From 05771ef15eef1c66c1f04c5282770ccb1afe3eaf Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]"
 <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Fri, 17 Apr 2026 04:43:28 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[CRITICAL]?=
 =?UTF-8?q?=20Fix=20insecure=20temp=20files=20and=20direct=20downloads=20i?=
 =?UTF-8?q?n=20apt.sh?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This commit addresses a critical local privilege escalation and insecure file handling vulnerability in `tools/os_installers/apt.sh`.

Previously, the script downloaded artifacts to predictable temporary paths (`/tmp/yq`) or directly into the current working directory, which risks symlink attacks (especially with `sudo mv`) and leaves artifacts behind.

The fix introduces secure temporary directory creation using `mktemp -d` within isolated subshells and utilizes `EXIT` traps to ensure reliable cleanup.
It applies this secure pattern to the `yq`, `go`, and `lsd` installations.

A journal entry has also been added to `.jules/sentinel.md` documenting this finding.

Co-authored-by: kidchenko <5432753+kidchenko@users.noreply.github.com>
---
 .jules/sentinel.md         | 17 +++++++++++++++++
 tools/os_installers/apt.sh | 32 +++++++++++++++++++++-----------
 2 files changed, 38 insertions(+), 11 deletions(-)
 create mode 100644 .jules/sentinel.md

diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..cdf8d29
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,17 @@
+# Sentinel Security Journal
+
+## 2025-04-17 - Insecure Temporary Files and Direct Downloads in Installation Scripts
+
+**Vulnerability:** Predictable temporary files and direct downloads to the
+current working directory in `tools/os_installers/apt.sh`.
+
+**Learning:** Installation scripts often download artifacts. Using predictable
+paths like `/tmp/yq` allows local attackers to overwrite or predict the file,
+leading to potential privilege escalation (especially since the script uses
+`sudo`). Additionally, downloading archives directly to the current working
+directory is an insecure practice as it risks overwriting existing files or
+leaving artifacts behind.
+
+**Prevention:** Always use securely generated temporary directories via
+`mktemp -d` within a subshell, and use a `trap 'rm -rf "$TMP_DIR"' EXIT` for
+safe cleanup, rather than predictable paths or the current directory.
diff --git a/tools/os_installers/apt.sh b/tools/os_installers/apt.sh
index 156016b..4f9241d 100644
--- a/tools/os_installers/apt.sh
+++ b/tools/os_installers/apt.sh
@@ -205,11 +205,14 @@ fi
 echo "Installing Go..."
 if ! command -v go &> /dev/null; then
     GO_VERSION="1.23.4"
-    wget "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz"
-    sudo rm -rf /usr/local/go
-    sudo tar -C /usr/local -xzf "go${GO_VERSION}.linux-amd64.tar.gz"
-    rm "go${GO_VERSION}.linux-amd64.tar.gz"
-    echo "NOTE: Add 'export PATH=\$PATH:/usr/local/go/bin' to your shell profile"
+    (
+        TMP_DIR=$(mktemp -d)
+        trap 'rm -rf "$TMP_DIR"' EXIT
+        wget "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" -O "$TMP_DIR/go.tar.gz"
+        sudo rm -rf /usr/local/go
+        sudo tar -C /usr/local -xzf "$TMP_DIR/go.tar.gz"
+        echo "NOTE: Add 'export PATH=\$PATH:/usr/local/go/bin' to your shell profile"
+    )
 fi
 
 # Install Terraform
@@ -231,18 +234,25 @@ fi
 echo "Installing yq..."
 if ! command -v yq &> /dev/null; then
     YQ_VERSION="v4.44.6"
-    wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O /tmp/yq
-    sudo mv /tmp/yq /usr/local/bin/yq
-    sudo chmod +x /usr/local/bin/yq
+    (
+        TMP_DIR=$(mktemp -d)
+        trap 'rm -rf "$TMP_DIR"' EXIT
+        wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$TMP_DIR/yq"
+        sudo mv "$TMP_DIR/yq" /usr/local/bin/yq
+        sudo chmod +x /usr/local/bin/yq
+    )
 fi
 
 # Install lsd (LSDeluxe)
 echo "Installing lsd..."
 if ! command -v lsd &> /dev/null; then
     LSD_VERSION="1.1.5"
-    wget "https://github.com/lsd-rs/lsd/releases/download/v${LSD_VERSION}/lsd_${LSD_VERSION}_amd64.deb"
-    sudo dpkg -i "lsd_${LSD_VERSION}_amd64.deb"
-    rm "lsd_${LSD_VERSION}_amd64.deb"
+    (
+        TMP_DIR=$(mktemp -d)
+        trap 'rm -rf "$TMP_DIR"' EXIT
+        wget "https://github.com/lsd-rs/lsd/releases/download/v${LSD_VERSION}/lsd_${LSD_VERSION}_amd64.deb" -O "$TMP_DIR/lsd.deb"
+        sudo dpkg -i "$TMP_DIR/lsd.deb"
+    )
 fi
 
 # Install Tesseract OCR