🛡️ Sentinel: [HIGH] Fix insecure temporary file handling

[kidchenko]

🚨 Severity: HIGH
💡 Vulnerability: A script (tools/os_installers/apt.sh) was hardcoding the temporary download path for a binary (/tmp/yq) before moving it to its final destination using sudo mv.
🎯 Impact: Hardcoding paths in shared temporary directories like /tmp creates a Time-of-Check to Time-of-Use (TOCTOU) race condition and enables symlink attacks. An attacker could pre-create a symlink at /tmp/yq pointing to a sensitive file, causing it to be overwritten or modified when the script executes with elevated privileges (sudo).
🔧 Fix: Replaced the hardcoded path with a securely generated directory using mktemp -d to handle downloads before moving them with sudo. Documented the learning in .jules/sentinel.md.
✅ Verification: Run ./build.sh lint to verify that tools/os_installers/apt.sh passes linting and syntax checks successfully. Read .jules/sentinel.md to confirm the journal entry.

---

PR created automatically by Jules for task 5261296992179502194 started by @kidchenko

Summary by CodeRabbit

• Documentation

  • Added security advisory documentation describing insecure temporary file vulnerabilities and mitigation strategies.

• Bug Fixes

  • Enhanced OS installer to use secure temporary directories instead of hardcoded paths, reducing TOCTOU race condition and symlink attack risks.

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

📝 Walkthrough

Walkthrough

A new security advisory documentation file is added, and an OS installer script is updated to use secure temporary directory creation instead of a hardcoded temporary path for the yq binary download and installation process.

Changes

Cohort / File(s)	Summary
Security Documentation .jules/sentinel.md	New advisory documenting insecure temporary file usage vulnerability in OS installers, noting TOCTOU and symlink attack risks, with recommendation to use mktemp -d for secure temporary directories.
Temporary File Handling tools/os_installers/apt.sh	Modifies yq installation flow to use mktemp -d for creating a secure temporary directory instead of hardcoding /tmp/yq, includes permission preservation and cleanup of temporary directory.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A bunny hopped through /tmp so grim,
Where symlinks lurked and odds were slim,
But mktemp -d came to save the day,
Now files are safe in every way! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title identifies the main change (fixing insecure temporary file handling) and matches the primary objective, but includes an emoji and severity marker that add noise to what should be a concise, clear summary.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch sentinel-fix-apt-tmp-5261296992179502194

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

tools/os_installers/apt.sh (1)

234-238: Register an EXIT trap for YQ_TMP_DIR cleanup.

This fixes the predictable temp path, but cleanup is still best-effort. With set -e, any failure before Line 238 leaves the temp directory behind.

Proposed change

     YQ_VERSION="v4.44.6"
     YQ_TMP_DIR=$(mktemp -d)
+    trap 'rm -rf "$YQ_TMP_DIR"' EXIT
     wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$YQ_TMP_DIR/yq"
     sudo mv "$YQ_TMP_DIR/yq" /usr/local/bin/yq
     sudo chmod +x /usr/local/bin/yq
     rm -rf "$YQ_TMP_DIR"
+    trap - EXIT

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tools/os_installers/apt.sh` around lines 234 - 238, The temp directory
created in the YQ installation block (YQ_TMP_DIR=$(mktemp -d)) can be left
behind if the script exits early; add a trap to delete "$YQ_TMP_DIR" on EXIT so
cleanup always runs. Specifically, after creating YQ_TMP_DIR, register a trap
'trap "rm -rf \"$YQ_TMP_DIR\"" EXIT' (or equivalent) and ensure the existing
explicit rm -rf "$YQ_TMP_DIR" remains (the trap will be a no-op if already
removed); reference YQ_TMP_DIR, mktemp, and the existing rm -rf line when
applying the change.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.jules/sentinel.md:
- Line 1: The advisory heading currently reads "## 2025-03-06 - [Insecure
Temporary File Usage in OS Installer]" but should reflect the PR date; update
that heading to "## 2026-03-06 - [Insecure Temporary File Usage in OS
Installer]" so the record matches PR `#50`'s March 6, 2026 creation date; edit the
top-line heading string in .jules/sentinel.md to replace 2025-03-06 with
2026-03-06.
- Around line 1-4: The new entry titled "2025-03-06 - [Insecure Temporary File
Usage in OS Installer]" violates markdownlint rules MD041, MD022 and MD013; fix
it by ensuring the document has a single top-level heading (add an H1 before
this entry or change this heading to a lower-level heading consistent with the
file’s structure to satisfy MD041), ensure there is exactly one blank line after
the heading (MD022), and wrap long lines in the body to respect the repository
line-length policy (MD013) by breaking the long sentences (e.g., the
Vulnerability/Learning/Prevention lines) into shorter lines or paragraphs
without changing content meaning.

---

Nitpick comments:
In `@tools/os_installers/apt.sh`:
- Around line 234-238: The temp directory created in the YQ installation block
(YQ_TMP_DIR=$(mktemp -d)) can be left behind if the script exits early; add a
trap to delete "$YQ_TMP_DIR" on EXIT so cleanup always runs. Specifically, after
creating YQ_TMP_DIR, register a trap 'trap "rm -rf \"$YQ_TMP_DIR\"" EXIT' (or
equivalent) and ensure the existing explicit rm -rf "$YQ_TMP_DIR" remains (the
trap will be a no-op if already removed); reference YQ_TMP_DIR, mktemp, and the
existing rm -rf line when applying the change.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e9ab22e5-dcfc-484c-917a-ef1b44b1d763

📥 Commits

Reviewing files that changed from the base of the PR and between cb5949a and ad9441a.

📒 Files selected for processing (2)

• .jules/sentinel.md
• tools/os_installers/apt.sh

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Fix the advisory date in the heading.

Line 1 says 2025-03-06, but PR #50 was opened on March 6, 2026. If this heading is meant to record when the advisory was added, it is off by one year and will make the journal misleading.

🧰 Tools

🪛 GitHub Check: Lint Documentation

[failure] 1-1: First line in a file should be a top-level heading
.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2025-03-06 - [Insecure Temp..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md

---

[failure] 1-1: Headings should be surrounded by blank lines
.jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2025-03-06 - [Insecure Temporary File Usage in OS Installer]"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.jules/sentinel.md at line 1, The advisory heading currently reads "##
2025-03-06 - [Insecure Temporary File Usage in OS Installer]" but should reflect
the PR date; update that heading to "## 2026-03-06 - [Insecure Temporary File
Usage in OS Installer]" so the record matches PR `#50`'s March 6, 2026 creation
date; edit the top-line heading string in .jules/sentinel.md to replace
2025-03-06 with 2026-03-06.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Make the new entry markdownlint-clean.

This block currently trips MD041, MD022, and MD013, so ./build.sh lint will stay red until the heading level and line wrapping are fixed.

Proposed change

-## 2025-03-06 - [Insecure Temporary File Usage in OS Installer]
-**Vulnerability:** A script (`tools/os_installers/apt.sh`) was hardcoding the temporary download path for a binary (`/tmp/yq`) before moving it to its final destination using `sudo mv`.
-**Learning:** Hardcoding paths in shared temporary directories like `/tmp` creates a Time-of-Check to Time-of-Use (TOCTOU) race condition and enables symlink attacks. An attacker could pre-create a symlink at `/tmp/yq` pointing to a sensitive file, causing it to be overwritten or modified when the script executes with elevated privileges (`sudo`).
-**Prevention:** Use `mktemp -d` to securely generate a unique temporary directory for downloads or intermediate files, rather than relying on predictable paths, especially before executing commands with elevated privileges.
+# 2026-03-06 - Insecure Temporary File Usage in OS Installer
+
+**Vulnerability:** A script (`tools/os_installers/apt.sh`) hardcoded the
+temporary download path for a binary (`/tmp/yq`) before moving it to its final
+destination with `sudo mv`.
+
+**Learning:** Hardcoding paths in shared temporary directories like `/tmp`
+creates a Time-of-Check to Time-of-Use (TOCTOU) race condition and enables
+symlink attacks. An attacker could pre-create a symlink at `/tmp/yq` pointing
+to a sensitive file, causing it to be overwritten or modified when the script
+executes with elevated privileges (`sudo`).
+
+**Prevention:** Use `mktemp -d` to securely generate a unique temporary
+directory for downloads or intermediate files rather than relying on
+predictable paths, especially before executing commands with elevated
+privileges.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	## 2025-03-06 - [Insecure Temporary File Usage in OS Installer]
	**Vulnerability:** A script (`tools/os_installers/apt.sh`) was hardcoding the temporary download path for a binary (`/tmp/yq`) before moving it to its final destination using `sudo mv`.
	**Learning:** Hardcoding paths in shared temporary directories like `/tmp` creates a Time-of-Check to Time-of-Use (TOCTOU) race condition and enables symlink attacks. An attacker could pre-create a symlink at `/tmp/yq` pointing to a sensitive file, causing it to be overwritten or modified when the script executes with elevated privileges (`sudo`).
	**Prevention:** Use `mktemp -d` to securely generate a unique temporary directory for downloads or intermediate files, rather than relying on predictable paths, especially before executing commands with elevated privileges.
	# 2026-03-06 - Insecure Temporary File Usage in OS Installer
	**Vulnerability:** A script (`tools/os_installers/apt.sh`) hardcoded the
	temporary download path for a binary (`/tmp/yq`) before moving it to its final
	destination with `sudo mv`.
	**Learning:** Hardcoding paths in shared temporary directories like `/tmp`
	creates a Time-of-Check to Time-of-Use (TOCTOU) race condition and enables
	symlink attacks. An attacker could pre-create a symlink at `/tmp/yq` pointing
	to a sensitive file, causing it to be overwritten or modified when the script
	executes with elevated privileges (`sudo`).
	**Prevention:** Use `mktemp -d` to securely generate a unique temporary
	directory for downloads or intermediate files rather than relying on
	predictable paths, especially before executing commands with elevated
	privileges.

🧰 Tools

🪛 GitHub Check: Lint Documentation

[failure] 4-4: Line length
.jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 223] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

---

[failure] 3-3: Line length
.jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 349] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

---

[failure] 2-2: Line length
.jules/sentinel.md:2:81 MD013/line-length Line length [Expected: 80; Actual: 185] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

---

[failure] 1-1: First line in a file should be a top-level heading
.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2025-03-06 - [Insecure Temp..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md

---

[failure] 1-1: Headings should be surrounded by blank lines
.jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2025-03-06 - [Insecure Temporary File Usage in OS Installer]"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.jules/sentinel.md around lines 1 - 4, The new entry titled "2025-03-06 -
[Insecure Temporary File Usage in OS Installer]" violates markdownlint rules
MD041, MD022 and MD013; fix it by ensuring the document has a single top-level
heading (add an H1 before this entry or change this heading to a lower-level
heading consistent with the file’s structure to satisfy MD041), ensure there is
exactly one blank line after the heading (MD022), and wrap long lines in the
body to respect the repository line-length policy (MD013) by breaking the long
sentences (e.g., the Vulnerability/Learning/Prevention lines) into shorter lines
or paragraphs without changing content meaning.