🛡️ Sentinel: [HIGH] Fix insecure temporary file usage

[kidchenko]

🚨 Severity: HIGH
💡 Vulnerability: The tools/os_installers/apt.sh script downloads yq to a predictable temporary file path (/tmp/yq) and then moves it using sudo. This exposes the system to symlink attacks and local privilege escalation. Other downloads (Go, lsd) pull files into the current working directory, which is untidy and potentially problematic.
🎯 Impact: A local attacker could pre-create a symlink at /tmp/yq pointing to a critical system file, causing the subsequent sudo mv command to overwrite the target.
🔧 Fix: Used mktemp -d to create a securely generated temporary directory for downloading yq, Go, and lsd, ensuring downloads are isolated and safe before being processed.
✅ Verification: Ran ./build.sh to ensure script syntax is valid, manually inspected tools/os_installers/apt.sh logic, and successfully received a correct rating on automated code review.

---

PR created automatically by Jules for task 9613855591027540940 started by @kidchenko

Summary by CodeRabbit

Bug Fixes

• Enhanced security of OS installer scripts by implementing secure temporary directory handling for downloaded artifacts. The changes prevent insecure temporary file usage patterns that could lead to local privilege escalation and installation conflicts.

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

📝 Walkthrough

Walkthrough

Documentation was added describing a historical security vulnerability in OS installer scripts involving insecure temporary file handling. The apt.sh installer script was updated to use securely generated temporary directories via mktemp -d for all downloads and intermediate files instead of relying on predictable paths and the current working directory.

Changes

Cohort / File(s)	Summary
Security Documentation .jules/sentinel.md	Added entry documenting the insecure temporary file vulnerability and remediation approach.
OS Installer Security Hardening tools/os_installers/apt.sh	Refactored Go, yq, and lsd installation steps to use secure temporary directories created via mktemp -d for downloads and intermediate artifacts, with proper cleanup of each temporary directory scope.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 Hops through scripts with a whispered "yay!
Temp files safe in mktemp's way,
No more /tmp predictable fears,
Security whiskers, three cheers! 🎉

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and accurately summarizes the main security fix: replacing insecure temporary file usage with secure temporary directories in the installation scripts, which is the primary change across both modified files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch sentinel/fix-insecure-tmp-files-9613855591027540940

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

tools/os_installers/apt.sh (1)

208-212: Make temp-dir cleanup run on failure too.

With set -e, any error between mktemp -d and the trailing rm -rf exits the script early and leaves the temp directory behind. Wrapping each download/install step in a subshell with an EXIT trap would preserve the cleanup guarantee on both success and failure.

Example pattern for the Go block

 if ! command -v go &> /dev/null; then
     GO_VERSION="1.23.4"
-    TMP_DIR=$(mktemp -d)
-    wget "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" -O "$TMP_DIR/go${GO_VERSION}.linux-amd64.tar.gz"
-    sudo rm -rf /usr/local/go
-    sudo tar -C /usr/local -xzf "$TMP_DIR/go${GO_VERSION}.linux-amd64.tar.gz"
-    rm -rf "$TMP_DIR"
+    (
+        TMP_DIR=$(mktemp -d)
+        trap 'rm -rf "$TMP_DIR"' EXIT
+        wget "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" -O "$TMP_DIR/go${GO_VERSION}.linux-amd64.tar.gz"
+        sudo rm -rf /usr/local/go
+        sudo tar -C /usr/local -xzf "$TMP_DIR/go${GO_VERSION}.linux-amd64.tar.gz"
+    )
     echo "NOTE: Add 'export PATH=\$PATH:/usr/local/go/bin' to your shell profile"
 fi

Apply the same pattern to the yq and lsd blocks.

Also applies to: 235-239, 246-249

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tools/os_installers/apt.sh` around lines 208 - 212, The temp-dir created by
TMP_DIR=$(mktemp -d) is not guaranteed to be removed if any command fails; wrap
the Go download/install sequence (the TMP_DIR creation, wget, tar extraction,
and final rm -rf) in a short-lived block/subshell that sets a trap on EXIT to
remove "$TMP_DIR" (and clears the trap on success) so cleanup runs on both
success and failure; apply the same pattern to the yq and lsd blocks (their
mktemp/TMP_DIR, wget/curl and unpack/remove sequences) and reference the same
symbols (TMP_DIR, mktemp, wget/curl, tar, rm -rf, and the EXIT trap) when
implementing the fix.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.jules/sentinel.md:
- Around line 1-4: Update the dated entry header "2025-03-07 - [Fix Insecure
Temporary File Usage in OS Installers]" to the correct PR date (2026-03-07),
promote that heading to H1 (prepend a single "# "), ensure there is a blank line
above and below the heading, and reflow the prose paragraphs in that block so
lines are wrapped to the repo's preferred width (fixing MD013) and satisfy
MD022/MD041 heading-level and blank-line rules.

In `@tools/os_installers/apt.sh`:
- Around line 208-212: The script currently downloads and unpacks remote release
artifacts (see TMP_DIR, GO_VERSION, wget and sudo tar usage) without verifying
integrity; change each install block (Go, yq, lsd and any dpkg installs) to
fetch the official checksum or signature file from the vendor, verify the
downloaded archive using sha256sum (or gpg/openssl signature verification for
signed releases), fail and exit if the verification fails, and only then proceed
to extract or install (tar, dpkg, mv); ensure verification uses the
vendor-provided URL and that TMP_DIR cleanup still runs on both success and
failure.

---

Nitpick comments:
In `@tools/os_installers/apt.sh`:
- Around line 208-212: The temp-dir created by TMP_DIR=$(mktemp -d) is not
guaranteed to be removed if any command fails; wrap the Go download/install
sequence (the TMP_DIR creation, wget, tar extraction, and final rm -rf) in a
short-lived block/subshell that sets a trap on EXIT to remove "$TMP_DIR" (and
clears the trap on success) so cleanup runs on both success and failure; apply
the same pattern to the yq and lsd blocks (their mktemp/TMP_DIR, wget/curl and
unpack/remove sequences) and reference the same symbols (TMP_DIR, mktemp,
wget/curl, tar, rm -rf, and the EXIT trap) when implementing the fix.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e4ef4ebd-d8ab-4038-9393-0399d78ac8f3

📥 Commits

Reviewing files that changed from the base of the PR and between cb5949a and 5549ce1.

📒 Files selected for processing (2)

• .jules/sentinel.md
• tools/os_installers/apt.sh

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Correct the date and heading format so docs lint passes.

This entry is dated 2025-03-07, but the PR was opened on March 7, 2026. The same block also hits MD041/MD022/MD013, so the docs lint job will stay red until the heading is promoted to H1, blank lines are added, and the prose is wrapped.

Proposed fix

-## 2025-03-07 - [Fix Insecure Temporary File Usage in OS Installers]
-**Vulnerability:** Predictable temporary file locations (`/tmp/yq`) and current working directory downloads during package installation in `tools/os_installers/apt.sh`.
-**Learning:** Using predictable paths like `/tmp/filename` allows local privilege escalation and symlink attacks. Downloading directly to the current working directory is untidy and may leave artifacts behind or conflict with existing files.
-**Prevention:** Always use securely generated temporary directories like `mktemp -d` to handle downloads and intermediate files during scripts.
+# 2026-03-07 - Fix insecure temporary file usage in OS installers
+
+**Vulnerability:** Predictable temporary file locations (`/tmp/yq`) and
+current-working-directory downloads during package installation in
+`tools/os_installers/apt.sh`.
+
+**Learning:** Using predictable paths like `/tmp/filename` allows local
+privilege escalation and symlink attacks. Downloading directly to the current
+working directory is untidy and may leave artifacts behind or conflict with
+existing files.
+
+**Prevention:** Always use securely generated temporary directories like
+`mktemp -d` to handle downloads and intermediate files during scripts.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	## 2025-03-07 - [Fix Insecure Temporary File Usage in OS Installers]
	**Vulnerability:** Predictable temporary file locations (`/tmp/yq`) and current working directory downloads during package installation in `tools/os_installers/apt.sh`.
	**Learning:** Using predictable paths like `/tmp/filename` allows local privilege escalation and symlink attacks. Downloading directly to the current working directory is untidy and may leave artifacts behind or conflict with existing files.
	**Prevention:** Always use securely generated temporary directories like `mktemp -d` to handle downloads and intermediate files during scripts.
	# 2026-03-07 - Fix insecure temporary file usage in OS installers
	**Vulnerability:** Predictable temporary file locations (`/tmp/yq`) and
	current-working-directory downloads during package installation in
	`tools/os_installers/apt.sh`.
	**Learning:** Using predictable paths like `/tmp/filename` allows local
	privilege escalation and symlink attacks. Downloading directly to the current
	working directory is untidy and may leave artifacts behind or conflict with
	existing files.
	**Prevention:** Always use securely generated temporary directories like
	`mktemp -d` to handle downloads and intermediate files during scripts.

🧰 Tools

🪛 GitHub Check: Lint Documentation

[failure] 4-4: Line length
.jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 143] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

---

[failure] 3-3: Line length
.jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 241] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

---

[failure] 2-2: Line length
.jules/sentinel.md:2:81 MD013/line-length Line length [Expected: 80; Actual: 168] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

---

[failure] 1-1: First line in a file should be a top-level heading
.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2025-03-07 - [Fix Insecure ..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md

---

[failure] 1-1: Headings should be surrounded by blank lines
.jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2025-03-07 - [Fix Insecure Temporary File Usage in OS Installers]"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.jules/sentinel.md around lines 1 - 4, Update the dated entry header
"2025-03-07 - [Fix Insecure Temporary File Usage in OS Installers]" to the
correct PR date (2026-03-07), promote that heading to H1 (prepend a single "#
"), ensure there is a blank line above and below the heading, and reflow the
prose paragraphs in that block so lines are wrapped to the repo's preferred
width (fixing MD013) and satisfy MD022/MD041 heading-level and blank-line rules.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Verify release artifacts before installing them.

These blocks still unpack or install vendor binaries directly from the network. If an upstream release asset is tampered with, this script will promote attacker-controlled content into privileged locations. Please verify the official checksum or signature for Go, yq, and lsd before tar, mv, or dpkg.

Also applies to: 235-239, 246-249

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tools/os_installers/apt.sh` around lines 208 - 212, The script currently
downloads and unpacks remote release artifacts (see TMP_DIR, GO_VERSION, wget
and sudo tar usage) without verifying integrity; change each install block (Go,
yq, lsd and any dpkg installs) to fetch the official checksum or signature file
from the vendor, verify the downloaded archive using sha256sum (or gpg/openssl
signature verification for signed releases), fail and exit if the verification
fails, and only then proceed to extract or install (tar, dpkg, mv); ensure
verification uses the vendor-provided URL and that TMP_DIR cleanup still runs on
both success and failure.