4 changes: 4 additions & 0 deletions .jules/sentinel.md
@@ -0,0 +1,4 @@
## 2024-03-20 - [Hardcoded and Predictable Temporary File Paths]
**Vulnerability:** Use of predictable temporary file paths like `/tmp/yq`, and downloading executables/archives (`go...tar.gz`, `lsd...deb`) into the current working directory.
**Learning:** These paths can be predicted by an attacker to conduct a symlink attack or file overwriting, especially when operations like `sudo mv /tmp/yq ...` or `sudo dpkg -i ...` are performed, which can lead to local privilege escalation. Downloading to `cwd` can also clutter the directory or overwrite existing files unintentionally.
**Prevention:** Use `mktemp -d` to securely generate a random, isolated temporary directory for downloading and manipulating files before moving them or installing them.
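Review bot: the Prevention line stops short of the full mitigation for the problem the Learning line describes. A random directory from `mktemp -d` does close the symlink race behind `sudo mv /tmp/yq ...` and `sudo dpkg -i ...`, but the entry still ends with an unverified download being installed as root. Worth recording alongside it: verify the artifact's checksum or signature before the privileged `mv`, `tar` or `dpkg -i`; check `mktemp -d` for failure so an empty `tmp_dir` does not make `"${tmp_dir}/file"` resolve to the filesystem root; and remove the directory on error paths (a `trap ... EXIT`) rather than only after success. Separately, the Lint Documentation check fails on this file (MD041, MD022, MD013), so the entry needs a top-level heading, blank lines around the heading and wrapped lines before it can merge.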
Comment on lines +1 to +4
⚠️ Potential issue | 🟡 Minor

Fix linting issues flagged by static analysis.

The documentation content is accurate, but there are several markdown lint failures:

  1. Line 1: Date appears incorrect - should be 2026-03-20 based on PR creation date
  2. MD041: First line should be a top-level heading (# not ##)
  3. MD022: Heading should be surrounded by blank lines
  4. MD013: Lines 2-4 exceed the 80-character limit
πŸ“ Proposed fix for linting issues
-## 2024-03-20 - [Hardcoded and Predictable Temporary File Paths]
-**Vulnerability:** Use of predictable temporary file paths like `/tmp/yq`, and downloading executables/archives (`go...tar.gz`, `lsd...deb`) into the current working directory.
-**Learning:** These paths can be predicted by an attacker to conduct a symlink attack or file overwriting, especially when operations like `sudo mv /tmp/yq ...` or `sudo dpkg -i ...` are performed, which can lead to local privilege escalation. Downloading to `cwd` can also clutter the directory or overwrite existing files unintentionally.
-**Prevention:** Use `mktemp -d` to securely generate a random, isolated temporary directory for downloading and manipulating files before moving them or installing them.
+# Sentinel Security Findings
+
+## 2026-03-20 - Hardcoded and Predictable Temporary File Paths
+
+**Vulnerability:** Use of predictable temporary file paths like `/tmp/yq`,
+and downloading executables/archives (`go...tar.gz`, `lsd...deb`) into the
+current working directory.
+
+**Learning:** These paths can be predicted by an attacker to conduct a
+symlink attack or file overwriting, especially when operations like
+`sudo mv /tmp/yq ...` or `sudo dpkg -i ...` are performed, which can lead
+to local privilege escalation. Downloading to `cwd` can also clutter the
+directory or overwrite existing files unintentionally.
+
+**Prevention:** Use `mktemp -d` to securely generate a random, isolated
+temporary directory for downloading and manipulating files before moving
+them or installing them.
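Review bot: the proposed fix changes more than the lint complaints cover. It rewrites the date to 2026-03-20 on the basis of the PR creation date alone, drops the square brackets around the entry title, and adds a `# Sentinel Security Findings` heading whose wording is the suggestion's own choice (MD041 only requires that some top-level heading come first). The date should be confirmed against when the finding was actually recorded before it is changed, and the title and heading conventions should follow whatever format other entries in `.jules/sentinel.md` use, so that this file stays consistent with how the sentinel tooling appends to it.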
🧰 Tools
🪛 GitHub Check: Lint Documentation

[failure] 4-4: Line length
.jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 169] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md


[failure] 3-3: Line length
.jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 340] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md


[failure] 2-2: Line length
.jules/sentinel.md:2:81 MD013/line-length Line length [Expected: 80; Actual: 176] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md


[failure] 1-1: First line in a file should be a top-level heading
.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2024-03-20 - [Hardcoded and..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md


[failure] 1-1: Headings should be surrounded by blank lines
.jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2024-03-20 - [Hardcoded and Predictable Temporary File Paths]"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.jules/sentinel.md around lines 1 - 4, Update the sentinel entry to satisfy
markdown lint rules: change the date in the heading from "2024-03-20" to
"2026-03-20", make the first heading a top-level heading by replacing "##" with
"#" for the title line, add a blank line before and after that heading to
satisfy MD022, and wrap long lines in the body (the vulnerability, learning, and
prevention lines) so each line is <=80 characters; refer to the heading text
"Hardcoded and Predictable Temporary File Paths" and the three bullet lines
(Vulnerability, Learning, Prevention) when editing.

20 changes: 12 additions & 8 deletions tools/os_installers/apt.sh
@@ -205,10 +205,11 @@ fi
echo "Installing Go..."
if ! command -v go &> /dev/null; then
GO_VERSION="1.23.4"
wget "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz"
tmp_dir=$(mktemp -d)
wget "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" -O "${tmp_dir}/go${GO_VERSION}.linux-amd64.tar.gz"
sudo rm -rf /usr/local/go
sudo tar -C /usr/local -xzf "go${GO_VERSION}.linux-amd64.tar.gz"
rm "go${GO_VERSION}.linux-amd64.tar.gz"
sudo tar -C /usr/local -xzf "${tmp_dir}/go${GO_VERSION}.linux-amd64.tar.gz"
rm -rf "${tmp_dir}"
echo "NOTE: Add 'export PATH=\$PATH:/usr/local/go/bin' to your shell profile"
fi

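Review bot: `tmp_dir=$(mktemp -d)` is unchecked and the cleanup `rm -rf "${tmp_dir}"` runs only on the success path. If `mktemp` fails, `tmp_dir` is empty and the `-O "${tmp_dir}/go${GO_VERSION}.linux-amd64.tar.gz"` target becomes a file in the filesystem root; if `wget` fails and the script does not run with `set -e` (not visible in this hunk), `sudo rm -rf /usr/local/go` still deletes the existing toolchain before `sudo tar` fails on a missing archive, and the temp directory is left behind. Suggest `tmp_dir=$(mktemp -d) || exit 1`, `trap 'rm -rf "$tmp_dir"' EXIT`, and a failure check on the download before the destructive `rm -rf`. The random directory fixes the predictable-path issue the sentinel entry records, but `sudo tar -C /usr/local -xzf` still unpacks an unverified archive as root; the Go download page publishes SHA256 sums for each tarball, so a `sha256sum -c` against the pinned value for `GO_VERSION` before that step would close the remaining gap.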
@@ -231,18 +232,21 @@ fi
echo "Installing yq..."
if ! command -v yq &> /dev/null; then
YQ_VERSION="v4.44.6"
wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O /tmp/yq
sudo mv /tmp/yq /usr/local/bin/yq
tmp_dir=$(mktemp -d)
wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "${tmp_dir}/yq"
sudo mv "${tmp_dir}/yq" /usr/local/bin/yq
sudo chmod +x /usr/local/bin/yq
rm -rf "${tmp_dir}"
fi

# Install lsd (LSDeluxe)
echo "Installing lsd..."
if ! command -v lsd &> /dev/null; then
LSD_VERSION="1.1.5"
wget "https://github.com/lsd-rs/lsd/releases/download/v${LSD_VERSION}/lsd_${LSD_VERSION}_amd64.deb"
sudo dpkg -i "lsd_${LSD_VERSION}_amd64.deb"
rm "lsd_${LSD_VERSION}_amd64.deb"
tmp_dir=$(mktemp -d)
wget "https://github.com/lsd-rs/lsd/releases/download/v${LSD_VERSION}/lsd_${LSD_VERSION}_amd64.deb" -O "${tmp_dir}/lsd_${LSD_VERSION}_amd64.deb"
sudo dpkg -i "${tmp_dir}/lsd_${LSD_VERSION}_amd64.deb"
rm -rf "${tmp_dir}"
fi

# Install Tesseract OCR
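Review bot: the yq and lsd blocks repeat the pattern from the Go block, including its weaknesses: `tmp_dir=$(mktemp -d)` is not checked, the same `tmp_dir` variable is reused without a `trap`, and `rm -rf "${tmp_dir}"` only runs when every preceding command succeeds, so a failed `wget` leaves a directory behind and, without `set -e`, the following `sudo mv "${tmp_dir}/yq" /usr/local/bin/yq` or `sudo dpkg -i` runs against a missing file. Suggest factoring the three downloads into one helper that does `tmp_dir=$(mktemp -d) || exit 1`, sets `trap 'rm -rf "$tmp_dir"' EXIT`, and aborts on a failed download. Both installs still place an unverified binary or package on the system as root: `yq_linux_amd64` is moved straight into `/usr/local/bin` and `sudo chmod +x` applied, and the `.deb` is handed to `dpkg -i`. The yq release assets include a checksums file, so the pinned `YQ_VERSION` binary can be verified with `sha256sum -c` before the `sudo mv`; the lsd package should get an equivalent check from its release page before `dpkg -i`.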