🛡️ Sentinel: [CRITICAL] Fix predictable /tmp path vulnerability in apt.sh

[kidchenko]

🛡️ Sentinel: [CRITICAL] Fix predictable /tmp path vulnerability in apt.sh

🚨 Severity: CRITICAL
💡 Vulnerability: The tools/os_installers/apt.sh script previously downloaded the yq binary directly to /tmp/yq before executing a sudo mv /tmp/yq /usr/local/bin/yq. Because /tmp is a world-writable directory, a local attacker could pre-create a file or symlink at /tmp/yq, which might allow them to overwrite sensitive system files or execute arbitrary code when the sudo command interacts with it.
🎯 Impact: Local Privilege Escalation (LPE), Symlink Attacks, Arbitrary file overwrites.
🔧 Fix:

• Replaced the hardcoded /tmp/yq path with a securely generated directory using mktemp -d.
• Downloaded the artifact into the secure directory.
• Used sudo mv from the secure directory to /usr/local/bin/yq.
• Appended rm -rf to ensure the temporary directory is deleted after use.
• Documented the vulnerability, learning, and prevention strategy in .jules/sentinel.md as per the Sentinel guidelines.
  ✅ Verification:
• Validated bash syntax using bash -n tools/os_installers/apt.sh.
• Executed the ./build.sh script to verify there are no test regressions.

---

PR created automatically by Jules for task 9215587834297415694 started by @kidchenko

Summary by CodeRabbit

• Bug Fixes

  • Enhanced security in the yq installation process by implementing secure temporary file handling, reducing the risk of unauthorized access during tool installation.

• Documentation

  • Added security guidance documenting vulnerability mitigation strategies for temporary file operations.

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

📝 Walkthrough

Walkthrough

Documentation added for a temporary directory security vulnerability in the apt.sh installer script. The vulnerability fix updates the yq binary download process to use mktemp -d for secure temporary directories instead of a predictable /tmp/yq path, mitigating symlink attack and privilege escalation risks.

Changes

Cohort / File(s)	Summary
Security Vulnerability Documentation .jules/sentinel.md	Added vulnerability entry for 2024-05-24 documenting symlink attack and privilege escalation risks in apt.sh's fixed /tmp/yq path, with prevention guidelines using mktemp -d and cleanup.
Temporary Directory Security Fix tools/os_installers/apt.sh	Updated yq installation to use mktemp -d for creating isolated temporary directories, moving the downloaded binary from temp location to /usr/local/bin/yq, and cleaning up the temp directory afterward.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A path too predictable, a risk in the temp,
With mktemp and cleanup, we've got this ample!
No symlinks shall strike where our bunny resides,
Security strengthened with /tmp as our guide! 🛡️

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically summarizes the main change: fixing a predictable /tmp path vulnerability in apt.sh, which is the core focus of the changeset across both modified files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sentinel-fix-apt-sh-tmp-vulnerability-9215587834297415694

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.jules/sentinel.md:
- Around line 1-4: Make the first line a top-level heading and fix heading
spacing and line lengths: change the opening line to a top-level H1 (e.g., "#
2024-05-24 - Avoid predictable /tmp files in installation scripts"), ensure
there is a blank line after that heading (MD022), then reflow the subsequent
lines so no line exceeds the repo's max (wrap the Vulnerability, Learning, and
Prevention sections to fit MD013) and keep each section as separate subheadings
or bold labels to preserve structure; edit the content in .jules/sentinel.md
accordingly and keep the same wording but split long sentences across lines to
satisfy the linters (addresses MD041, MD022, MD013).

In `@tools/os_installers/apt.sh`:
- Around line 235-236: Add integrity verification for the yq binary before
moving it to /usr/local/bin: after downloading "${YQ_VERSION}/yq_linux_amd64" to
"$tmp_dir/yq", also download the corresponding "checksums" file for that release
into "$tmp_dir/checksums", compute and compare the sha256 of "$tmp_dir/yq"
against the entry for "yq_linux_amd64" in "$tmp_dir/checksums" (fail the script
with an error message and non‑zero exit if the checksum does not match), and
only then run the privileged install step (sudo mv "$tmp_dir/yq"
/usr/local/bin/yq); reference the YQ_VERSION and tmp_dir variables and the
"$tmp_dir/yq" artifact when implementing the verification and failure path.
- Around line 234-238: After creating tmp_dir with tmp_dir=$(mktemp -d), add a
trap on EXIT to always remove it (e.g., trap 'rm -rf "$tmp_dir"' EXIT) so
failures between the wget/move/chmod steps won't leave the temp dir behind;
place the trap immediately after the mktemp line and ensure the trap references
the tmp_dir variable (and is robust if tmp_dir is empty or unset).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7569d5c4-970f-4a6d-ad91-e020367987dd

📥 Commits

Reviewing files that changed from the base of the PR and between cb5949a and 1dd45fb.

📒 Files selected for processing (2)

• .jules/sentinel.md
• tools/os_installers/apt.sh

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Fix markdownlint blockers (MD041, MD022, MD013) in this new file.

CI currently fails because Line 1 is not a top-level heading, heading spacing is missing, and Lines 2–4 exceed max line length.

📝 Suggested lint-compliant rewrite

-## 2024-05-24 - [Avoid predictable /tmp files in installation scripts]
-**Vulnerability:** In `tools/os_installers/apt.sh`, the `yq` binary was downloaded directly to a predictable path `/tmp/yq` before being moved with `sudo` to a global path. This can expose the system to symlink attacks or local privilege escalation since `/tmp` is a world-writable directory.
-**Learning:** Hardcoding paths in `/tmp` for temporary files, especially those executed or moved with `sudo` privileges, introduces a vulnerability where malicious users could preemptively create a symlink or a file at that location.
-**Prevention:** Always use `mktemp -d` to create securely generated, isolated temporary directories (e.g. `tmp_dir=$(mktemp -d)`) and use these directories to store downloaded artifacts, ensuring they are deleted via `rm -rf` afterwards.
+# Sentinel Security Learnings
+
+## 2024-05-24 - Avoid predictable /tmp files in installation scripts
+
+**Vulnerability:** In `tools/os_installers/apt.sh`, the `yq` binary was
+downloaded to predictable `/tmp/yq` before `sudo` move to a global path.
+This enables symlink attacks and local privilege escalation in `/tmp`.
+
+**Learning:** Hardcoding `/tmp` paths for temporary files—especially files
+executed or moved with `sudo`—allows pre-creation of malicious files or
+symlinks by local users.
+
+**Prevention:** Use `mktemp -d` to create isolated temp directories
+(`tmp_dir=$(mktemp -d)`), store artifacts there, and delete them with
+`rm -rf` afterward.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	## 2024-05-24 - [Avoid predictable /tmp files in installation scripts]
	**Vulnerability:** In `tools/os_installers/apt.sh`, the `yq` binary was downloaded directly to a predictable path `/tmp/yq` before being moved with `sudo` to a global path. This can expose the system to symlink attacks or local privilege escalation since `/tmp` is a world-writable directory.
	**Learning:** Hardcoding paths in `/tmp` for temporary files, especially those executed or moved with `sudo` privileges, introduces a vulnerability where malicious users could preemptively create a symlink or a file at that location.
	**Prevention:** Always use `mktemp -d` to create securely generated, isolated temporary directories (e.g. `tmp_dir=$(mktemp -d)`) and use these directories to store downloaded artifacts, ensuring they are deleted via `rm -rf` afterwards.
	# Sentinel Security Learnings
	## 2024-05-24 - Avoid predictable /tmp files in installation scripts
	**Vulnerability:** In `tools/os_installers/apt.sh`, the `yq` binary was
	downloaded to predictable `/tmp/yq` before `sudo` move to a global path.
	This enables symlink attacks and local privilege escalation in `/tmp`.
	**Learning:** Hardcoding `/tmp` paths for temporary files—especially files
	executed or moved with `sudo`—allows pre-creation of malicious files or
	symlinks by local users.
	**Prevention:** Use `mktemp -d` to create isolated temp directories
	(`tmp_dir=$(mktemp -d)`), store artifacts there, and delete them with
	`rm -rf` afterward.

🧰 Tools

🪛 GitHub Check: Lint Documentation

[failure] 4-4: Line length
.jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 237] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

---

[failure] 3-3: Line length
.jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 233] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

---

[failure] 2-2: Line length
.jules/sentinel.md:2:81 MD013/line-length Line length [Expected: 80; Actual: 292] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

---

[failure] 1-1: First line in a file should be a top-level heading
.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2024-05-24 - [Avoid predict..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md

---

[failure] 1-1: Headings should be surrounded by blank lines
.jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2024-05-24 - [Avoid predictable /tmp files in installation scripts]"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md

🪛 LanguageTool

[locale-violation] ~4-~4: In American English, ‘afterward’ is the preferred variant. ‘Afterwards’ is more commonly used in British English and other dialects.
Context: ... ensuring they are deleted via rm -rf afterwards.

(AFTERWARDS_US)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.jules/sentinel.md around lines 1 - 4, Make the first line a top-level
heading and fix heading spacing and line lengths: change the opening line to a
top-level H1 (e.g., "# 2024-05-24 - Avoid predictable /tmp files in installation
scripts"), ensure there is a blank line after that heading (MD022), then reflow
the subsequent lines so no line exceeds the repo's max (wrap the Vulnerability,
Learning, and Prevention sections to fit MD013) and keep each section as
separate subheadings or bold labels to preserve structure; edit the content in
.jules/sentinel.md accordingly and keep the same wording but split long
sentences across lines to satisfy the linters (addresses MD041, MD022, MD013).

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify whether yq installation block has trap-based cleanup around mktemp usage.
rg -n -C3 'Installing yq|mktemp -d|trap .*EXIT|rm -rf "\$tmp_dir"|wget .*yq_linux_amd64|sudo (mv|install) .*yq' tools/os_installers/apt.sh

Repository: kidchenko/dotfiles

Length of output: 484

---

🏁 Script executed:

# Check if set -e is enabled at line 7
head -10 tools/os_installers/apt.sh

Repository: kidchenko/dotfiles

Length of output: 283

---

🏁 Script executed:

# Get broader context around the yq installation block to check for error handling
sed -n '230,240p' tools/os_installers/apt.sh

Repository: kidchenko/dotfiles

Length of output: 399

---

Ensure temporary directory cleanup runs on failure paths.

Because set -e is enabled (Line 7), any failure on Line 235–Line 237 exits before Line 238, leaving the temp directory behind. Add an EXIT trap right after creating tmp_dir.

💡 Suggested fix

-    tmp_dir=$(mktemp -d)
+    tmp_dir="$(mktemp -d)"
+    cleanup_yq_tmp() { rm -rf "$tmp_dir"; }
+    trap cleanup_yq_tmp EXIT
     wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$tmp_dir/yq"
     sudo mv "$tmp_dir/yq" /usr/local/bin/yq
     sudo chmod +x /usr/local/bin/yq
-    rm -rf "$tmp_dir"
+    cleanup_yq_tmp
+    trap - EXIT

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tools/os_installers/apt.sh` around lines 234 - 238, After creating tmp_dir
with tmp_dir=$(mktemp -d), add a trap on EXIT to always remove it (e.g., trap
'rm -rf "$tmp_dir"' EXIT) so failures between the wget/move/chmod steps won't
leave the temp dir behind; place the trap immediately after the mktemp line and
ensure the trap references the tmp_dir variable (and is robust if tmp_dir is
empty or unset).

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

For GitHub release yq v4.44.6, what is the official checksum (or signature) verification workflow for the yq_linux_amd64 binary, including the exact checksum file URL and verification command?

💡 Result:

The official checksum verification workflow for the yq_linux_amd64 binary in GitHub release v4.44.6 of mikefarah/yq is as follows: 1. Download the binary from: https://github.com/mikefarah/yq/releases/download/v4.44.6/yq_linux_amd64 2. Download the checksum files: - checksums: https://github.com/mikefarah/yq/releases/download/v4.44.6/checksums - checksums_hashes_order: https://github.com/mikefarah/yq/releases/download/v4.44.6/checksums_hashes_order - (optionally) extract-checksum.sh: https://github.com/mikefarah/yq/releases/download/v4.44.6/extract-checksum.sh 3. Extract the SHA-256 checksum using the provided script (recommended): ./extract-checksum.sh SHA-256 yq_linux_amd64 This outputs the expected SHA-256 hash for the binary (e.g., "acebc9d07aa2d0e482969b2c080ee306e8f58efbd6f2d857eefbce6469da1473" from example usage). 4. Verify the checksum: sha256sum yq_linux_amd64 Compare the output to the extracted hash. Alternatively, pipe the extracted line to a verifier like sha256sum --check or rhash -c -. This workflow uses multiple hash algorithms in a single 'checksums' file, with 'checksums_hashes_order' defining the column order. The extract script simplifies retrieval of the specific SHA-256 value without depending on tool versions. No GPG signatures are provided; verification relies on these checksums. v4.44.6 exists as confirmed by release references and actions (Dec 2024), following the standard pattern seen in later releases like v4.52.4.

Citations:

• 1: https://github.com/mikefarah/yq/releases
• 2: https://github.com/mikefarah/yq/actions/runs/12210940780
• 3: https://github.com/mikefarah/yq/blob/master/scripts/extract-checksum.sh
• 4: Please publish file hashes with releases mikefarah/yq#801
• 5: rhash is failing verification on the new release mikefarah/yq#1011

---

🏁 Script executed:

# Check the file size and examine the relevant lines and context
wc -l tools/os_installers/apt.sh

Repository: kidchenko/dotfiles

Length of output: 92

---

🏁 Script executed:

# Read the context around lines 235-236 to see YQ_VERSION and any verification
sed -n '220,250p' tools/os_installers/apt.sh

Repository: kidchenko/dotfiles

Length of output: 948

---

🏁 Script executed:

# Search for any checksum or signature verification in the entire file
grep -n "checksum\|signature\|sha256\|md5\|gpg\|verify" tools/os_installers/apt.sh

Repository: kidchenko/dotfiles

Length of output: 1484

---

Add checksum verification for yq binary before installation.

Line 235 downloads yq binary from GitHub and line 236 installs it to /usr/local/bin with sudo without integrity verification. While this script implements verification for other packages (Composer, Docker, Yarn, etc.), yq installation skips this critical step.

The yq project provides official checksums at: https://github.com/mikefarah/yq/releases/download/v4.44.6/checksums

Verify the downloaded binary before privileged installation:

wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/checksums" -O "$tmp_dir/checksums"
sha256sum "$tmp_dir/yq" | grep -f <(grep yq_linux_amd64 "$tmp_dir/checksums") || { echo "Checksum mismatch"; exit 1; }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tools/os_installers/apt.sh` around lines 235 - 236, Add integrity
verification for the yq binary before moving it to /usr/local/bin: after
downloading "${YQ_VERSION}/yq_linux_amd64" to "$tmp_dir/yq", also download the
corresponding "checksums" file for that release into "$tmp_dir/checksums",
compute and compare the sha256 of "$tmp_dir/yq" against the entry for
"yq_linux_amd64" in "$tmp_dir/checksums" (fail the script with an error message
and non‑zero exit if the checksum does not match), and only then run the
privileged install step (sudo mv "$tmp_dir/yq" /usr/local/bin/yq); reference the
YQ_VERSION and tmp_dir variables and the "$tmp_dir/yq" artifact when
implementing the verification and failure path.