4 changes: 4 additions & 0 deletions .jules/sentinel.md
@@ -0,0 +1,4 @@
## 2024-03-14 - [Predictable Temporary File Vulnerabilities]
**Vulnerability:** The `apt.sh` script downloaded executables to predictable paths (like `/tmp/yq`) and current working directory before moving/executing them with `sudo`.
**Learning:** Hardcoded, predictable file paths in world-writable directories (`/tmp`) allow attackers to pre-create files or symlinks, leading to Local Privilege Escalation (LPE) and file overwrite vulnerabilities, especially when `sudo` is involved later. Additionally, downloading to the current working directory without control over its contents can overwrite existing files unexpectedly or execute attacker-controlled binaries.
**Prevention:** Always use securely generated temporary directories (e.g., `mktemp -d`) for downloads and intermediate file processing in shell scripts, particularly those running with or transitioning to elevated privileges. Use the temporary directory as a secure staging area, clean it up when done, and use absolute paths when moving the final artifacts to their destinations.
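Review bot: the Prevention line (line 4) stops at staging in `mktemp -d`, but the `apt.sh` hunks in this same PR still fetch go, yq and lsd with `wget` and hand them to `sudo` without any integrity check, so the entry closes the pre-planted-symlink path and leaves the swapped-or-truncated-download path open; add a sentence that the staged artifact should be checksum- or signature-verified before `sudo` touches it, as the Composer block already does with its sha384 comparison. It is also worth recording why `mktemp -d` works, since that is the property the old `/tmp/yq` path lacked: the directory is created with an unpredictable name and mode 0700, so no other local user can have placed a file or symlink inside it before the download lands.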
Comment on lines +1 to +4
⚠️ Potential issue | 🟑 Minor

Fix markdown lint violations to pass CI.

The documentation lint check is failing with multiple issues:

  1. Line 1: First line should be a top-level heading (# instead of ##) and needs a blank line below it.
  2. Lines 2-4: Line lengths exceed 80 characters (MD013). Consider reformatting with line breaks.
  3. Date typo: The heading shows 2024-03-14 but should likely be 2026-03-14.
πŸ“ Proposed fix for lint compliance
-## 2024-03-14 - [Predictable Temporary File Vulnerabilities]
-**Vulnerability:** The `apt.sh` script downloaded executables to predictable paths (like `/tmp/yq`) and current working directory before moving/executing them with `sudo`.
-**Learning:** Hardcoded, predictable file paths in world-writable directories (`/tmp`) allow attackers to pre-create files or symlinks, leading to Local Privilege Escalation (LPE) and file overwrite vulnerabilities, especially when `sudo` is involved later. Additionally, downloading to the current working directory without control over its contents can overwrite existing files unexpectedly or execute attacker-controlled binaries.
-**Prevention:** Always use securely generated temporary directories (e.g., `mktemp -d`) for downloads and intermediate file processing in shell scripts, particularly those running with or transitioning to elevated privileges. Use the temporary directory as a secure staging area, clean it up when done, and use absolute paths when moving the final artifacts to their destinations.
+# Security Journal
+
+## 2026-03-14 - Predictable Temporary File Vulnerabilities
+
+**Vulnerability:** The `apt.sh` script downloaded executables to predictable
+paths (like `/tmp/yq`) and current working directory before moving/executing
+them with `sudo`.
+
+**Learning:** Hardcoded, predictable file paths in world-writable directories
+(`/tmp`) allow attackers to pre-create files or symlinks, leading to Local
+Privilege Escalation (LPE) and file overwrite vulnerabilities, especially when
+`sudo` is involved later. Additionally, downloading to the current working
+directory without control over its contents can overwrite existing files
+unexpectedly or execute attacker-controlled binaries.
+
+**Prevention:** Always use securely generated temporary directories (e.g.,
+`mktemp -d`) for downloads and intermediate file processing in shell scripts,
+particularly those running with or transitioning to elevated privileges. Use
+the temporary directory as a secure staging area, clean it up when done, and
+use absolute paths when moving the final artifacts to their destinations.
πŸ“ Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
## 2024-03-14 - [Predictable Temporary File Vulnerabilities]
**Vulnerability:** The `apt.sh` script downloaded executables to predictable paths (like `/tmp/yq`) and current working directory before moving/executing them with `sudo`.
**Learning:** Hardcoded, predictable file paths in world-writable directories (`/tmp`) allow attackers to pre-create files or symlinks, leading to Local Privilege Escalation (LPE) and file overwrite vulnerabilities, especially when `sudo` is involved later. Additionally, downloading to the current working directory without control over its contents can overwrite existing files unexpectedly or execute attacker-controlled binaries.
**Prevention:** Always use securely generated temporary directories (e.g., `mktemp -d`) for downloads and intermediate file processing in shell scripts, particularly those running with or transitioning to elevated privileges. Use the temporary directory as a secure staging area, clean it up when done, and use absolute paths when moving the final artifacts to their destinations.
# Security Journal
## 2026-03-14 - Predictable Temporary File Vulnerabilities
**Vulnerability:** The `apt.sh` script downloaded executables to predictable
paths (like `/tmp/yq`) and current working directory before moving/executing
them with `sudo`.
**Learning:** Hardcoded, predictable file paths in world-writable directories
(`/tmp`) allow attackers to pre-create files or symlinks, leading to Local
Privilege Escalation (LPE) and file overwrite vulnerabilities, especially when
`sudo` is involved later. Additionally, downloading to the current working
directory without control over its contents can overwrite existing files
unexpectedly or execute attacker-controlled binaries.
**Prevention:** Always use securely generated temporary directories (e.g.,
`mktemp -d`) for downloads and intermediate file processing in shell scripts,
particularly those running with or transitioning to elevated privileges. Use
the temporary directory as a secure staging area, clean it up when done, and
use absolute paths when moving the final artifacts to their destinations.
🧰 Tools
🪛 GitHub Check: Lint Documentation

[failure] 4-4: Line length
.jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 380] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md


[failure] 3-3: Line length
.jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 433] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md


[failure] 2-2: Line length
.jules/sentinel.md:2:81 MD013/line-length Line length [Expected: 80; Actual: 171] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md


[failure] 1-1: First line in a file should be a top-level heading
.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2024-03-14 - [Predictable T..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md


[failure] 1-1: Headings should be surrounded by blank lines
.jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2024-03-14 - [Predictable Temporary File Vulnerabilities]"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.jules/sentinel.md around lines 1 - 4, Update the markdown to satisfy lint
rules: change the top-level heading from "## 2024-03-14 - [Predictable Temporary
File Vulnerabilities]" to use a single leading '#' and correct the date to
"2026-03-14", ensure there is a blank line after that heading, and reflow the
following bullet paragraphs (the vulnerability, learning, and prevention lines)
to keep line lengths under 80 characters (add line breaks and shorter sentences
as needed) so the file .jules/sentinel.md passes MD013 and the
heading/blank-line lint checks.
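The hijack that the `.jules/sentinel.md` entry describes, and the `mktemp -d` staging it recommends, as an added shell example that is not code from this PR or from `apt.sh`. It plays both sides inside a throwaway sandbox: an attacker pre-creates the predictable name as a symlink, then the old fixed-path install and the hardened staged install each run against it. `fetch` stands in for `wget`, one sandbox subdirectory stands in for `/tmp` and another for `/usr/local/bin`; these are assumptions of the example, and no network or `sudo` is needed.

```shell
#!/bin/sh
# Added example, not code from the PR or from apt.sh. It reproduces the
# attack described in .jules/sentinel.md (an attacker pre-creates the
# predictable download path as a symlink) and the mktemp -d staging that
# defeats it. Everything happens inside a throwaway sandbox: "fetch" stands
# in for wget, "$shared" for /tmp, "$dest" for /usr/local/bin (all of these
# are assumptions of the example); no network and no sudo are needed.
set -u

# Stand-in for `wget URL -O DEST`: like wget it opens DEST for writing, so
# it follows whatever symlink already sits at that path.
fetch() {
    printf 'fake yq binary\n' > "$2"
}

# Attacker step: plant the well-known name as a symlink to a file they
# want overwritten (a stand-in for a root-owned file).
plant_symlink() {
    ln -s "$2" "$1/yq"
}

# Old apt.sh pattern: fixed, world-known path in a shared directory, then
# mv (which also moves the planted symlink itself) and chmod.
install_vulnerable() {
    shared=$1 dest=$2
    fetch "https://example.invalid/yq" "$shared/yq"
    mv "$shared/yq" "$dest/yq"
    chmod +x "$dest/yq"
}

# Hardened pattern: stage in a fresh mktemp -d directory (unpredictable
# name, mode 0700, so nothing can have been planted inside it), refuse
# anything that is not a plain file, copy into place with an explicit mode,
# and clean up on every exit path.
install_hardened() {
    dest=$1
    tmp=$(mktemp -d) || return 1
    if ! fetch "https://example.invalid/yq" "$tmp/yq"; then
        rm -rf "$tmp"; return 1
    fi
    if [ -L "$tmp/yq" ] || [ ! -f "$tmp/yq" ]; then
        rm -rf "$tmp"; return 1
    fi
    # install(1) writes a new file at the destination with the given mode
    # (and, under sudo, -o root -g root), instead of mv keeping the
    # downloader's ownership plus a separate chmod.
    install -m 0755 "$tmp/yq" "$dest/yq"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Runs one scenario in a fresh sandbox and prints "clobbered" if the
# attacker's target file was overwritten, "intact" if it survived.
run_scenario() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/shared" "$sandbox/bin"
    printf 'original contents\n' > "$sandbox/target"
    plant_symlink "$sandbox/shared" "$sandbox/target"   # attacker wins the race
    case $1 in
        vulnerable) install_vulnerable "$sandbox/shared" "$sandbox/bin" ;;
        hardened)   install_hardened "$sandbox/bin" ;;
    esac
    if [ "$(cat "$sandbox/target")" = "original contents" ]; then
        result=intact
    else
        result=clobbered
    fi
    rm -rf "$sandbox"
    printf '%s\n' "$result"
}

run_scenario vulnerable   # prints: clobbered
run_scenario hardened     # prints: intact
```

Two caveats for reading the result against real systems. On Linux with `fs.protected_symlinks=1` (the default on current distributions) the kernel refuses to follow another user's symlink in a sticky, world-writable directory such as `/tmp`, which is why the sandbox here is an ordinary directory; a download into the current working directory, the other case the entry mentions, gets no such protection. The `install` line is also the form to use under `sudo` in `apt.sh` (`sudo install -m 0755 -o root -g root SRC DEST`), because `sudo mv` keeps the downloading user's ownership of the file that ends up in `/usr/local/bin`.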

31 changes: 18 additions & 13 deletions tools/os_installers/apt.sh
@@ -205,10 +205,11 @@ fi
echo "Installing Go..."
if ! command -v go &> /dev/null; then
GO_VERSION="1.23.4"
wget "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz"
TMP_DIR=$(mktemp -d)
wget "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" -O "$TMP_DIR/go.tar.gz"
sudo rm -rf /usr/local/go
sudo tar -C /usr/local -xzf "go${GO_VERSION}.linux-amd64.tar.gz"
rm "go${GO_VERSION}.linux-amd64.tar.gz"
sudo tar -C /usr/local -xzf "$TMP_DIR/go.tar.gz"
rm -rf "$TMP_DIR"
echo "NOTE: Add 'export PATH=\$PATH:/usr/local/go/bin' to your shell profile"
fi

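Review bot: `sudo rm -rf /usr/local/go` still runs before anything checks that the `wget` into `"$TMP_DIR/go.tar.gz"` succeeded, so a failed or interrupted download deletes a working toolchain and `tar` is then pointed at an empty or partial archive; unless the script runs under `set -e` (not visible in this diff), fail the download explicitly, e.g. `wget ... -O "$TMP_DIR/go.tar.gz" || exit 1`, and better still compare the archive against the sha256 that go.dev/dl publishes for `go${GO_VERSION}.linux-amd64.tar.gz` before the `rm -rf`. The `rm -rf "$TMP_DIR"` on the last added line is also skipped whenever `tar` fails, so a `trap 'rm -rf "$TMP_DIR"' EXIT` right after `TMP_DIR=$(mktemp -d)` would cover every exit path.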
@@ -231,18 +232,21 @@ fi
echo "Installing yq..."
if ! command -v yq &> /dev/null; then
YQ_VERSION="v4.44.6"
wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O /tmp/yq
sudo mv /tmp/yq /usr/local/bin/yq
TMP_DIR=$(mktemp -d)
wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$TMP_DIR/yq"
sudo mv "$TMP_DIR/yq" /usr/local/bin/yq
sudo chmod +x /usr/local/bin/yq
rm -rf "$TMP_DIR"
fi

# Install lsd (LSDeluxe)
echo "Installing lsd..."
if ! command -v lsd &> /dev/null; then
LSD_VERSION="1.1.5"
wget "https://github.com/lsd-rs/lsd/releases/download/v${LSD_VERSION}/lsd_${LSD_VERSION}_amd64.deb"
sudo dpkg -i "lsd_${LSD_VERSION}_amd64.deb"
rm "lsd_${LSD_VERSION}_amd64.deb"
TMP_DIR=$(mktemp -d)
wget "https://github.com/lsd-rs/lsd/releases/download/v${LSD_VERSION}/lsd_${LSD_VERSION}_amd64.deb" -O "$TMP_DIR/lsd.deb"
sudo dpkg -i "$TMP_DIR/lsd.deb"
rm -rf "$TMP_DIR"
fi

# Install Tesseract OCR
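Review bot: `sudo mv "$TMP_DIR/yq" /usr/local/bin/yq` preserves the file's ownership, so the installed binary belongs to the invoking user rather than root, and that account (or anything running as it) can later rewrite a program that root and every other user will execute; replace the `sudo mv` and `sudo chmod +x` pair with `sudo install -m 0755 -o root -g root "$TMP_DIR/yq" /usr/local/bin/yq`, which copies into a fresh root-owned file with the mode set in one step. Nothing in this hunk verifies the yq binary or the lsd `.deb` before they are handed to `sudo`, whereas the Composer block below checks a sha384, so fetch and compare the release checksum for `yq_linux_amd64` (and for `lsd_${LSD_VERSION}_amd64.deb`) before the `mv`/`dpkg -i`; as in the Go hunk, a `trap 'rm -rf "$TMP_DIR"' EXIT` would also make the cleanup survive a failed download.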
@@ -253,15 +257,16 @@ sudo apt install -y tesseract-ocr
echo "Installing Composer..."
if ! command -v composer &> /dev/null; then
EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')"
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")"
TMP_DIR=$(mktemp -d)
php -r "copy('https://getcomposer.org/installer', '$TMP_DIR/composer-setup.php');"
ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', '$TMP_DIR/composer-setup.php');")"

if [ "$EXPECTED_CHECKSUM" = "$ACTUAL_CHECKSUM" ]; then
sudo php composer-setup.php --quiet --install-dir=/usr/local/bin --filename=composer
rm composer-setup.php
sudo php "$TMP_DIR/composer-setup.php" --quiet --install-dir=/usr/local/bin --filename=composer
rm -rf "$TMP_DIR"
else
>&2 echo 'ERROR: Invalid installer checksum for Composer'
rm composer-setup.php
rm -rf "$TMP_DIR"
fi
fi

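Review bot: the cleanup `rm -rf "$TMP_DIR"` is now duplicated in both branches of the `if` and is still missed when `php -r "copy(...)"` or the `hash_file` call fails part way, so a single `trap 'rm -rf "$TMP_DIR"' EXIT` placed right after `TMP_DIR=$(mktemp -d)` would be simpler and cover those paths too. While here, the mismatch branch only prints `ERROR: Invalid installer checksum for Composer` and lets the script carry on, which defeats the purpose of the comparison; add an `exit 1` after the message. Minor: `$TMP_DIR` is spliced into PHP source inside double quotes, which is fine for `mktemp`'s default names but breaks if `TMPDIR` contains a quote or other PHP-significant character.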