🛡️ Sentinel: [HIGH] Fix insecure temporary download paths in apt.sh

[kidchenko]

🚨 Severity: HIGH
💡 Vulnerability: The tools/os_installers/apt.sh script was downloading executable artifacts to predictable temporary paths like /tmp/yq or directly to the current working directory. This pattern is vulnerable to Time-of-Check to Time-of-Use (TOCTOU) and symlink attacks. If an attacker pre-creates a symlink at /tmp/yq pointing to a sensitive file, the script (running with sudo) could inadvertently overwrite it or allow local privilege escalation.
🎯 Impact: Local attackers could potentially escalate privileges or overwrite critical system files by exploiting the predictable download paths when the installation script is executed.
🔧 Fix: Wrapped the go, yq, and lsd installation blocks in subshells (...). Within each subshell, a secure temporary directory is created using TMP_DIR=$(mktemp -d), and a local trap (trap 'rm -rf "$TMP_DIR"' EXIT) ensures cleanup. The wget commands were updated to download specifically into this isolated directory.
✅ Verification: Ensure the scripts pass shellcheck (via ./build.sh lint) and that running the modified installation blocks does not leave artifacts in /tmp or the current directory.

---

PR created automatically by Jules for task 10068104001288958326 started by @kidchenko

Summary by CodeRabbit

• Documentation

  • Added security journal entry documenting temporary file handling patterns for shell scripts

• Chores

  • Updated package installer to use dynamically-created temporary directories for artifact downloads and processing

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

📝 Walkthrough

Walkthrough

These changes implement secure temporary directory handling in shell scripts to mitigate TOCTOU and symlink attacks. A new security documentation file explains the vulnerability pattern and prevention approach, while the apt.sh installer is updated to use mktemp -d with automatic trap-based cleanup instead of predictable paths.

Changes

Cohort / File(s)	Summary
Security Documentation .jules/sentinel.md	Added security journal entry documenting shell script artifact download vulnerabilities (TOCTOU, symlink attacks) and prevention pattern using mktemp -d with trap cleanup.
Installer Security Hardening tools/os_installers/apt.sh	Updated Go, yq, and lsd installers to use per-installation temporary directories created via mktemp -d with automatic EXIT trap cleanup, replacing hardcoded output paths in the current directory and /tmp.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A rabbit hops through tempfiles true,
No /tmp shortcuts, nothing new—
With mktemp -d and traps so neat,
Our burrows stay secure and sweet! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly identifies the main change: fixing insecure temporary download paths in apt.sh, which is the core focus of the PR addressing a HIGH-severity vulnerability.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sentinel/fix-insecure-tmp-paths-10068104001288958326

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tools/os_installers/apt.sh`:
- Around line 211-213: The install steps download Go and yq into TMP_DIR using
wget and then run privileged installs (tar into /usr/local and dpkg -i for
yq/lsd); modify the sequence in the functions or script block that uses
GO_VERSION, TMP_DIR and the yq download lines to first fetch the corresponding
checksum/signature artifact (Go .sha256 or go<version>.linux-amd64.tar.gz.sha256
and yq's checksums/signature), verify the downloaded file with sha256sum -c (or
cosign verify-blob if a signature is available) and only proceed to sudo tar -C
/usr/local -xzf "$TMP_DIR/go${GO_VERSION}.linux-amd64.tar.gz" or sudo dpkg -i
for yq/lsd when verification succeeds; for lsd note that no official checksum
may exist so either skip privileged install until integrity method is available
or validate via GitHub release provenance before invoking sudo dpkg -i.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b7585a8c-76ba-4c26-a66d-5affa9217164

📥 Commits

Reviewing files that changed from the base of the PR and between eb5ca40 and c3703cf.

📒 Files selected for processing (2)

• .jules/sentinel.md
• tools/os_installers/apt.sh

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

What are the official checksum/signature verification instructions for: Go 1.23.4 linux-amd64 tarball, mikefarah/yq v4.44.6 yq_linux_amd64, and lsd-rs/lsd v1.1.5 amd64.deb?

💡 Result:

Go 1.23.4 linux-amd64 tarball: No evidence found of Go 1.23.4 release as of 2026-04-16; current stable versions are around 1.26.x per https://go.dev/dl/. Check https://go.dev/dl/ for SHA256 checksum listed in table for go1.23.4.linux-amd64.tar.gz if released, or download go1.23.4.linux-amd64.tar.gz.sha256 from storage.googleapis.com/golang/. mikefarah/yq v4.44.6 yq_linux_amd64: Download from https://github.com/mikefarah/yq/releases/tag/v4.44.6. Download 'checksums' and 'checksums_hashes_order' files. Use extract-checksum.sh script: ./extract-checksum.sh SHA-256 yq_linux_amd64 | sha256sum -c. For signature (recent releases): cosign verify-blob --bundle checksums.bundle checksums (install cosign first). lsd-rs/lsd v1.1.5 amd64.deb: Download lsd_1.1.5_amd64.deb from https://github.com/lsd-rs/lsd/releases/tag/v1.1.5. No official checksums or signatures provided in release assets or docs; verify via GitHub release integrity or compute your own SHA256.

Citations:

• 1: https://go.dev/dl/
• 2: Provide download for checksum of go releases.  golang/go#68282
• 3: https://tip.golang.org/dl/
• 4: https://go.dev/doc/install
• 5: https://github.com/mikefarah/yq/releases
• 6: https://github.com/mikefarah/yq/blob/master/scripts/extract-checksum.sh
• 7: mikefarah/yq@c8f6c1a
• 8: https://github.com/lsd-rs/lsd/releases/tag/v1.1.5
• 9: https://github.com/mikefarah/yq/releases/tag/v4.44.6

---

🏁 Script executed:

sed -n '205,260p' tools/os_installers/apt.sh

Repository: kidchenko/dotfiles

Length of output: 2070

---

Add artifact integrity verification before privileged install steps for Go and yq.

Downloads are installed via sudo without checksum/signature verification. A compromised release artifact would be executed as root.

Go 1.23.4 and yq v4.44.6 have official checksums available and should be verified before installation:

• Go: SHA256 checksum available at https://go.dev/dl/ or download go1.23.4.linux-amd64.tar.gz.sha256
• yq: Checksums available in GitHub release assets; use the provided checksums file with sha256sum -c or cosign verify-blob for signature verification

🔐 Suggested hardening pattern (Go example)

 (
     TMP_DIR=$(mktemp -d)
     trap 'rm -rf "$TMP_DIR"' EXIT
     GO_VERSION="1.23.4"
+    GO_SHA256="<official_sha256_from_go.dev>"
     wget "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" -O "$TMP_DIR/go${GO_VERSION}.linux-amd64.tar.gz"
+    echo "${GO_SHA256}  $TMP_DIR/go${GO_VERSION}.linux-amd64.tar.gz" | sha256sum -c -
     sudo rm -rf /usr/local/go
     sudo tar -C /usr/local -xzf "$TMP_DIR/go${GO_VERSION}.linux-amd64.tar.gz"
 )

Apply similar verification to yq release assets.

Note: lsd v1.1.5 does not provide official checksums or signatures in release assets. Consider verifying via GitHub release integrity or evaluating if signature verification is available elsewhere before sudo dpkg -i.

Also applies to lines 240-242 (yq), 253-254 (lsd).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tools/os_installers/apt.sh` around lines 211 - 213, The install steps
download Go and yq into TMP_DIR using wget and then run privileged installs (tar
into /usr/local and dpkg -i for yq/lsd); modify the sequence in the functions or
script block that uses GO_VERSION, TMP_DIR and the yq download lines to first
fetch the corresponding checksum/signature artifact (Go .sha256 or
go<version>.linux-amd64.tar.gz.sha256 and yq's checksums/signature), verify the
downloaded file with sha256sum -c (or cosign verify-blob if a signature is
available) and only proceed to sudo tar -C /usr/local -xzf
"$TMP_DIR/go${GO_VERSION}.linux-amd64.tar.gz" or sudo dpkg -i for yq/lsd when
verification succeeds; for lsd note that no official checksum may exist so
either skip privileged install until integrity method is available or validate
via GitHub release provenance before invoking sudo dpkg -i.