Use
+the temporary directory as a secure staging area, clean it up when done, and
+use absolute paths when moving the final artifacts to their destinations.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	## 2024-03-14 - [Predictable Temporary File Vulnerabilities]
	**Vulnerability:** The `apt.sh` script downloaded executables to predictable paths (like `/tmp/yq`) and current working directory before moving/executing them with `sudo`.
	**Learning:** Hardcoded, predictable file paths in world-writable directories (`/tmp`) allow attackers to pre-create files or symlinks, leading to Local Privilege Escalation (LPE) and file overwrite vulnerabilities, especially when `sudo` is involved later. Additionally, downloading to the current working directory without control over its contents can overwrite existing files unexpectedly or execute attacker-controlled binaries.
	**Prevention:** Always use securely generated temporary directories (e.g., `mktemp -d`) for downloads and intermediate file processing in shell scripts, particularly those running with or transitioning to elevated privileges. Use the temporary directory as a secure staging area, clean it up when done, and use absolute paths when moving the final artifacts to their destinations.
	# Security Journal
	## 2026-03-14 - Predictable Temporary File Vulnerabilities
	**Vulnerability:** The `apt.sh` script downloaded executables to predictable
	paths (like `/tmp/yq`) and current working directory before moving/executing
	them with `sudo`.
	**Learning:** Hardcoded, predictable file paths in world-writable directories
	(`/tmp`) allow attackers to pre-create files or symlinks, leading to Local
	Privilege Escalation (LPE) and file overwrite vulnerabilities, especially when
	`sudo` is involved later. Additionally, downloading to the current working
	directory without control over its contents can overwrite existing files
	unexpectedly or execute attacker-controlled binaries.
	**Prevention:** Always use securely generated temporary directories (e.g.,
	`mktemp -d`) for downloads and intermediate file processing in shell scripts,
	particularly those running with or transitioning to elevated privileges. Use
	the temporary directory as a secure staging area, clean it up when done, and
	use absolute paths when moving the final artifacts to their destinations.

🧰 Tools

🪛 GitHub Check: Lint Documentation

[failure] 4-4: Line length
.jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 380] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

---

[failure] 3-3: Line length
.jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 433] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

---

[failure] 2-2: Line length
.jules/sentinel.md:2:81 MD013/line-length Line length [Expected: 80; Actual: 171] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

---

[failure] 1-1: First line in a file should be a top-level heading
.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2024-03-14 - [Predictable T..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md

---

[failure] 1-1: Headings should be surrounded by blank lines
.jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2024-03-14 - [Predictable Temporary File Vulnerabilities]"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.jules/sentinel.md around lines 1 - 4, Update the markdown to satisfy lint
rules: change the top-level heading from "## 2024-03-14 - [Predictable Temporary
File Vulnerabilities]" to use a single leading '#' and correct the date to
"2026-03-14", ensure there is a blank line after that heading, and reflow the
following bullet paragraphs (the vulnerability, learning, and prevention lines)
to keep line lengths under 80 characters (add line breaks and shorter sentences
as needed) so the file .jules/sentinel.md passes MD013 and the
heading/blank-line lint checks.