From 9a218bd1dfbb45dd326356347af56e9d1745d074 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Sat, 11 Apr 2026 04:59:47 +0000 Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[HIGH]=20Fi?= =?UTF-8?q?x=20insecure=20temporary=20file=20usage=20in=20apt.sh?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 🚨 Severity: HIGH 💡 Vulnerability: Predictable temporary file path `/tmp/yq` used during the download and installation of `yq`. 🎯 Impact: Hardcoding `/tmp/yq` allows a malicious local user to pre-create `/tmp/yq` (e.g., as a symlink or with specific permissions), leading to potential privilege escalation or overriding of arbitrary files when `sudo mv /tmp/yq /usr/local/bin/yq` is executed. 🔧 Fix: Replaced the hardcoded `/tmp/yq` download and move logic with a subshell that creates a secure temporary directory using `mktemp -d` and implements an `EXIT` trap to guarantee cleanup. ✅ Verification: Ran `./build.sh` (ShellCheck passed) and reviewed the patch. Co-authored-by: kidchenko <5432753+kidchenko@users.noreply.github.com> --- .jules/sentinel.md | 15 +++++++++++++++ tools/os_installers/apt.sh | 10 +++++++--- 2 files changed, 22 insertions(+), 3 deletions(-) create mode 100644 .jules/sentinel.md diff --git a/.jules/sentinel.md b/.jules/sentinel.md new file mode 100644 index 0000000..d2b9aa2 --- /dev/null +++ b/.jules/sentinel.md 
@@ -0,0 +1,15 @@ +# Sentinel Journal + +## 2024-04-11 - [Insecure Temporary File Usage for yq Download] + +**Vulnerability:** Predictable temporary file path `/tmp/yq` used during +download and installation in `tools/os_installers/apt.sh`. + +**Learning:** Hardcoding `/tmp/yq` allows a malicious local user to pre-create +`/tmp/yq` (e.g., as a symlink or with specific permissions), leading to potential +privilege escalation or overriding of files when `sudo mv /tmp/yq ...` is +executed. + +**Prevention:** Always use securely generated random directories like +`mktemp -d` and wrap in a subshell with a cleanup trap to prevent local +privilege escalation and symlink attacks. diff --git a/tools/os_installers/apt.sh b/tools/os_installers/apt.sh index 156016b..d233a3e 100644 --- a/tools/os_installers/apt.sh +++ b/tools/os_installers/apt.sh @@ -231,9 +231,13 @@ fi echo "Installing yq..." if ! command -v yq &> /dev/null; then YQ_VERSION="v4.44.6" - wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O /tmp/yq - sudo mv /tmp/yq /usr/local/bin/yq - sudo chmod +x /usr/local/bin/yq + ( + TMP_DIR=$(mktemp -d) + trap 'rm -rf "$TMP_DIR"' EXIT + wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$TMP_DIR/yq" + sudo mv "$TMP_DIR/yq" /usr/local/bin/yq + sudo chmod +x /usr/local/bin/yq + ) fi # Install lsd (LSDeluxe)
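Review bot: the journal heading in `.jules/sentinel.md` is dated `2024-04-11`, but the commit itself is dated 11 Apr 2026, so one of the two is wrong and the entry date should match the commit. The **Prevention** line also stops at `mktemp -d`: the accompanying `apt.sh` hunk still downloads the binary with `wget` and installs it with `sudo` without any integrity check, so it is worth recording here that a private temporary directory only removes the local race on `/tmp`, and that a binary placed in `/usr/local/bin` as root still needs to be verified against a pinned checksum before it is moved there.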
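Review bot: the new subshell in `apt.sh` has no error handling, so unless the script already runs under `set -e` (not visible in this hunk) a failed `mktemp -d` leaves `TMP_DIR` empty, making `wget -O "$TMP_DIR/yq"` attempt to write `/yq`, and a failed download still lets `sudo mv` and `sudo chmod` run. Suggest `TMP_DIR=$(mktemp -d) || exit 1` (the `exit` only leaves the subshell and still fires the `EXIT` trap) and chaining the download into the install with `&&`. The `mv` + `chmod` pair should also become `sudo install -m 0755 "$TMP_DIR/yq" /usr/local/bin/yq`: `mv` keeps the file owned by the invoking user, so `/usr/local/bin/yq` ends up as a user-writable binary on the system path, whereas `install` copies it as root with the mode set in one step. Finally, the download is still installed unverified; checking it against a pinned checksum before the install step closes the gap that the temporary-directory change does not address.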