From c3703cf76e51063f32ee517c9069bcdf00544dc4 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Thu, 16 Apr 2026 05:10:17 +0000 Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[HIGH]=20Fi?= =?UTF-8?q?x=20insecure=20temporary=20download=20paths=20in=20apt.sh?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replaced hardcoded `/tmp/...` paths and current directory downloads with securely generated temporary directories (`mktemp -d`) in `tools/os_installers/apt.sh`. Co-authored-by: kidchenko <5432753+kidchenko@users.noreply.github.com> --- .jules/sentinel.md | 16 ++++++++++++++++ tools/os_installers/apt.sh | 38 ++++++++++++++++++++++++-------------- 2 files changed, 40 insertions(+), 14 deletions(-) create mode 100644 .jules/sentinel.md diff --git a/.jules/sentinel.md b/.jules/sentinel.md new file mode 100644 index 0000000..8cfef1b --- /dev/null +++ b/.jules/sentinel.md @@ -0,0 +1,16 @@ +# Sentinel Security Journal + +## 2026-04-16 - Prevent TOCTOU and Symlink Attacks via Insecure Temporary Directories + +**Vulnerability:** Shell scripts were downloading executable artifacts directly +to predictable temporary paths like `/tmp/yq` or the current working directory, +which risks local privilege escalation, symlink attacks, and overwriting +existing files when executed with elevated privileges (`sudo`). +**Learning:** Hardcoded temporary paths (`/tmp/...`) are insecure and +susceptible to symlink hijacking by local attackers. Additionally, downloading +directly to the current directory is poor practice and pollutes the workspace +or risks naming collisions. +**Prevention:** Always use securely generated random directories (e.g., +`TMP_DIR=$(mktemp -d)`) wrapped in a subshell `(...)` and paired with a local +trap (`trap 'rm -rf "$TMP_DIR"' EXIT`) to ensure isolation and automatic +cleanup upon exit. diff --git a/tools/os_installers/apt.sh b/tools/os_installers/apt.sh index 156016b..5f2b2df 100644 --- a/tools/os_installers/apt.sh +++ b/tools/os_installers/apt.sh @@ -204,12 +204,15 @@ fi # Install Go echo "Installing Go..." if ! command -v go &> /dev/null; then - GO_VERSION="1.23.4" - wget "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" - sudo rm -rf /usr/local/go - sudo tar -C /usr/local -xzf "go${GO_VERSION}.linux-amd64.tar.gz" - rm "go${GO_VERSION}.linux-amd64.tar.gz" - echo "NOTE: Add 'export PATH=\$PATH:/usr/local/go/bin' to your shell profile" + ( + TMP_DIR=$(mktemp -d) + trap 'rm -rf "$TMP_DIR"' EXIT + GO_VERSION="1.23.4" + wget "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" -O "$TMP_DIR/go${GO_VERSION}.linux-amd64.tar.gz" + sudo rm -rf /usr/local/go + sudo tar -C /usr/local -xzf "$TMP_DIR/go${GO_VERSION}.linux-amd64.tar.gz" + echo "NOTE: Add 'export PATH=\$PATH:/usr/local/go/bin' to your shell profile" + ) fi # Install Terraform @@ -230,19 +233,26 @@ fi # Install yq echo "Installing yq..." if ! command -v yq &> /dev/null; then - YQ_VERSION="v4.44.6" - wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O /tmp/yq - sudo mv /tmp/yq /usr/local/bin/yq - sudo chmod +x /usr/local/bin/yq + ( + TMP_DIR=$(mktemp -d) + trap 'rm -rf "$TMP_DIR"' EXIT + YQ_VERSION="v4.44.6" + wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$TMP_DIR/yq" + sudo mv "$TMP_DIR/yq" /usr/local/bin/yq + sudo chmod +x /usr/local/bin/yq + ) fi # Install lsd (LSDeluxe) echo "Installing lsd..." if ! command -v lsd &> /dev/null; then - LSD_VERSION="1.1.5" - wget "https://github.com/lsd-rs/lsd/releases/download/v${LSD_VERSION}/lsd_${LSD_VERSION}_amd64.deb" - sudo dpkg -i "lsd_${LSD_VERSION}_amd64.deb" - rm "lsd_${LSD_VERSION}_amd64.deb" + ( + TMP_DIR=$(mktemp -d) + trap 'rm -rf "$TMP_DIR"' EXIT + LSD_VERSION="1.1.5" + wget "https://github.com/lsd-rs/lsd/releases/download/v${LSD_VERSION}/lsd_${LSD_VERSION}_amd64.deb" -O "$TMP_DIR/lsd_${LSD_VERSION}_amd64.deb" + sudo dpkg -i "$TMP_DIR/lsd_${LSD_VERSION}_amd64.deb" + ) fi # Install Tesseract OCR