
Update CandyHole.sh#6

Open

xematin wants to merge 1 commit into AmiRCandy:main from xematin:patch-1

Conversation

@xematin

@xematin xematin commented Mar 4, 2026

Summary by CodeRabbit

  • New Features

    • Configurable, multi-path installer supporting local archives or downloads with progress messaging
    • Server secret key generation and validation during setup with security warnings
    • Enhanced network discovery and MAC address retrieval
  • Bug Fixes

    • Improved library compatibility with symbolic link creation and system configuration updates

@coderabbitai

coderabbitai bot commented Mar 4, 2026

Walkthrough

CandyHole.sh was refactored to introduce a configurable, multi-path installation approach for Paqet. The script now supports local archives, dynamic extraction, library compatibility fixes, post-install verification, server secret key generation, and enhanced network discovery with MAC address resolution and user validation prompts.

Changes

Installation Configuration (CandyHole.sh):
Added PAQET_VERSION, PAQET_FILE, PAQET_BINARY, LOCAL_PATH, and DOWNLOAD_URL variables; implemented logic to detect and use local archives from /root before attempting download; dynamic tar extraction and binary relocation with executable permission preservation.

Post-Install Verification & Library Fixes (CandyHole.sh):
Added paqet --help verification after installation with success/error messaging; introduced libpcap symbolic link creation and ldconfig execution for system library compatibility.

Server Configuration & Secret Management (CandyHole.sh):
Introduced server secret key generation via paqet secret command with validation and display; differentiated configuration blocks between server (using secret_key) and client (using server_secret_key) setup paths.

Network Discovery & User Interaction (CandyHole.sh):
Expanded MAC address resolution using arp/ip neigh commands with fallback messaging; added user prompts and validation for IP, port, and secret handling; enhanced progress messaging around preparation, extraction, and binary relocation.

Sequence Diagram

sequenceDiagram
    actor User
    participant Script as CandyHole.sh
    participant LocalFS as Local Filesystem
    participant Download as Download Service
    participant Paqet as Paqet Binary
    participant Config as Configuration

    User->>Script: Initiate installation
    Script->>LocalFS: Check for local archive in /root
    alt Local archive exists
        LocalFS-->>Script: Archive found
        Script->>Script: Extract from local
    else Local archive not found
        LocalFS-->>Script: Not found
        Script->>Download: Fetch Paqet binary
        Download-->>Script: Archive downloaded
        Script->>Script: Extract downloaded
    end
    Script->>Script: Move binary to /usr/local/bin
    Script->>LocalFS: Create libpcap symlink
    Script->>Paqet: Run paqet --help (verify)
    Paqet-->>Script: Verification result
    alt Server setup
        Script->>Paqet: Execute paqet secret
        Paqet-->>Script: Generate secret_key
        Script->>User: Display secret_key warning
    end
    Script->>Script: Detect IP & MAC address
    Script->>Config: Generate YAML configuration
    Config-->>Script: Configuration ready
    Script->>User: Installation complete

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 From local paths and downloads so swift,
This script receives installation's gift!
Secrets are generated, configs take form,
Libraries linked—our burrow stays warm,
Verification hops merrily through! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Title check: ⚠️ Warning. The title 'Update CandyHole.sh' is too generic and vague; it fails to convey the specific, substantial changes made (configurable installer, library fixes, verification, secret key generation). Resolution: use a more descriptive title that highlights the main changes, such as 'Add configurable Paqet installer with verification and secret key generation' or 'Enhance CandyHole.sh with dynamic installer and post-install checks'.

✅ Passed checks (2 passed)

Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@CandyHole.sh`:
- Around line 288-307: The script relies on the caller's CWD and doesn't
validate file operations; create and use a dedicated temp working directory
(mktemp -d) before using LOCAL_PATH/DOWNLOAD_URL/PAQET_FILE to avoid clobbering
unrelated files, run show_progress around safe downloads and check wget's exit
code and that PAQET_FILE exists and is a regular file before extraction, ensure
tar extraction succeeds (check exit code), validate PAQET_BINARY exists after
extraction and before moving, and then atomically install to
/usr/local/bin/paqet (or another intended destination) while checking
mv/permission errors and failing fast (exit non-zero) on any step so installs
are directory-safe and reliably validated.
- Around line 285-301: Add SHA256 integrity checks before extracting PAQET_FILE:
after using LOCAL_PATH or downloading via DOWNLOAD_URL (the blocks using
print_info/show_progress/wget and variable PAQET_FILE), compute and verify the
archive's SHA256 against a trusted expected hash (or by downloading a signed
checksum file) using sha256sum -c (or equivalent), and abort with print_error
and exit 1 if verification fails; ensure both the local-file branch (LOCAL_PATH)
and the download branch perform the same verification prior to calling tar -xzf,
and include clear error logging on mismatch.

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 47c985e and 85f8b9b.

📒 Files selected for processing (1)
  • CandyHole.sh

Comment on lines +285 to 301
# Check if file exists in /root
if [ -f "$LOCAL_PATH" ]; then
print_info "Found Paqet archive in /root. Using local file."
cp "$LOCAL_PATH" .
else
show_progress "Downloading Paqet"
wget "$DOWNLOAD_URL"
if [ $? -ne 0 ]; then
print_error "Failed to download Paqet"
exit 1
fi
fi

tar -xzf paqet-linux-amd64-v1.0.0-alpha.13.tar.gz
# Extract archive
show_progress "Extracting Paqet archive"
tar -xzf "$PAQET_FILE"
if [ $? -ne 0 ]; then
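Review bot: both branches write into whatever directory the script happens to be run from: `cp "$LOCAL_PATH" .` and `wget "$DOWNLOAD_URL"` (no `-O`) drop the archive in the CWD, and if a file of the same name is already there wget saves the new download as `<name>.1` while the later `tar -xzf "$PAQET_FILE"` extracts the stale copy. Pin the output path with `wget -O` into a directory created by `mktemp -d`, and check the `cp` exit status the same way the `wget` status is checked.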

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

PAQET_VERSION="v1.0.0-alpha.13"
PAQET_FILE="paqet-linux-amd64-${PAQET_VERSION}.tar.gz"
BASE_URL="https://github.com/hanselime/paqet/releases/download/${PAQET_VERSION}"

echo "[1] Checking release existence and assets:"
curl -fsSL "https://api.github.com/repos/hanselime/paqet/releases/tags/${PAQET_VERSION}" 2>/dev/null | \
  jq -r '.assets[]?.name' 2>/dev/null || echo "Release not found or API unreachable"

echo ""
echo "[2] Attempting to download archive metadata:"
curl -fsSLI "${BASE_URL}/${PAQET_FILE}" 2>/dev/null | head -5 || echo "Download URL not accessible"

Repository: AmiRCandy/CandyHole

Length of output: 628


🏁 Script executed:

#!/bin/bash
# Verify the current CandyHole.sh implementation at lines 285-301
cd /repo 2>/dev/null || cd . 
if [ -f "CandyHole.sh" ]; then
  echo "=== Lines 285-301 of CandyHole.sh ==="
  sed -n '285,301p' CandyHole.sh
  echo ""
  echo "=== Checking for sha256sum/checksum validation in entire file ==="
  grep -n "sha256\|checksum\|gpg\|verify\|signature" CandyHole.sh || echo "No checksum/signature validation found"
else
  echo "CandyHole.sh not found"
fi

Repository: AmiRCandy/CandyHole

Length of output: 627


Add checksum verification before extracting archive in root installer.

Lines 291 and 300 download and extract untrusted artifacts without integrity validation. Running as root, this creates a critical supply-chain risk—any MITM attack, corrupted download, or repository compromise directly executes arbitrary code with full privileges.

The upstream release exists and includes the expected Linux asset. Add SHA256 verification:

Verification details and hardening patch

Evidence:

  • Upstream release v1.0.0-alpha.13 exists with paqet-linux-amd64-v1.0.0-alpha.13.tar.gz
  • No integrity checks exist anywhere in CandyHole.sh (confirmed via full file scan)
  • wget+tar sequence executes without validation

Hardened implementation:

 PAQET_VERSION="v1.0.0-alpha.13"
 PAQET_FILE="paqet-linux-amd64-${PAQET_VERSION}.tar.gz"
 PAQET_BINARY="paqet_linux_amd64"
 LOCAL_PATH="/root/${PAQET_FILE}"
 DOWNLOAD_URL="https://github.com/hanselime/paqet/releases/download/${PAQET_VERSION}/${PAQET_FILE}"
+PAQET_SHA256="<pin-expected-sha256>"
+WORKDIR="$(mktemp -d /tmp/paqet.XXXXXX)"
+trap 'rm -rf "$WORKDIR"' EXIT
 
 # Check if file exists in /root
 if [ -f "$LOCAL_PATH" ]; then
     print_info "Found Paqet archive in /root. Using local file."
-    cp "$LOCAL_PATH" .
+    cp "$LOCAL_PATH" "$WORKDIR/$PAQET_FILE"
 else
     show_progress "Downloading Paqet"
-    wget "$DOWNLOAD_URL"
+    wget -O "$WORKDIR/$PAQET_FILE" "$DOWNLOAD_URL"
     if [ $? -ne 0 ]; then
         print_error "Failed to download Paqet"
         exit 1
     fi
 fi
 
 # Extract archive
 show_progress "Extracting Paqet archive"
+echo "${PAQET_SHA256}  $WORKDIR/$PAQET_FILE" | sha256sum -c -
+if [ $? -ne 0 ]; then
+    print_error "Paqet archive checksum verification failed"
+    exit 1
+fi
-tar -xzf "$PAQET_FILE"
+tar -xzf "$WORKDIR/$PAQET_FILE" -C "$WORKDIR"
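Review bot: the patch extracts into `$WORKDIR` (`tar -xzf "$WORKDIR/$PAQET_FILE" -C "$WORKDIR"`) but stops before the `mv "$PAQET_BINARY" /usr/local/bin/paqet` line quoted in the next comment, which still looks for the binary in the caller's CWD; that line needs `"$WORKDIR/$PAQET_BINARY"` or the install fails right after the checksum passes. The result of `cp "$LOCAL_PATH" "$WORKDIR/$PAQET_FILE"` is also unchecked, unlike the wget branch, and `PAQET_SHA256="<pin-expected-sha256>"` has to be replaced with the real digest of the release asset before merge, since with the placeholder every install fails closed.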
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@CandyHole.sh` around lines 285 - 301, Add SHA256 integrity checks before
extracting PAQET_FILE: after using LOCAL_PATH or downloading via DOWNLOAD_URL
(the blocks using print_info/show_progress/wget and variable PAQET_FILE),
compute and verify the archive's SHA256 against a trusted expected hash (or by
downloading a signed checksum file) using sha256sum -c (or equivalent), and
abort with print_error and exit 1 if verification fails; ensure both the
local-file branch (LOCAL_PATH) and the download branch perform the same
verification prior to calling tar -xzf, and include clear error logging on
mismatch.

Comment on lines +288 to +307
cp "$LOCAL_PATH" .
else
show_progress "Downloading Paqet"
wget "$DOWNLOAD_URL"
if [ $? -ne 0 ]; then
print_error "Failed to download Paqet"
exit 1
fi
fi

tar -xzf paqet-linux-amd64-v1.0.0-alpha.13.tar.gz
# Extract archive
show_progress "Extracting Paqet archive"
tar -xzf "$PAQET_FILE"
if [ $? -ne 0 ]; then
print_error "Failed to extract Paqet archive"
exit 1
fi

mv paqet_linux_amd64 /usr/local/bin/paqet
# Move binary
mv "$PAQET_BINARY" /usr/local/bin/paqet

⚠️ Potential issue | 🟠 Major

Make installation directory-safe and fail fast on file ops.

Line 288/Line 300 depend on caller CWD, and Line 307 doesn’t validate install success. This can break installs or overwrite unrelated files.

🧰 Proposed reliability patch
 if [ -f "$LOCAL_PATH" ]; then
     print_info "Found Paqet archive in /root. Using local file."
-    cp "$LOCAL_PATH" .
+    cp "$LOCAL_PATH" "$WORKDIR/$PAQET_FILE" || { print_error "Failed to copy local archive"; exit 1; }
 else
     show_progress "Downloading Paqet"
-    wget "$DOWNLOAD_URL"
+    wget -O "$WORKDIR/$PAQET_FILE" "$DOWNLOAD_URL"
     if [ $? -ne 0 ]; then
         print_error "Failed to download Paqet"
         exit 1
     fi
 fi
 
 # Extract archive
 show_progress "Extracting Paqet archive"
-tar -xzf "$PAQET_FILE"
+tar -xzf "$WORKDIR/$PAQET_FILE" -C "$WORKDIR"
 if [ $? -ne 0 ]; then
     print_error "Failed to extract Paqet archive"
     exit 1
 fi
 
 # Move binary
-mv "$PAQET_BINARY" /usr/local/bin/paqet
+install -m 0755 "$WORKDIR/$PAQET_BINARY" /usr/local/bin/paqet
+if [ $? -ne 0 ]; then
+    print_error "Failed to install Paqet binary"
+    exit 1
+fi
 chmod +x /usr/local/bin/paqet
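Review bot: this hunk uses `$WORKDIR` but never defines it; it only works if the `mktemp -d` and `trap` lines from the checksum patch above are applied as well, so the two suggestions should be merged into one. With `install -m 0755 "$WORKDIR/$PAQET_BINARY" /usr/local/bin/paqet` in place the trailing `chmod +x /usr/local/bin/paqet` is redundant, and `install` overwrites the destination in place rather than atomically; for the atomic replace the prompt asks for, install to a temporary name beside the destination and `mv` it over. The tar exit check also catches extraction errors only, not an archive that lacks `$PAQET_BINARY`, so add a `[ -f "$WORKDIR/$PAQET_BINARY" ]` check before the install.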
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@CandyHole.sh` around lines 288 - 307, The script relies on the caller's CWD
and doesn't validate file operations; create and use a dedicated temp working
directory (mktemp -d) before using LOCAL_PATH/DOWNLOAD_URL/PAQET_FILE to avoid
clobbering unrelated files, run show_progress around safe downloads and check
wget's exit code and that PAQET_FILE exists and is a regular file before
extraction, ensure tar extraction succeeds (check exit code), validate
PAQET_BINARY exists after extraction and before moving, and then atomically
install to /usr/local/bin/paqet (or another intended destination) while checking
mv/permission errors and failing fast (exit non-zero) on any step so installs
are directory-safe and reliably validated.
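One way to implement the fetch-verify-install sequence that both inline prompts above describe, as an added example rather than code from the PR or from CandyHole.sh: it goes a step beyond the proposed patches by also checking that the archive is a regular non-empty file and that the expected binary exists after extraction, and by staging the binary beside its destination before renaming it into place. Assumptions: `print_error` and `show_progress` are stand-ins for the script's helpers, and `install_paqet` with its four arguments is a name chosen here.

```shell
#!/bin/sh
# Added example, not CandyHole.sh's own code: the fetch-verify-install step the
# review asks for, as one function. print_error/show_progress are assumed stand-ins
# for the script's helpers; install_paqet and its arguments are names chosen here.
print_error()   { printf 'ERROR: %s\n' "$*" >&2; }
show_progress() { printf '... %s\n' "$*"; }

# install_paqet SOURCE EXPECTED_SHA256 BINARY_NAME DEST
# SOURCE is a local archive path or an http(s) URL. The body runs in a subshell,
# so every 'exit 1' only leaves this function, and the EXIT trap removes the
# private work directory on every path (success or failure).
install_paqet() (
    src="$1" expected="$2" binary="$3" dest="$4"
    workdir="$(mktemp -d)" || { print_error "mktemp failed"; exit 1; }
    trap 'rm -rf "$workdir"' EXIT
    archive="$workdir/archive.tar.gz"

    case "$src" in
        http://*|https://*)
            show_progress "Downloading Paqet"
            # -O pins the output name: no CWD writes, no stale '.1' copies
            wget -q -O "$archive" "$src" || { print_error "Download failed"; exit 1; } ;;
        *)
            show_progress "Using local archive $src"
            cp -- "$src" "$archive" || { print_error "Copy of $src failed"; exit 1; } ;;
    esac
    [ -f "$archive" ] && [ -s "$archive" ] || { print_error "Archive missing or empty"; exit 1; }

    # Both branches pass through the same pinned-digest check before tar touches the file.
    echo "$expected  $archive" | sha256sum -c - >/dev/null 2>&1 \
        || { print_error "SHA256 mismatch: refusing to extract"; exit 1; }

    show_progress "Extracting Paqet archive"
    tar -xzf "$archive" -C "$workdir" || { print_error "Extraction failed"; exit 1; }
    [ -f "$workdir/$binary" ] || { print_error "Archive does not contain $binary"; exit 1; }

    # Stage beside DEST, then rename: DEST is never observed half-written.
    install -m 0755 "$workdir/$binary" "$dest.tmp" && mv -f "$dest.tmp" "$dest" \
        || { rm -f "$dest.tmp"; print_error "Install to $dest failed"; exit 1; }
    show_progress "Installed $dest"
)

# Stand-alone use: ./install.sh SOURCE SHA256 BINARY DEST (a no-op when sourced by tests)
if [ "$#" -eq 4 ]; then install_paqet "$@"; fi
```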
