Skip to content

πŸ›‘οΈ Sentinel: [CRITICAL] Fix predictable temp file and CWD download vulnerabilities #82

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
kidchenko wants to merge 1 commit into from
Closed

πŸ›‘οΈ Sentinel: [CRITICAL] Fix predictable temp file and CWD download vulnerabilities #82

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .jules/sentinel.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
## 2025-04-07 - [Predictable Temp File & CWD Download Vulnerability in Installers]

Check failure on line 1 in .jules/sentinel.md

View workflow job for this annotation

GitHub Actions / Lint Documentation

First line in a file should be a top-level heading 

.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2025-04-07 - [Predictable T..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md

Check failure on line 1 in .jules/sentinel.md

View workflow job for this annotation

GitHub Actions / Lint Documentation

Headings should be surrounded by blank lines 

.jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2025-04-07 - [Predictable Temp File & CWD Download Vulnerability in Installers]"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md
**Vulnerability:** Installation scripts (`apt.sh`) downloaded executables to predictable temporary paths (`/tmp/yq`) and directly to the current working directory.

Check failure on line 2 in .jules/sentinel.md

View workflow job for this annotation

GitHub Actions / Lint Documentation

Line length 

.jules/sentinel.md:2:81 MD013/line-length Line length [Expected: 80; Actual: 163] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md
**Learning:** Using predictable paths like `/tmp/yq` without `mktemp` makes the script vulnerable to symlink attacks or pre-creation attacks, allowing an attacker to overwrite system files or escalate privileges when the script later calls `sudo mv`. Downloading directly to the CWD can lead to overwriting existing files or executing attacker-controlled binaries.

Check failure on line 3 in .jules/sentinel.md

View workflow job for this annotation

GitHub Actions / Lint Documentation

Line length 

.jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 364] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md
**Prevention:** Always create isolated, randomly named temporary directories using `mktemp -d` inside a subshell `(...)` and clean them up automatically using a trap (e.g., `trap 'rm -rf "$TMP_DIR"' EXIT`). Download files strictly into this temporary directory.

Check failure on line 4 in .jules/sentinel.md

View workflow job for this annotation

GitHub Actions / Lint Documentation

Line length 

.jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 261] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md
Comment on lines +1 to +4

@coderabbitai coderabbitai Bot Apr 7, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟑 Minor

Fix markdownlint failures blocking docs checks.

Line 1 violates MD041/MD022, and Lines 2-4 violate MD013 (line length). This currently fails the docs lint job.

πŸ“ Proposed markdownlint-compliant rewrite 
-## 2025-04-07 - [Predictable Temp File & CWD Download Vulnerability in Installers]
-**Vulnerability:** Installation scripts (`apt.sh`) downloaded executables to predictable temporary paths (`/tmp/yq`) and directly to the current working directory.
-**Learning:** Using predictable paths like `/tmp/yq` without `mktemp` makes the script vulnerable to symlink attacks or pre-creation attacks, allowing an attacker to overwrite system files or escalate privileges when the script later calls `sudo mv`. Downloading directly to the CWD can lead to overwriting existing files or executing attacker-controlled binaries.
-**Prevention:** Always create isolated, randomly named temporary directories using `mktemp -d` inside a subshell `(...)` and clean them up automatically using a trap (e.g., `trap 'rm -rf "$TMP_DIR"' EXIT`). Download files strictly into this temporary directory.
+# Sentinel Security Learnings
+
+## 2025-04-07 - Predictable Temp File & CWD Download Vulnerability in Installers
+
+**Vulnerability:** Installation scripts (`apt.sh`) downloaded executables to
+predictable temporary paths (for example, `/tmp/yq`) and directly to the
+current working directory.
+
+**Learning:** Using predictable paths like `/tmp/yq` without `mktemp` enables
+symlink/pre-creation attacks, allowing overwrite or privilege escalation when
+the script later runs privileged file moves. CWD downloads can overwrite
+existing files or execute attacker-controlled binaries.
+
+**Prevention:** Create isolated random temp directories with `mktemp -d` inside
+a subshell and clean with `trap 'rm -rf "$TMP_DIR"' EXIT`; download strictly
+inside that temp directory.
πŸ“ Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
## 2025-04-07 - [Predictable Temp File & CWD Download Vulnerability in Installers]
**Vulnerability:** Installation scripts (`apt.sh`) downloaded executables to predictable temporary paths (`/tmp/yq`) and directly to the current working directory.
**Learning:** Using predictable paths like `/tmp/yq` without `mktemp` makes the script vulnerable to symlink attacks or pre-creation attacks, allowing an attacker to overwrite system files or escalate privileges when the script later calls `sudo mv`. Downloading directly to the CWD can lead to overwriting existing files or executing attacker-controlled binaries.
**Prevention:** Always create isolated, randomly named temporary directories using `mktemp -d` inside a subshell `(...)` and clean them up automatically using a trap (e.g., `trap 'rm -rf "$TMP_DIR"' EXIT`). Download files strictly into this temporary directory.
# Sentinel Security Learnings
## 2025-04-07 - Predictable Temp File & CWD Download Vulnerability in Installers
**Vulnerability:** Installation scripts (`apt.sh`) downloaded executables to
predictable temporary paths (for example, `/tmp/yq`) and directly to the
current working directory.
**Learning:** Using predictable paths like `/tmp/yq` without `mktemp` enables
symlink/pre-creation attacks, allowing overwrite or privilege escalation when
the script later runs privileged file moves. CWD downloads can overwrite
existing files or execute attacker-controlled binaries.
**Prevention:** Create isolated random temp directories with `mktemp -d` inside
a subshell and clean with `trap 'rm -rf "$TMP_DIR"' EXIT`; download strictly
inside that temp directory.
🧰 Tools
πŸͺ› GitHub Check: Lint Documentation

[failure] 4-4: Line length
.jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 261] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

[failure] 3-3: Line length
.jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 364] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

[failure] 2-2: Line length
.jules/sentinel.md:2:81 MD013/line-length Line length [Expected: 80; Actual: 163] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

[failure] 1-1: First line in a file should be a top-level heading
.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2025-04-07 - [Predictable T..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md

[failure] 1-1: Headings should be surrounded by blank lines
.jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2025-04-07 - [Predictable Temp File & CWD Download Vulnerability in Installers]"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md

πŸ€– Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In @.jules/sentinel.md around lines 1 - 4, Add a top-level H1 as the file's
first line (to satisfy MD041/MD022) and ensure a blank line after that header,
then reformat the long content lines (the heading and the three paragraph lines
starting with "**Vulnerability:**", "**Learning:**", "**Prevention:**") to wrap
to <=80 characters per line (or whatever the repo's MD013 limit is), using
markdown paragraphs or bulleted lists so each logical sentence is on its own
short line; keep the existing text and headings (e.g., "2025-04-07 -
[Predictable Temp File & CWD Download Vulnerability in Installers]", the
Vulnerability/Learning/Prevention lines) but break them into multiple shorter
lines and ensure proper blank lines between header and content to fix the
markdownlint failures.

38 changes: 24 additions & 14 deletions tools/os_installers/apt.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -204,12 +204,15 @@ fi
# Install Go
echo "Installing Go..."
if ! command -v go &> /dev/null; then
GO_VERSION="1.23.4"
wget "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz"
sudo rm -rf /usr/local/go
sudo tar -C /usr/local -xzf "go${GO_VERSION}.linux-amd64.tar.gz"
rm "go${GO_VERSION}.linux-amd64.tar.gz"
echo "NOTE: Add 'export PATH=\$PATH:/usr/local/go/bin' to your shell profile"
(
GO_VERSION="1.23.4"
TMP_DIR=$(mktemp -d)
trap 'rm -rf "$TMP_DIR"' EXIT
wget "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" -O "$TMP_DIR/go.tar.gz"
sudo rm -rf /usr/local/go
sudo tar -C /usr/local -xzf "$TMP_DIR/go.tar.gz"
echo "NOTE: Add 'export PATH=\$PATH:/usr/local/go/bin' to your shell profile"
Comment on lines +211 to +214

@coderabbitai coderabbitai Bot Apr 7, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

`What are the official checksum/signature verification steps for:

  1. Go 1.23.4 linux-amd64 tarball,
  2. mikefarah/yq v4.44.6 yq_linux_amd64,
  3. lsd-rs/lsd v1.1.5 amd64 .deb?
    Please provide maintainer-published checksum/signature URLs and verification commands.`

πŸ’‘ Result:

1) Go 1.23.4 linux-amd64 tarball (go1.23.4.linux-amd64.tar.gz)

Maintainer-published URLs

  • Tarball: https://go.dev/dl/go1.23.4.linux-amd64.tar.gz (listed on the official downloads page) [1]
  • SHA256 (published on the official downloads page): 6924efde5de86fe277676e929dc9917d466efa02fb934197bc2eba35d5680971 [1]
  • Detached signature (conventionally available alongside the tarball): https://go.dev/dl/go1.23.4.linux-amd64.tar.gz.asc (same filename + .asc)
  • Optional checksum file (commonly available alongside the tarball): https://go.dev/dl/go1.23.4.linux-amd64.tar.gz.sha256

Verification commands

# download
curl -fLO https://go.dev/dl/go1.23.4.linux-amd64.tar.gz
curl -fLO https://go.dev/dl/go1.23.4.linux-amd64.tar.gz.asc

# verify SHA256 (from the official download page)
echo "6924efde5de86fe277676e929dc9917d466efa02fb934197bc2eba35d5680971  go1.23.4.linux-amd64.tar.gz" | sha256sum -c -

# verify OpenPGP signature (requires importing the relevant signing key into your GPG keyring first)
gpg --verify go1.23.4.linux-amd64.tar.gz.asc go1.23.4.linux-amd64.tar.gz

2) mikefarah/yq v4.44.6 (yq_linux_amd64)

Maintainer-published URLs (GitHub release assets)

  • Binary: https://github.com/mikefarah/yq/releases/download/v4.44.6/yq_linux_amd64
  • Checksums file: https://github.com/mikefarah/yq/releases/download/v4.44.6/checksums (this asset name is used by the maintainer in releases) [2]
  • (If present in that release) checksum ordering helper: https://github.com/mikefarah/yq/releases/download/v4.44.6/checksums_hashes_order (also used by the maintainer in releases) [2]
  • (If present in that release) BSD checksums: https://github.com/mikefarah/yq/releases/download/v4.44.6/checksums-bsd [2]

Verification commands (SHA256 via maintainer β€œchecksums” file)

curl -fLO https://github.com/mikefarah/yq/releases/download/v4.44.6/yq_linux_amd64
curl -fLO https://github.com/mikefarah/yq/releases/download/v4.44.6/checksums

# verify the downloaded file against the maintainer-published checksums list
grep -E ' yq_linux_amd64$' checksums | sha256sum -c -

(If the v4.44.6 release also provides signatures such as checksums.asc / checksums.sig, you’d verify them with gpg --verify <sig> <checksums>; the release assets are the authoritative place to confirm whether those signature files exist for that tag.)

3) lsd-rs/lsd v1.1.5 amd64 .deb

Maintainer-published URL (GitHub release asset)

  • .deb asset name used for v1.1.5 includes: lsd-musl_1.1.5_amd64_xz.deb [3]
    Corresponding GitHub asset URL:
    https://github.com/lsd-rs/lsd/releases/download/v1.1.5/lsd-musl_1.1.5_amd64_xz.deb

Checksums/signatures

  • GitHub release pages for lsd-rs/lsd publish a sha256: value per asset (shown for other releases; use the v1.1.5 release page as the maintainer-published source of the expected hash). [4]
  • This project’s GitHub release flow typically provides hashes (via GitHub UI), not a separate maintainer-signed checksum file; if no .asc/.sig asset exists for v1.1.5, you can only do checksum verification (integrity) rather than cryptographic publisher verification (authenticity). [4]

Verification commands (SHA256)

curl -fLO https://github.com/lsd-rs/lsd/releases/download/v1.1.5/lsd-musl_1.1.5_amd64_xz.deb

# Compare this to the SHA256 shown for that asset on the v1.1.5 GitHub release page
sha256sum lsd-musl_1.1.5_amd64_xz.deb

Sources

[1] Go downloads list (includes go1.23.4.linux-amd64.tar.gz and its SHA256) (go.dev)
[2] mikefarah/yq GitHub releases page showing maintainer β€œchecksums” assets naming (checksums, checksums-bsd, checksums_hashes_order) (github.com)
[3] lsd-musl_1.1.5_amd64_xz.deb filename for v1.1.5 (mirrored listing) (sourceforge.net)
[4] lsd-rs/lsd GitHub releases page showing per-asset sha256: publishing pattern (github.com)

Citations:

🏁 Script executed:

cat -n tools/os_installers/apt.sh | sed -n '200,270p'

Repository: kidchenko/dotfiles

Length of output: 3054

🏁 Script executed:

curl -s "https://api.github.com/repos/lsd-rs/lsd/releases/tags/v1.1.5" | jq -r '.assets[] | .name' | grep -E '\.(deb|tar)' 2>/dev/null || echo "Could not fetch GitHub API (may need to verify manually)"

Repository: kidchenko/dotfiles

Length of output: 727

🏁 Script executed:

curl -s "https://api.github.com/repos/lsd-rs/lsd/releases/tags/v1.1.5" | jq -r '.body' | head -50

Repository: kidchenko/dotfiles

Length of output: 1063

🏁 Script executed:

curl -s "https://api.github.com/repos/lsd-rs/lsd/releases/tags/v1.1.5" | jq -r '.assets[] | .name' | grep -iE '(checksum|sig|asc|sha)' || echo "No checksum/signature files found"

Repository: kidchenko/dotfiles

Length of output: 95

Add artifact integrity verification before privileged install.

Lines 211, 240, and 253 download executables/packages and install/extract with sudo without checksum/signature verification, creating a supply-chain integrity gap. Official verification methods exist for all three:

πŸ” Suggested hardening pattern

For Go (lines 211–214):

     wget "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" -O "$TMP_DIR/go.tar.gz"
+    wget "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz.sha256" -O "$TMP_DIR/go.tar.gz.sha256"
+    (cd "$TMP_DIR" && sha256sum -c go.tar.gz.sha256)
     sudo rm -rf /usr/local/go

For yq (line 240):

     wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$TMP_DIR/yq"
+    wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/checksums" -O "$TMP_DIR/checksums"
+    (cd "$TMP_DIR" && grep ' yq_linux_amd64$' checksums | sha256sum -c -)
     sudo mv "$TMP_DIR/yq" /usr/local/bin/yq

For lsd (line 253), manually specify the expected SHA256 or fetch from the GitHub release page:

     wget "https://github.com/lsd-rs/lsd/releases/download/v${LSD_VERSION}/lsd_${LSD_VERSION}_amd64.deb" -O "$TMP_DIR/lsd.deb"
+    echo "<SHA256_from_release_page>  $TMP_DIR/lsd.deb" | sha256sum -c -
     sudo dpkg -i "$TMP_DIR/lsd.deb"
πŸ“ Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
wget "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" -O "$TMP_DIR/go.tar.gz"
sudo rm -rf /usr/local/go
sudo tar -C /usr/local -xzf "$TMP_DIR/go.tar.gz"
echo "NOTE: Add 'export PATH=\$PATH:/usr/local/go/bin' to your shell profile"
wget "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" -O "$TMP_DIR/go.tar.gz"
wget "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz.sha256" -O "$TMP_DIR/go.tar.gz.sha256"
(cd "$TMP_DIR" && sha256sum -c go.tar.gz.sha256)
sudo rm -rf /usr/local/go
sudo tar -C /usr/local -xzf "$TMP_DIR/go.tar.gz"
echo "NOTE: Add 'export PATH=\$PATH:/usr/local/go/bin' to your shell profile"
πŸ€– Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@tools/os_installers/apt.sh` around lines 211 - 214, The installer downloads
and installs privileged artifacts (the Go tarball fetched with wget
"https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" and the yq and lsd
artifacts at the other download sites) without verifying integrity; update the
flow so each download is verified before running sudo install/extract: for the
Go download (variable GO_VERSION and "$TMP_DIR/go.tar.gz") fetch the
corresponding .asc GPG signature and/or SHA256 from the official page and verify
the tarball (import/verifying with the Go release GPG key or compare SHA256),
and only then run sudo tar -C /usr/local -xzf "$TMP_DIR/go.tar.gz"; do the same
for the yq and lsd downloads by obtaining their published checksums (or
hardcoding the expected SHA256 for lsd), verify the downloaded files in the
TMP_DIR before any sudo mv/tar/install steps, and fail the script with a clear
error if verification does not pass.

)
fi

# Install Terraform
Expand All @@ -230,19 +233,26 @@ fi
# Install yq
echo "Installing yq..."
if ! command -v yq &> /dev/null; then
YQ_VERSION="v4.44.6"
wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O /tmp/yq
sudo mv /tmp/yq /usr/local/bin/yq
sudo chmod +x /usr/local/bin/yq
(
YQ_VERSION="v4.44.6"
TMP_DIR=$(mktemp -d)
trap 'rm -rf "$TMP_DIR"' EXIT
wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$TMP_DIR/yq"
sudo mv "$TMP_DIR/yq" /usr/local/bin/yq
sudo chmod +x /usr/local/bin/yq
)
fi

# Install lsd (LSDeluxe)
echo "Installing lsd..."
if ! command -v lsd &> /dev/null; then
LSD_VERSION="1.1.5"
wget "https://github.com/lsd-rs/lsd/releases/download/v${LSD_VERSION}/lsd_${LSD_VERSION}_amd64.deb"
sudo dpkg -i "lsd_${LSD_VERSION}_amd64.deb"
rm "lsd_${LSD_VERSION}_amd64.deb"
(
LSD_VERSION="1.1.5"
TMP_DIR=$(mktemp -d)
trap 'rm -rf "$TMP_DIR"' EXIT
wget "https://github.com/lsd-rs/lsd/releases/download/v${LSD_VERSION}/lsd_${LSD_VERSION}_amd64.deb" -O "$TMP_DIR/lsd.deb"
sudo dpkg -i "$TMP_DIR/lsd.deb"
)
fi

# Install Tesseract OCR
Expand Down
Loading