From 964bfcfe3a195adbc78b85e936775d39cfc5758b Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Sat, 14 Mar 2026 04:58:32 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[CRITICAL]?=
 =?UTF-8?q?=20Fix=20predictable=20temporary=20file=20vulnerability?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Updated `tools/os_installers/apt.sh` to use securely generated temporary directories (`mktemp -d`) for downloads and installations (Go, yq, lsd, Composer) instead of predictable paths in `/tmp/` or the current working directory. This mitigates Local Privilege Escalation (LPE) and symlink attacks when executing with elevated privileges. Added journal entry to `.jules/sentinel.md`.

Co-authored-by: kidchenko <5432753+kidchenko@users.noreply.github.com>
---
 .jules/sentinel.md | 4 ++++
 tools/os_installers/apt.sh | 31 ++++++++++++++++++-------------
 2 files changed, 22 insertions(+), 13 deletions(-)
 create mode 100644 .jules/sentinel.md

diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..7158521
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2024-03-14 - [Predictable Temporary File Vulnerabilities]
+**Vulnerability:** The `apt.sh` script downloaded executables to predictable paths (like `/tmp/yq`) and current working directory before moving/executing them with `sudo`.
+**Learning:** Hardcoded, predictable file paths in world-writable directories (`/tmp`) allow attackers to pre-create files or symlinks, leading to Local Privilege Escalation (LPE) and file overwrite vulnerabilities, especially when `sudo` is involved later. Additionally, downloading to the current working directory without control over its contents can overwrite existing files unexpectedly or execute attacker-controlled binaries.
+**Prevention:** Always use securely generated temporary directories (e.g., `mktemp -d`) for downloads and intermediate file processing in shell scripts, particularly those running with or transitioning to elevated privileges. Use the temporary directory as a secure staging area, clean it up when done, and use absolute paths when moving the final artifacts to their destinations.
diff --git a/tools/os_installers/apt.sh b/tools/os_installers/apt.sh
index 156016b..f559d67 100644
--- a/tools/os_installers/apt.sh
+++ b/tools/os_installers/apt.sh
@@ -205,10 +205,11 @@ fi
 echo "Installing Go..."
 if ! command -v go &> /dev/null; then
 GO_VERSION="1.23.4"
- wget "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz"
+ TMP_DIR=$(mktemp -d)
+ wget "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" -O "$TMP_DIR/go.tar.gz"
 sudo rm -rf /usr/local/go
- sudo tar -C /usr/local -xzf "go${GO_VERSION}.linux-amd64.tar.gz"
- rm "go${GO_VERSION}.linux-amd64.tar.gz"
+ sudo tar -C /usr/local -xzf "$TMP_DIR/go.tar.gz"
+ rm -rf "$TMP_DIR"
 echo "NOTE: Add 'export PATH=\$PATH:/usr/local/go/bin' to your shell profile"
 fi
 
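Review bot: `TMP_DIR=$(mktemp -d)` and the following `wget` are not checked for failure, so the `sudo rm -rf /usr/local/go` on the next line still runs before the download is known to be good; wget creates and truncates its `-O` target before the transfer, so a failed fetch leaves an empty `go.tar.gz`, `tar` then fails, and the previous Go install is already gone. Whether the script runs under `set -e` is not visible in this hunk; without it the straight-line `rm -rf "$TMP_DIR"` still runs after the failed tar, and with it the temporary directory leaks instead. Suggest `TMP_DIR=$(mktemp -d) || exit 1` and `wget "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" -O "$TMP_DIR/go.tar.gz" || { rm -rf -- "$TMP_DIR"; exit 1; }` before anything touches /usr/local/go, or a `trap 'rm -rf -- "$TMP_DIR"' EXIT` right after mktemp so cleanup happens on every exit path. The same unchecked `mktemp -d` is introduced in the yq, lsd and Composer hunks below. The archive is also installed without any checksum or signature verification, unlike the Composer section, which compares a published SHA-384 before running the installer.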
@@ -231,18 +232,21 @@ fi
 echo "Installing yq..."
 if ! command -v yq &> /dev/null; then
 YQ_VERSION="v4.44.6"
- wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O /tmp/yq
- sudo mv /tmp/yq /usr/local/bin/yq
+ TMP_DIR=$(mktemp -d)
+ wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$TMP_DIR/yq"
+ sudo mv "$TMP_DIR/yq" /usr/local/bin/yq
 sudo chmod +x /usr/local/bin/yq
+ rm -rf "$TMP_DIR"
 fi
 
 # Install lsd (LSDeluxe)
 echo "Installing lsd..."
 if ! command -v lsd &> /dev/null; then
 LSD_VERSION="1.1.5"
- wget "https://github.com/lsd-rs/lsd/releases/download/v${LSD_VERSION}/lsd_${LSD_VERSION}_amd64.deb"
- sudo dpkg -i "lsd_${LSD_VERSION}_amd64.deb"
- rm "lsd_${LSD_VERSION}_amd64.deb"
+ TMP_DIR=$(mktemp -d)
+ wget "https://github.com/lsd-rs/lsd/releases/download/v${LSD_VERSION}/lsd_${LSD_VERSION}_amd64.deb" -O "$TMP_DIR/lsd.deb"
+ sudo dpkg -i "$TMP_DIR/lsd.deb"
+ rm -rf "$TMP_DIR"
 fi
 
 # Install Tesseract OCR
@@ -253,15 +257,16 @@ sudo apt install -y tesseract-ocr
 echo "Installing Composer..."
 if ! command -v composer &> /dev/null; then
 EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')"
- php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
- ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")"
+ TMP_DIR=$(mktemp -d)
+ php -r "copy('https://getcomposer.org/installer', '$TMP_DIR/composer-setup.php');"
+ ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', '$TMP_DIR/composer-setup.php');")"
 if [ "$EXPECTED_CHECKSUM" = "$ACTUAL_CHECKSUM" ]; then
- sudo php composer-setup.php --quiet --install-dir=/usr/local/bin --filename=composer
- rm composer-setup.php
+ sudo php "$TMP_DIR/composer-setup.php" --quiet --install-dir=/usr/local/bin --filename=composer
+ rm -rf "$TMP_DIR"
 else
 >&2 echo 'ERROR: Invalid installer checksum for Composer'
- rm composer-setup.php
+ rm -rf "$TMP_DIR"
 fi
 fi
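Review bot: `sudo mv "$TMP_DIR/yq" /usr/local/bin/yq` followed by `sudo chmod +x` installs a file that mv leaves owned by the invoking user (the file was created by that user inside the mktemp directory), so an unprivileged account could later rewrite a binary that root and other users execute; `sudo install -m 0755 "$TMP_DIR/yq" /usr/local/bin/yq` replaces both lines and sets root ownership and mode in one step. As in the Go hunk, `mktemp -d` and `wget` are unchecked here: wget creates its `-O` target before the transfer, so a failed download followed by the `mv` would still install an empty `yq`; `wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$TMP_DIR/yq" || { rm -rf -- "$TMP_DIR"; exit 1; }` guards that (whether `set -e` is active is not visible in the hunk). The lsd `.deb` goes through `dpkg -i`, which rejects an empty file, but like yq it is installed without any checksum or signature verification, while the Composer section in the next hunk does verify a published hash.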