diff --git a/.jules/sentinel.md b/.jules/sentinel.md new file mode 100644 index 0000000..7158521 --- /dev/null +++ b/.jules/sentinel.md @@ -0,0 +1,4 @@ +## 2024-03-14 - [Predictable Temporary File Vulnerabilities] +**Vulnerability:** The `apt.sh` script downloaded executables to predictable paths (like `/tmp/yq`) and current working directory before moving/executing them with `sudo`. +**Learning:** Hardcoded, predictable file paths in world-writable directories (`/tmp`) allow attackers to pre-create files or symlinks, leading to Local Privilege Escalation (LPE) and file overwrite vulnerabilities, especially when `sudo` is involved later. Additionally, downloading to the current working directory without control over its contents can overwrite existing files unexpectedly or execute attacker-controlled binaries. +**Prevention:** Always use securely generated temporary directories (e.g., `mktemp -d`) for downloads and intermediate file processing in shell scripts, particularly those running with or transitioning to elevated privileges. Use the temporary directory as a secure staging area, clean it up when done, and use absolute paths when moving the final artifacts to their destinations. diff --git a/tools/os_installers/apt.sh b/tools/os_installers/apt.sh index 156016b..f559d67 100644 --- a/tools/os_installers/apt.sh +++ b/tools/os_installers/apt.sh @@ -205,10 +205,11 @@ fi echo "Installing Go..." if ! command -v go &> /dev/null; then GO_VERSION="1.23.4" - wget "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" + TMP_DIR=$(mktemp -d) + wget "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" -O "$TMP_DIR/go.tar.gz" sudo rm -rf /usr/local/go - sudo tar -C /usr/local -xzf "go${GO_VERSION}.linux-amd64.tar.gz" - rm "go${GO_VERSION}.linux-amd64.tar.gz" + sudo tar -C /usr/local -xzf "$TMP_DIR/go.tar.gz" + rm -rf "$TMP_DIR" echo "NOTE: Add 'export PATH=\$PATH:/usr/local/go/bin' to your shell profile" fi @@ -231,18 +232,21 @@ fi echo "Installing yq..." if ! command -v yq &> /dev/null; then YQ_VERSION="v4.44.6" - wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O /tmp/yq - sudo mv /tmp/yq /usr/local/bin/yq + TMP_DIR=$(mktemp -d) + wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$TMP_DIR/yq" + sudo mv "$TMP_DIR/yq" /usr/local/bin/yq sudo chmod +x /usr/local/bin/yq + rm -rf "$TMP_DIR" fi # Install lsd (LSDeluxe) echo "Installing lsd..." if ! command -v lsd &> /dev/null; then LSD_VERSION="1.1.5" - wget "https://github.com/lsd-rs/lsd/releases/download/v${LSD_VERSION}/lsd_${LSD_VERSION}_amd64.deb" - sudo dpkg -i "lsd_${LSD_VERSION}_amd64.deb" - rm "lsd_${LSD_VERSION}_amd64.deb" + TMP_DIR=$(mktemp -d) + wget "https://github.com/lsd-rs/lsd/releases/download/v${LSD_VERSION}/lsd_${LSD_VERSION}_amd64.deb" -O "$TMP_DIR/lsd.deb" + sudo dpkg -i "$TMP_DIR/lsd.deb" + rm -rf "$TMP_DIR" fi # Install Tesseract OCR @@ -253,15 +257,16 @@ sudo apt install -y tesseract-ocr echo "Installing Composer..." if ! command -v composer &> /dev/null; then EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')" - php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" - ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")" + TMP_DIR=$(mktemp -d) + php -r "copy('https://getcomposer.org/installer', '$TMP_DIR/composer-setup.php');" + ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', '$TMP_DIR/composer-setup.php');")" if [ "$EXPECTED_CHECKSUM" = "$ACTUAL_CHECKSUM" ]; then - sudo php composer-setup.php --quiet --install-dir=/usr/local/bin --filename=composer - rm composer-setup.php + sudo php "$TMP_DIR/composer-setup.php" --quiet --install-dir=/usr/local/bin --filename=composer + rm -rf "$TMP_DIR" else >&2 echo 'ERROR: Invalid installer checksum for Composer' - rm composer-setup.php + rm -rf "$TMP_DIR" fi fi