🛡️ Sentinel: [MEDIUM] Fix predictable temp paths in apt.sh

[kidchenko]

🚨 Severity: MEDIUM
💡 Vulnerability: Use of predictable temporary file paths (/tmp/yq) and downloading executables/archives into the current working directory in tools/os_installers/apt.sh.
🎯 Impact: These paths can be predicted by an attacker to conduct a symlink attack or file overwriting, especially when operations like sudo mv /tmp/yq ... or sudo dpkg -i ... are performed, which can lead to local privilege escalation.
🔧 Fix: Replaced hardcoded /tmp paths and cwd downloads with securely generated isolated temporary directories using mktemp -d.
✅ Verification: Run ./build.sh to ensure scripts pass linting (shellcheck). Examine tools/os_installers/apt.sh to verify Go, yq, and lsd installations use tmp_dir=$(mktemp -d) and that rm -rf "${tmp_dir}" cleans up properly.

---

PR created automatically by Jules for task 1803863750734523242 started by @kidchenko

Summary by CodeRabbit

• Bug Fixes

  • Improved security in installation scripts by using randomized temporary directories instead of predictable paths, reducing vulnerability to symlink attacks and file overwriting exploits.

• Documentation

  • Added security advisory documenting temporary file path vulnerability patterns and prevention directives.

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request enhances security by replacing predictable temporary file paths with randomized directories. A vulnerability entry is added to document the issue, while the installation script is modified to use mktemp -d for creating isolated temporary directories during downloads and installations.

Changes

Cohort / File(s)	Summary
Security Documentation .jules/sentinel.md	Added entry documenting hardcoded and predictable temporary file path vulnerability, including exploitation risks and mktemp -d mitigation directive.
Installation Script Security Hardening tools/os_installers/apt.sh	Modified Go, yq, and lsd download and installation flows to use per-tool temporary directories created via mktemp -d, updating download targets and cleanup logic to reference temp paths rather than fixed locations.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Temp paths were predictable, oh dear, oh my,
Now mktemp -d makes them randomized and spry!
No more symlink tricks in directories we share,
The rabbit hops safer through /tmp with care! 🔐

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title references a specific security fix (predictable temp paths in apt.sh) that aligns with the primary changeset, though it includes a non-descriptive emoji and severity label that add noise rather than clarity.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sentinel/fix-predictable-temp-paths-1803863750734523242

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

tools/os_installers/apt.sh (1)

258-270: Composer installation still uses current working directory.

For consistency with the security fixes applied to Go, yq, and lsd, consider applying the same mktemp -d pattern here. The composer-setup.php is currently downloaded to the cwd.

♻️ Optional: Apply same pattern to Composer installation

 if ! command -v composer &> /dev/null; then
+    tmp_dir=$(mktemp -d)
+    cd "${tmp_dir}"
     EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')"
     php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
     ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")"
 
     if [ "$EXPECTED_CHECKSUM" = "$ACTUAL_CHECKSUM" ]; then
         sudo php composer-setup.php --quiet --install-dir=/usr/local/bin --filename=composer
-        rm composer-setup.php
     else
         >&2 echo 'ERROR: Invalid installer checksum for Composer'
-        rm composer-setup.php
     fi
+    cd - > /dev/null
+    rm -rf "${tmp_dir}"
 fi

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tools/os_installers/apt.sh` around lines 258 - 270, The Composer installer is
currently downloaded into the current working directory (composer-setup.php);
change the block in tools/os_installers/apt.sh to create a private temp
directory with mktemp -d, download EXPECTED_CHECKSUM and composer-setup.php into
that temp dir, compute ACTUAL_CHECKSUM against the temp file, run php on the
temp composer-setup.php (installing to /usr/local/bin), and then rm the temp
file and rmdir the temp directory (use a trap to ensure cleanup on exit); update
references to composer-setup.php in the EXPECTED_CHECKSUM/ACTUAL_CHECKSUM and
install/remove steps so they use the temp-dir path.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.jules/sentinel.md:
- Around line 1-4: Update the sentinel entry to satisfy markdown lint rules:
change the date in the heading from "2024-03-20" to "2026-03-20", make the first
heading a top-level heading by replacing "##" with "#" for the title line, add a
blank line before and after that heading to satisfy MD022, and wrap long lines
in the body (the vulnerability, learning, and prevention lines) so each line is
<=80 characters; refer to the heading text "Hardcoded and Predictable Temporary
File Paths" and the three bullet lines (Vulnerability, Learning, Prevention)
when editing.

---

Nitpick comments:
In `@tools/os_installers/apt.sh`:
- Around line 258-270: The Composer installer is currently downloaded into the
current working directory (composer-setup.php); change the block in
tools/os_installers/apt.sh to create a private temp directory with mktemp -d,
download EXPECTED_CHECKSUM and composer-setup.php into that temp dir, compute
ACTUAL_CHECKSUM against the temp file, run php on the temp composer-setup.php
(installing to /usr/local/bin), and then rm the temp file and rmdir the temp
directory (use a trap to ensure cleanup on exit); update references to
composer-setup.php in the EXPECTED_CHECKSUM/ACTUAL_CHECKSUM and install/remove
steps so they use the temp-dir path.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3bc8daf9-58f9-473c-87f0-85ca9c497698

📥 Commits

Reviewing files that changed from the base of the PR and between 68da5e9 and 5806ff7.

📒 Files selected for processing (2)

• .jules/sentinel.md
• tools/os_installers/apt.sh

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Fix linting issues flagged by static analysis.

The documentation content is accurate, but there are several markdown lint failures:

1. Line 1: Date appears incorrect - should be 2026-03-20 based on PR creation date
2. MD041: First line should be a top-level heading (# not ##)
3. MD022: Heading should be surrounded by blank lines
4. MD013: Lines 2-4 exceed the 80-character limit

📝 Proposed fix for linting issues

-## 2024-03-20 - [Hardcoded and Predictable Temporary File Paths]
-**Vulnerability:** Use of predictable temporary file paths like `/tmp/yq`, and downloading executables/archives (`go...tar.gz`, `lsd...deb`) into the current working directory.
-**Learning:** These paths can be predicted by an attacker to conduct a symlink attack or file overwriting, especially when operations like `sudo mv /tmp/yq ...` or `sudo dpkg -i ...` are performed, which can lead to local privilege escalation. Downloading to `cwd` can also clutter the directory or overwrite existing files unintentionally.
-**Prevention:** Use `mktemp -d` to securely generate a random, isolated temporary directory for downloading and manipulating files before moving them or installing them.
+# Sentinel Security Findings
+
+## 2026-03-20 - Hardcoded and Predictable Temporary File Paths
+
+**Vulnerability:** Use of predictable temporary file paths like `/tmp/yq`,
+and downloading executables/archives (`go...tar.gz`, `lsd...deb`) into the
+current working directory.
+
+**Learning:** These paths can be predicted by an attacker to conduct a
+symlink attack or file overwriting, especially when operations like
+`sudo mv /tmp/yq ...` or `sudo dpkg -i ...` are performed, which can lead
+to local privilege escalation. Downloading to `cwd` can also clutter the
+directory or overwrite existing files unintentionally.
+
+**Prevention:** Use `mktemp -d` to securely generate a random, isolated
+temporary directory for downloading and manipulating files before moving
+them or installing them.

🧰 Tools

🪛 GitHub Check: Lint Documentation

[failure] 4-4: Line length
.jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 169] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

---

[failure] 3-3: Line length
.jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 340] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

---

[failure] 2-2: Line length
.jules/sentinel.md:2:81 MD013/line-length Line length [Expected: 80; Actual: 176] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

---

[failure] 1-1: First line in a file should be a top-level heading
.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2024-03-20 - [Hardcoded and..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md

---

[failure] 1-1: Headings should be surrounded by blank lines
.jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2024-03-20 - [Hardcoded and Predictable Temporary File Paths]"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.jules/sentinel.md around lines 1 - 4, Update the sentinel entry to satisfy
markdown lint rules: change the date in the heading from "2024-03-20" to
"2026-03-20", make the first heading a top-level heading by replacing "##" with
"#" for the title line, add a blank line before and after that heading to
satisfy MD022, and wrap long lines in the body (the vulnerability, learning, and
prevention lines) so each line is <=80 characters; refer to the heading text
"Hardcoded and Predictable Temporary File Paths" and the three bullet lines
(Vulnerability, Learning, Prevention) when editing.