From 2ab75177374ae4c55e20c33d331e58e726e28ccb Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Mon, 20 Apr 2026 04:58:43 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[security?=
 =?UTF-8?q?=20improvement]=20Secure=20composer-setup.php=20download=20with?=
 =?UTF-8?q?=20mktemp?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: kidchenko <5432753+kidchenko@users.noreply.github.com>
---
 .jules/sentinel.md | 15 ++++++++++++++-
 tools/os_installers/apt.sh | 24 +++++++++++++-----------
 2 files changed, 27 insertions(+), 12 deletions(-)
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
index 0880885..95907a2 100644
--- a/.jules/sentinel.md
+++ b/.jules/sentinel.md
@@ -13,7 +13,6 @@ second.
 **Prevention:** Wrap commands that create sensitive files in a subshell using `umask 077` to ensure the file is created with secure permissions (`600`) natively.
-# Sentinel Security Journal
 ## 2026-04-16 - Prevent TOCTOU and Symlink Attacks via Insecure Temporary Directories 
@@ -29,3 +28,17 @@ or risks naming collisions.
 `TMP_DIR=$(mktemp -d)`) wrapped in a subshell `(...)` and paired with a local trap (`trap 'rm -rf "$TMP_DIR"' EXIT`) to ensure isolation and automatic cleanup upon exit.
+
+## 2026-04-20 - Insecure executable artifact download location
+
+**Vulnerability:** Downloaded executable script (`composer-setup.php`) directly
+to the current working directory in an installation script.
+
+**Learning:** Downloading files directly to the current directory is insecure
+because it might overwrite existing files or leave executable artifacts
+susceptible to modification before execution, especially in scripts that may run
+with elevated privileges.
+
+**Prevention:** Always use securely generated isolated temporary directories via
+`mktemp -d`, and wrap the setup in a subshell `(...)` with an automatic `trap`
+to ensure secure handling and cleanup.
diff --git a/tools/os_installers/apt.sh b/tools/os_installers/apt.sh
index 5f2b2df..cad1814 100644
--- a/tools/os_installers/apt.sh
+++ b/tools/os_installers/apt.sh 
@@ -262,17 +262,19 @@ sudo apt install -y tesseract-ocr
 # Install PHP Composer
 echo "Installing Composer..."
 if ! command -v composer &> /dev/null; then
- EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')"
- php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
- ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', 'composer-setup.php');")"
-
- if [ "$EXPECTED_CHECKSUM" = "$ACTUAL_CHECKSUM" ]; then
- sudo php composer-setup.php --quiet --install-dir=/usr/local/bin --filename=composer
- rm composer-setup.php
- else
- >&2 echo 'ERROR: Invalid installer checksum for Composer'
- rm composer-setup.php
- fi
+ (
+ TMP_DIR=$(mktemp -d)
+ trap 'rm -rf "$TMP_DIR"' EXIT
+ EXPECTED_CHECKSUM="$(php -r 'copy("https://composer.github.io/installer.sig", "php://stdout");')"
+ php -r "copy('https://getcomposer.org/installer', '$TMP_DIR/composer-setup.php');"
+ ACTUAL_CHECKSUM="$(php -r "echo hash_file('sha384', '$TMP_DIR/composer-setup.php');")"
+
+ if [ "$EXPECTED_CHECKSUM" = "$ACTUAL_CHECKSUM" ]; then
+ sudo php "$TMP_DIR/composer-setup.php" --quiet --install-dir=/usr/local/bin --filename=composer
+ else
+ >&2 echo 'ERROR: Invalid installer checksum for Composer'
+ fi
+ )
 fi
 # Clean up
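Review bot: The `if [ "$EXPECTED_CHECKSUM" = "$ACTUAL_CHECKSUM" ]` gate in the new subshell is satisfied by two failures rather than by verification: neither `copy()` result is checked, and if the signature fetch yields an empty `EXPECTED_CHECKSUM` (PHP CLI warnings usually go to stderr, leaving stdout empty) it compares equal to the empty `echo hash_file(...)` output of a missing download, so `sudo php` is invoked on a path that may not exist; require a non-empty expected value, e.g. `if [ -n "$EXPECTED_CHECKSUM" ] && [ "$EXPECTED_CHECKSUM" = "$ACTUAL_CHECKSUM" ]; then`. `TMP_DIR=$(mktemp -d)` is likewise unchecked, so on failure the download target degrades to `/composer-setup.php` and the trap runs `rm -rf ""`; abort on error and guard the trap with `"${TMP_DIR:?}"`. The mismatch branch only prints and the subshell then exits 0, so the enclosing script continues as though Composer were installed unless `set -e` is active, which this hunk does not show; an explicit `exit 1` in that branch (and `) || exit 1` on the subshell if `-e` is not set) makes the failure visible. `$TMP_DIR` is also interpolated into PHP source as a string literal, so passing it through `argv` instead would avoid quoting surprises from an unusual `TMPDIR`.
```shell
    (
        TMP_DIR=$(mktemp -d) || exit 1
        trap 'rm -rf "${TMP_DIR:?}"' EXIT
        # … unchanged: fetch installer.sig, download the installer, compute ACTUAL_CHECKSUM …
        if [ -n "$EXPECTED_CHECKSUM" ] && [ "$EXPECTED_CHECKSUM" = "$ACTUAL_CHECKSUM" ]; then
            sudo php "$TMP_DIR/composer-setup.php" --quiet --install-dir=/usr/local/bin --filename=composer
        else
            >&2 echo 'ERROR: Invalid installer checksum for Composer'
            exit 1
        fi
    )
```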