From 28bfe1598c4c006114aa0ff97a9a50c5622bfc42 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Tue, 7 Apr 2026 04:56:54 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[CRITICAL]?=
 =?UTF-8?q?=20Fix=20predictable=20temp=20file=20and=20CWD=20download=20vul?=
 =?UTF-8?q?nerabilities?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Severity: CRITICAL
Vulnerability: `tools/os_installers/apt.sh` downloaded executables directly to the current working directory or to predictable temporary paths like `/tmp/yq` before moving them with elevated privileges.
Impact: Local attackers could execute a symlink or pre-creation attack against `/tmp/yq`, forcing `sudo mv` to overwrite system files or escalate privileges. Downloading executables directly to the CWD could overwrite local files or execute attacker-controlled binaries.
Fix: Refactored Go, yq, and lsd installations to use isolated temporary directories created by `mktemp -d` within subshells, ensuring safe cleanup via an `EXIT` trap.
Verification: Ran the script logic locally or checked the syntax via `./build.sh lint`. Corrected all `/tmp` and CWD direct downloads. Added sentinel log.
Co-authored-by: kidchenko <5432753+kidchenko@users.noreply.github.com>
---
 .jules/sentinel.md | 4 ++++
 tools/os_installers/apt.sh | 38 ++++++++++++++++++++++++--------------
 2 files changed, 28 insertions(+), 14 deletions(-)
 create mode 100644 .jules/sentinel.md

diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..1bdb551
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2025-04-07 - [Predictable Temp File & CWD Download Vulnerability in Installers]
+**Vulnerability:** Installation scripts (`apt.sh`) downloaded executables to predictable temporary paths (`/tmp/yq`) and directly to the current working directory.
+**Learning:** Using predictable paths like `/tmp/yq` without `mktemp` makes the script vulnerable to symlink attacks or pre-creation attacks, allowing an attacker to overwrite system files or escalate privileges when the script later calls `sudo mv`. Downloading directly to the CWD can lead to overwriting existing files or executing attacker-controlled binaries.
+**Prevention:** Always create isolated, randomly named temporary directories using `mktemp -d` inside a subshell `(...)` and clean them up automatically using a trap (e.g., `trap 'rm -rf "$TMP_DIR"' EXIT`). Download files strictly into this temporary directory.
diff --git a/tools/os_installers/apt.sh b/tools/os_installers/apt.sh
index 156016b..47d79c9 100644
--- a/tools/os_installers/apt.sh
+++ b/tools/os_installers/apt.sh
@@ -204,12 +204,15 @@ fi
 # Install Go
 echo "Installing Go..."
 if ! command -v go &> /dev/null; then
- GO_VERSION="1.23.4"
- wget "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz"
- sudo rm -rf /usr/local/go
- sudo tar -C /usr/local -xzf "go${GO_VERSION}.linux-amd64.tar.gz"
- rm "go${GO_VERSION}.linux-amd64.tar.gz"
- echo "NOTE: Add 'export PATH=\$PATH:/usr/local/go/bin' to your shell profile"
+ (
+ GO_VERSION="1.23.4"
+ TMP_DIR=$(mktemp -d)
+ trap 'rm -rf "$TMP_DIR"' EXIT
+ wget "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" -O "$TMP_DIR/go.tar.gz"
+ sudo rm -rf /usr/local/go
+ sudo tar -C /usr/local -xzf "$TMP_DIR/go.tar.gz"
+ echo "NOTE: Add 'export PATH=\$PATH:/usr/local/go/bin' to your shell profile"
+ )
 fi
 
 # Install Terraform
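Review bot: In the Go block, `sudo rm -rf /usr/local/go` still runs before the download has been checked, so a failed or truncated `wget` removes the existing toolchain and then hands a bad `$TMP_DIR/go.tar.gz` to `sudo tar`; unless the script enables `set -e` above this hunk (not visible here), nothing stops at that point. Fail the subshell on the download first, `wget "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" -O "$TMP_DIR/go.tar.gz" || exit 1`, and only then remove the old tree. Since the commit is about what is trusted to land in `/usr/local`, the archive should also be verified before extraction — Go publishes a SHA-256 alongside each release archive, so a `sha256sum -c` against it (or a digest pinned next to `GO_VERSION`) closes the remaining gap. Two small hardenings on the temp handling: `TMP_DIR=$(mktemp -d) || exit 1` so a failed `mktemp` cannot leave the variable empty, and `trap 'rm -rf -- "${TMP_DIR:?}"' EXIT` so an empty value can never expand to a bare `rm -rf`. The `if` block is complete within the hunk, but the script's `set` options are outside it.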
@@ -230,19 +233,26 @@ fi
 # Install yq
 echo "Installing yq..."
 if ! command -v yq &> /dev/null; then
- YQ_VERSION="v4.44.6"
- wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O /tmp/yq
- sudo mv /tmp/yq /usr/local/bin/yq
- sudo chmod +x /usr/local/bin/yq
+ (
+ YQ_VERSION="v4.44.6"
+ TMP_DIR=$(mktemp -d)
+ trap 'rm -rf "$TMP_DIR"' EXIT
+ wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$TMP_DIR/yq"
+ sudo mv "$TMP_DIR/yq" /usr/local/bin/yq
+ sudo chmod +x /usr/local/bin/yq
+ )
 fi
 
 # Install lsd (LSDeluxe)
 echo "Installing lsd..."
 if ! command -v lsd &> /dev/null; then
- LSD_VERSION="1.1.5"
- wget "https://github.com/lsd-rs/lsd/releases/download/v${LSD_VERSION}/lsd_${LSD_VERSION}_amd64.deb"
- sudo dpkg -i "lsd_${LSD_VERSION}_amd64.deb"
- rm "lsd_${LSD_VERSION}_amd64.deb"
+ (
+ LSD_VERSION="1.1.5"
+ TMP_DIR=$(mktemp -d)
+ trap 'rm -rf "$TMP_DIR"' EXIT
+ wget "https://github.com/lsd-rs/lsd/releases/download/v${LSD_VERSION}/lsd_${LSD_VERSION}_amd64.deb" -O "$TMP_DIR/lsd.deb"
+ sudo dpkg -i "$TMP_DIR/lsd.deb"
+ )
 fi
 
 # Install Tesseract OCR
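Review bot: `sudo mv "$TMP_DIR/yq" /usr/local/bin/yq` preserves the downloaded file's owner, so `/usr/local/bin/yq` ends up owned by the unprivileged user who ran the script, and that user (or anything that compromises their account later) can rewrite a binary that root and every other user execute; the old `/tmp/yq` path had the same property and this commit keeps it. `sudo install -m 0755 "$TMP_DIR/yq" /usr/local/bin/yq` copies the file as root with the intended mode in one step and replaces both the `mv` and the following `chmod`. Neither the yq binary nor the lsd `.deb` is checked against a published checksum before the privileged step, and neither `wget` is checked for failure, so a truncated download still reaches `sudo mv` / `sudo dpkg -i` unless the script enables `set -e` above this hunk (not visible here); at minimum `|| exit 1` on each `wget`, and ideally a `sha256sum -c` against the release's checksum file, belongs before the `sudo` line. Both `if` blocks are complete within the hunk.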