15 changes: 15 additions & 0 deletions .jules/sentinel.md
@@ -0,0 +1,15 @@
# Sentinel Journal

## 2024-04-11 - [Insecure Temporary File Usage for yq Download]

⚠️ Potential issue | 🟡 Minor

Fix the journal date to match this PR event.

The entry says 2024-04-11, but this PR is from 2026-04-11. Please correct the date to avoid audit/history confusion.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.jules/sentinel.md at line 3, The journal entry header "## 2024-04-11 -
[Insecure Temporary File Usage for yq Download]" has the wrong year; update that
header to "## 2026-04-11 - [Insecure Temporary File Usage for yq Download]" so
the sentinel.md date matches this PR event and preserves accurate audit history.


**Vulnerability:** Predictable temporary file path `/tmp/yq` used during
download and installation in `tools/os_installers/apt.sh`.

**Learning:** Hardcoding `/tmp/yq` allows a malicious local user to pre-create
`/tmp/yq` (e.g., as a symlink or with specific permissions), leading to potential
privilege escalation or overriding of files when `sudo mv /tmp/yq ...` is
executed.

**Prevention:** Always use securely generated random directories like
`mktemp -d` and wrap in a subshell with a cleanup trap to prevent local
privilege escalation and symlink attacks.
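Review bot: The Prevention paragraph names `mktemp -d` but not the two properties that actually defeat the pre-creation described under Learning: the directory is created with mode 0700, so other local users cannot plant a file or symlink inside it, and its location is taken from `$TMPDIR` when that is set, so the guarantee only holds when the installer trusts its environment. Both are worth recording in the journal, together with the fact that this change still does not verify the downloaded binary, so the entry should not read as if the yq install is now fully hardened.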
10 changes: 7 additions & 3 deletions tools/os_installers/apt.sh
@@ -231,9 +231,13 @@ fi
echo "Installing yq..."
if ! command -v yq &> /dev/null; then
YQ_VERSION="v4.44.6"
wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O /tmp/yq
sudo mv /tmp/yq /usr/local/bin/yq
sudo chmod +x /usr/local/bin/yq
(
TMP_DIR=$(mktemp -d)
trap 'rm -rf "$TMP_DIR"' EXIT
wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$TMP_DIR/yq"
sudo mv "$TMP_DIR/yq" /usr/local/bin/yq
sudo chmod +x /usr/local/bin/yq
Comment on lines +237 to +239

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify whether the yq install flow includes integrity verification primitives.
rg -n -C3 'yq/releases/download|sha256sum|shasum|gpg|cosign' tools/os_installers/apt.sh

Repository: kidchenko/dotfiles

Length of output: 2629


🏁 Script executed:

# Check for any sha256 or sig file handling in the yq install block
rg -n -B10 -A5 'yq_linux_amd64' tools/os_installers/apt.sh

Repository: kidchenko/dotfiles

Length of output: 577


🏁 Script executed:

# Also check if there's a separate verification step after the download
rg -n -B2 -A10 'YQ_VERSION' tools/os_installers/apt.sh

Repository: kidchenko/dotfiles

Length of output: 715


Add integrity verification before privileged install of yq.

The script downloads an executable and installs it with sudo without checksum or signature validation. A compromised release artifact would be installed as root. While other tools in this script (GitHub CLI, Docker, Yarn, Terraform) use GPG key verification, yq bypasses this security practice. Add SHA256 verification before the privileged install:

Suggested hardening patch
 if ! command -v yq &> /dev/null; then
     YQ_VERSION="v4.44.6"
+    YQ_SHA256="<pin-sha256-for-yq_linux_amd64>"
     (
         TMP_DIR=$(mktemp -d)
         trap 'rm -rf "$TMP_DIR"' EXIT
         wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$TMP_DIR/yq"
+        echo "${YQ_SHA256}  $TMP_DIR/yq" | sha256sum -c -
         sudo mv "$TMP_DIR/yq" /usr/local/bin/yq
         sudo chmod +x /usr/local/bin/yq
     )
 fi
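Review bot: The exit status of the added `echo "${YQ_SHA256}  $TMP_DIR/yq" | sha256sum -c -` line is never acted on: unless apt.sh runs under `set -e`, which this hunk does not show, a mismatch only prints `FAILED` and `sudo mv` still runs. Make the check fail closed, e.g. `echo "${YQ_SHA256}  $TMP_DIR/yq" | sha256sum -c - || exit 1`, so the subshell aborts before the privileged steps; with that guard the `<pin-sha256-for-yq_linux_amd64>` placeholder also refuses to install instead of being skipped over.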
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@tools/os_installers/apt.sh` around lines 237 - 239, The download/install of
yq (using YQ_VERSION and TMP_DIR to write /usr/local/bin/yq) lacks integrity
verification before running sudo mv/chmod; add SHA256 verification by obtaining
a trusted checksum (e.g. a YQ_SHA256 variable or downloading the release
checksum alongside the binary), compute the downloaded file's sha256 (using
sha256sum or shasum -a 256) and compare it to the expected value, abort with a
clear error if the check fails, and only run sudo mv /usr/local/bin/yq and sudo
chmod +x after the checksum passes.

)
fi

# Install lsd (LSDeluxe)
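Review bot: Two points on the new subshell. First, `sudo mv` followed by `sudo chmod +x` leaves /usr/local/bin/yq owned by the unprivileged user who ran wget (rename keeps the inode's owner, and mv run as root preserves ownership when it has to copy across filesystems), so the file can later be rewritten without sudo; `sudo install -m 0755 "$TMP_DIR/yq" /usr/local/bin/yq` replaces both lines and yields a root-owned 0755 file. Second, nothing in the subshell stops on a failed download: if wget fails, `sudo mv` still runs against an empty or partial file. Chain the steps (`wget ... || exit 1`) so the privileged commands only run after a successful download.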
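The download, verify and install flow the review comments ask for, written out as an added example; it is not code from kidchenko/dotfiles or from the review tooling. It generalises the PR's pattern: the fetch step is a caller-supplied shell function (so the logic can be exercised offline), the checksum comparison fails closed, and `install -m 0755` replaces the `mv` plus `chmod` pair. The names `install_verified`, `verify_sha256` and `fetch_yq`, the `SUDO` variable and the checksum placeholder are this example's assumptions, as is GNU coreutils.

```shell
#!/bin/sh
# Added example, not kidchenko/dotfiles code. Assumes GNU coreutils
# (sha256sum, mktemp, install). Function and variable names are hypothetical.

# verify_sha256 FILE EXPECTED_HEX
#   Returns 0 only when FILE's SHA-256 equals EXPECTED_HEX (case-insensitive).
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256sum "$file" | cut -d' ' -f1)   # output is "<hex>  <name>"
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# install_verified FETCH_FN EXPECTED_HEX DEST
#   FETCH_FN is a shell function that writes the artifact to the path it is
#   given as $1. Work happens in a fresh mktemp -d (mode 0700) that is removed
#   when the subshell exits, and DEST is untouched until the checksum passes.
#   Set SUDO=sudo when DEST needs root (e.g. /usr/local/bin).
install_verified() {
    fetch_fn=$1
    expected=$2
    dest=$3
    (
        tmp_dir=$(mktemp -d) || exit 1
        trap 'rm -rf "$tmp_dir"' EXIT
        "$fetch_fn" "$tmp_dir/artifact" || {
            echo "download of $dest failed; nothing installed" >&2
            exit 1
        }
        verify_sha256 "$tmp_dir/artifact" "$expected" || {
            echo "checksum mismatch for $dest; refusing to install" >&2
            exit 1
        }
        # install(1) creates DEST with the requested mode, owned by the invoking
        # user (root under sudo), in one step; mv + chmod would leave it owned
        # by whoever ran the download.
        ${SUDO:-} install -m 0755 "$tmp_dir/artifact" "$dest"
    )
}

# Real use, matching the yq release the PR pins (not executed here):
YQ_VERSION="v4.44.6"
fetch_yq() {
    wget -q "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$1"
}
# SUDO=sudo install_verified fetch_yq "<pin-sha256-for-yq_linux_amd64>" /usr/local/bin/yq
```

Because the comparison is a plain string equality, the unreplaced `<pin-sha256-for-yq_linux_amd64>` placeholder never matches, so committing it by mistake makes the install refuse rather than silently proceed. Uppercase hex from a vendor checksum file is accepted, and a failed fetch or mismatch leaves `DEST` untouched.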