Merged
16 changes: 16 additions & 0 deletions .jules/sentinel.md
@@ -0,0 +1,16 @@
# Sentinel Security Journal

## 2026-04-16 - Prevent TOCTOU and Symlink Attacks via Insecure Temporary Directories

**Vulnerability:** Shell scripts were downloading executable artifacts directly
to predictable temporary paths like `/tmp/yq` or the current working directory,
which risks local privilege escalation, symlink attacks, and overwriting
existing files when executed with elevated privileges (`sudo`).
**Learning:** Hardcoded temporary paths (`/tmp/...`) are insecure and
susceptible to symlink hijacking by local attackers. Additionally, downloading
directly to the current directory is poor practice and pollutes the workspace
or risks naming collisions.
**Prevention:** Always use securely generated random directories (e.g.,
`TMP_DIR=$(mktemp -d)`) wrapped in a subshell `(...)` and paired with a local
trap (`trap 'rm -rf "$TMP_DIR"' EXIT`) to ensure isolation and automatic
cleanup upon exit.
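Review bot: the Prevention paragraph presents `mktemp -d` plus a subshell trap as the whole fix, but the property the entry relies on (no other local user can replace the staged file before `sudo` consumes it) comes from the directory being created mode 0700 and owned by the caller, which the text never states; spell that out so the next reader does not reach for `mktemp -d -p .` or a shared directory. The entry should also say what this control does not do: it gives no assurance about the content of the download, and the Go and yq blocks changed in this PR still hand unverified files to `sudo tar` and `sudo mv`. A one-line "pin and check a SHA-256 before the privileged step" under Prevention would make the journal entry match the actual risk of installing a fetched binary as root.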
38 changes: 24 additions & 14 deletions tools/os_installers/apt.sh
@@ -204,12 +204,15 @@ fi
# Install Go
echo "Installing Go..."
if ! command -v go &> /dev/null; then
GO_VERSION="1.23.4"
wget "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz"
sudo rm -rf /usr/local/go
sudo tar -C /usr/local -xzf "go${GO_VERSION}.linux-amd64.tar.gz"
rm "go${GO_VERSION}.linux-amd64.tar.gz"
echo "NOTE: Add 'export PATH=\$PATH:/usr/local/go/bin' to your shell profile"
(
TMP_DIR=$(mktemp -d)
trap 'rm -rf "$TMP_DIR"' EXIT
GO_VERSION="1.23.4"
wget "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" -O "$TMP_DIR/go${GO_VERSION}.linux-amd64.tar.gz"
sudo rm -rf /usr/local/go
sudo tar -C /usr/local -xzf "$TMP_DIR/go${GO_VERSION}.linux-amd64.tar.gz"
Comment on lines +211 to +213
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

What are the official checksum/signature verification instructions for: Go 1.23.4 linux-amd64 tarball, mikefarah/yq v4.44.6 yq_linux_amd64, and lsd-rs/lsd v1.1.5 amd64.deb?

💡 Result:

Go 1.23.4 linux-amd64 tarball: No evidence found of Go 1.23.4 release as of 2026-04-16; current stable versions are around 1.26.x per https://go.dev/dl/. Check https://go.dev/dl/ for SHA256 checksum listed in table for go1.23.4.linux-amd64.tar.gz if released, or download go1.23.4.linux-amd64.tar.gz.sha256 from storage.googleapis.com/golang/. mikefarah/yq v4.44.6 yq_linux_amd64: Download from https://github.com/mikefarah/yq/releases/tag/v4.44.6. Download 'checksums' and 'checksums_hashes_order' files. Use extract-checksum.sh script: ./extract-checksum.sh SHA-256 yq_linux_amd64 | sha256sum -c. For signature (recent releases): cosign verify-blob --bundle checksums.bundle checksums (install cosign first). lsd-rs/lsd v1.1.5 amd64.deb: Download lsd_1.1.5_amd64.deb from https://github.com/lsd-rs/lsd/releases/tag/v1.1.5. No official checksums or signatures provided in release assets or docs; verify via GitHub release integrity or compute your own SHA256.

🏁 Script executed:

sed -n '205,260p' tools/os_installers/apt.sh

Repository: kidchenko/dotfiles

Length of output: 2070


Add artifact integrity verification before privileged install steps for Go and yq.

Downloads are installed via sudo without checksum/signature verification. A compromised release artifact would be executed as root.

Go 1.23.4 and yq v4.44.6 have official checksums available and should be verified before installation:

  • Go: SHA256 checksum available at https://go.dev/dl/ or download go1.23.4.linux-amd64.tar.gz.sha256
  • yq: Checksums available in GitHub release assets; use the provided checksums file with sha256sum -c or cosign verify-blob for signature verification
πŸ” Suggested hardening pattern (Go example)
 (
     TMP_DIR=$(mktemp -d)
     trap 'rm -rf "$TMP_DIR"' EXIT
     GO_VERSION="1.23.4"
+    GO_SHA256="<official_sha256_from_go.dev>"
     wget "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" -O "$TMP_DIR/go${GO_VERSION}.linux-amd64.tar.gz"
+    echo "${GO_SHA256}  $TMP_DIR/go${GO_VERSION}.linux-amd64.tar.gz" | sha256sum -c -
     sudo rm -rf /usr/local/go
     sudo tar -C /usr/local -xzf "$TMP_DIR/go${GO_VERSION}.linux-amd64.tar.gz"
 )

Apply similar verification to yq release assets.

Note: lsd v1.1.5 does not provide official checksums or signatures in release assets. Consider verifying via GitHub release integrity or evaluating if signature verification is available elsewhere before sudo dpkg -i.

Also applies to lines 240-242 (yq), 253-254 (lsd).

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@tools/os_installers/apt.sh` around lines 211 - 213, The install steps
download Go and yq into TMP_DIR using wget and then run privileged installs (tar
into /usr/local and dpkg -i for yq/lsd); modify the sequence in the functions or
script block that uses GO_VERSION, TMP_DIR and the yq download lines to first
fetch the corresponding checksum/signature artifact (Go .sha256 or
go<version>.linux-amd64.tar.gz.sha256 and yq's checksums/signature), verify the
downloaded file with sha256sum -c (or cosign verify-blob if a signature is
available) and only proceed to sudo tar -C /usr/local -xzf
"$TMP_DIR/go${GO_VERSION}.linux-amd64.tar.gz" or sudo dpkg -i for yq/lsd when
verification succeeds; for lsd note that no official checksum may exist so
either skip privileged install until integrity method is available or validate
via GitHub release provenance before invoking sudo dpkg -i.

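The comment above shows the `sha256sum -c` check for Go as a diff fragment. The helper below is an added example, not code from the kidchenko/dotfiles repository or from the review bot, that carries the same pattern through end to end: stage the artifact in a private `mktemp -d` directory, verify a pinned SHA-256, and only then place it with `install(1)`, which sets mode and (under `sudo`) root ownership in one step. It assumes a local file stands in for the `wget -O` download so it runs offline, that `sha256sum`, `awk` and `install` from coreutils are present, and that the caller supplies the expected hash copied from the vendor's published checksum list; the function names and the `dest`/`mode` parameters are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not the dotfiles project's code): stage, verify, then install.
set -u

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when FILE hashes to EXPECTED_HEX, 1 otherwise.
verify_sha256() {
    local file="$1" expected="$2" actual
    actual=$(sha256sum "$file" | awk '{print $1}') || return 1
    [ "$actual" = "$expected" ]
}

# install_verified SRC EXPECTED_HEX DEST [MODE]
# SRC stands in for the downloaded file (the wget -O target in apt.sh) and
# EXPECTED_HEX is the hash pinned by the caller from the vendor's checksum
# list (assumed inputs). The artifact never reaches DEST unless the hash
# matches, and the staging directory is removed by the EXIT trap on every
# path out of the subshell, success or failure.
install_verified() {
    local src="$1" expected="$2" dest="$3" mode="${4:-0755}"
    (
        tmp_dir=$(mktemp -d) || exit 1   # mode 0700, owned by the caller
        trap 'rm -rf "$tmp_dir"' EXIT
        # Real script: wget "$url" -O "$tmp_dir/artifact" || exit 1
        cp "$src" "$tmp_dir/artifact" || exit 1
        if ! verify_sha256 "$tmp_dir/artifact" "$expected"; then
            echo "SHA-256 mismatch for $src; refusing to install to $dest" >&2
            exit 1
        fi
        # install(1) creates DEST with the requested mode; run under sudo it
        # also makes the file root-owned, so no separate chmod/chown is needed.
        install -m "$mode" "$tmp_dir/artifact" "$dest"
    )
}

# Usage in an installer (hash value is a placeholder to be filled from the
# release's checksums file, not a real digest):
#   sudo -v && install_verified "$TMP_DIR/yq" "$YQ_SHA256" /usr/local/bin/yq
```

In apt.sh the `install` line would be prefixed with `sudo`; everything before it runs unprivileged, so a mismatch is detected before any root action. Because the check happens on the file inside the 0700 staging directory and `install` reads that same path, there is no window for another local user to swap the verified bytes.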
echo "NOTE: Add 'export PATH=\$PATH:/usr/local/go/bin' to your shell profile"
)
fi

# Install Terraform
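Review bot: `sudo rm -rf /usr/local/go` runs right after the `wget` line with no check that the download succeeded, so a network error or 404 deletes the existing Go toolchain and the following `sudo tar` then fails on a missing or partial file, leaving the machine with no Go at all. Unless the script runs under `set -e` (not visible in this hunk), guard the download, for example `wget ... -O "$TMP_DIR/go${GO_VERSION}.linux-amd64.tar.gz" || exit 1` inside the subshell, and note that this only stops the block, not the parent script, so the caller should still check the subshell's status or chain the three privileged steps with `&&`. Ordering the verification of the tarball before the `rm -rf` (as the comment above suggests) removes this failure mode as a side effect.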
@@ -230,19 +233,26 @@ fi
# Install yq
echo "Installing yq..."
if ! command -v yq &> /dev/null; then
YQ_VERSION="v4.44.6"
wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O /tmp/yq
sudo mv /tmp/yq /usr/local/bin/yq
sudo chmod +x /usr/local/bin/yq
(
TMP_DIR=$(mktemp -d)
trap 'rm -rf "$TMP_DIR"' EXIT
YQ_VERSION="v4.44.6"
wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$TMP_DIR/yq"
sudo mv "$TMP_DIR/yq" /usr/local/bin/yq
sudo chmod +x /usr/local/bin/yq
)
fi

# Install lsd (LSDeluxe)
echo "Installing lsd..."
if ! command -v lsd &> /dev/null; then
LSD_VERSION="1.1.5"
wget "https://github.com/lsd-rs/lsd/releases/download/v${LSD_VERSION}/lsd_${LSD_VERSION}_amd64.deb"
sudo dpkg -i "lsd_${LSD_VERSION}_amd64.deb"
rm "lsd_${LSD_VERSION}_amd64.deb"
(
TMP_DIR=$(mktemp -d)
trap 'rm -rf "$TMP_DIR"' EXIT
LSD_VERSION="1.1.5"
wget "https://github.com/lsd-rs/lsd/releases/download/v${LSD_VERSION}/lsd_${LSD_VERSION}_amd64.deb" -O "$TMP_DIR/lsd_${LSD_VERSION}_amd64.deb"
sudo dpkg -i "$TMP_DIR/lsd_${LSD_VERSION}_amd64.deb"
)
fi

# Install Tesseract OCR
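Review bot: in the yq block, `sudo mv "$TMP_DIR/yq" /usr/local/bin/yq` leaves the installed binary owned by the unprivileged user who ran the script (a same-filesystem rename keeps the inode and its owner, and GNU mv running as root preserves ownership when it has to copy across filesystems), so that account retains write access to an executable on the system PATH. Replace the `mv` plus `chmod +x` pair with `sudo install -m 0755 "$TMP_DIR/yq" /usr/local/bin/yq`, which creates a root-owned file with the right mode in one step. The lsd block has no equivalent ownership issue since `dpkg -i` manages the files itself, but both blocks still pass the download straight to `sudo` without checking that `wget` exited 0 or that the file matches a pinned checksum.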