MiguelRodo · MiguelRodo · May 15, 2026 · May 15, 2026
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
@@ -47,3 +47,11 @@
 **Vulnerability:** Path/URL manipulation and injection caused by unvalidated dynamic variables (e.g., dynamically fetching latest version strings via API calls).
 **Learning:** Variables that determine file paths or download URLs, even when fetched from typically trusted external sources (like a GitHub API), must be treated as untrusted input. If an API response is manipulated or unexpected (e.g., changing a version string to `../../../etc/passwd` or embedding shell commands), it can lead to path traversal, arbitrary file writes, or URL redirection vulnerabilities.
 **Prevention:** Always validate dynamically fetched data (like tags or version strings) against strict allow-lists (using POSIX-compliant regex like `^[0-9]+\.[0-9]+\.[0-9]+$`) before interpolating them into paths, URLs, or executing them.
+
+## 2024-05-15 - Unsafe Direct Execution of Remote Script
+
+**Vulnerability:** The devcontainer feature `src/mermaid/install.sh` was directly executing remote bash scripts downloaded via `curl | bash` for NodeSource installation. This exposes the installation process to remote code execution risks if the source is compromised or a Man-in-the-Middle (MitM) attack occurs.
+
+**Learning:** When installing vendor dependencies like Node.js, relying on mutable remote setup scripts via `curl | bash` is inherently insecure and brittle. Even attempting to secure it by hardcoding hashes is an anti-pattern because the upstream provider frequently updates the script, causing the installation to break.
+
+**Prevention:** Replaced `curl <url> | bash -` patterns with native package manager configuration. By directly downloading the vendor's GPG key and configuring the package manager repositories (e.g., via `/etc/apt/sources.list.d/nodesource.sources` for Debian/Ubuntu or `/etc/yum.repos.d/nodesource.repo` for RHEL/CentOS), we eliminate the execution of arbitrary remote shell scripts entirely while remaining robust to upstream script changes.
diff --git a/src/mermaid/install.sh b/src/mermaid/install.sh
@@ -152,31 +152,38 @@ install_nodejs() {
     fi
 
     echo "[INFO] Installing Node.js ${NODE_VERSION}..."
+    local node_major="${NODE_VERSION}"
+    if [ "$node_major" = "lts" ]; then node_major="20"; fi
+
     case "$OS_ID" in
         ubuntu|debian)
-            if [ "${NODE_VERSION}" = "lts" ]; then
-                 curl -fsSL https://deb.nodesource.com/setup_lts.x | bash -
-            else
-                 curl -fsSL "https://deb.nodesource.com/setup_${NODE_VERSION}.x" | bash -
-            fi
-            # NodeSource nodejs bundles npm; installing Ubuntu's npm package conflicts
+            curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /usr/share/keyrings/nodesource.gpg
+            cat <<EOF > /etc/apt/sources.list.d/nodesource.sources
+Types: deb
+URIs: https://deb.nodesource.com/node_${node_major}.x
+Suites: nodistro
+Components: main
+Signed-By: /usr/share/keyrings/nodesource.gpg
+EOF
+            apt-get update -y
             apt-get install -y nodejs
             ;;
         fedora)
-            if [ "${NODE_VERSION}" = "lts" ]; then
-                dnf install -y nodejs npm
-            else
-                dnf module reset -y nodejs || true
-                dnf module enable -y "nodejs:${NODE_VERSION}" || dnf install -y nodejs
-                dnf install -y nodejs npm
-            fi
+            dnf module reset -y nodejs || true
+            dnf module enable -y "nodejs:${node_major}" || dnf install -y nodejs
+            dnf install -y nodejs npm
             ;;
         centos|rhel|rocky|almalinux)
-            if [ "${NODE_VERSION}" = "lts" ]; then
-                curl -fsSL https://rpm.nodesource.com/setup_lts.x | bash -
-            else
-                curl -fsSL "https://rpm.nodesource.com/setup_${NODE_VERSION}.x" | bash -
-            fi
+            cat <<EOF > /etc/yum.repos.d/nodesource.repo
+[nodesource-nodejs]
+name=Node.js Packages for Linux RPM based distros - \$basearch
+baseurl=https://rpm.nodesource.com/pub_${node_major}.x/nodistro/nodejs/\$basearch
+priority=9
+enabled=1
+gpgcheck=1
+gpgkey=https://rpm.nodesource.com/gpgkey/ns-operations-public.key
+module_hotfixes=1
+EOF
             yum install -y nodejs npm
             ;;
         alpine)

diff --git a/test_script.sh b/test_script.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+set -e
+bash -n src/mermaid/install.sh
+echo "Syntax check passed"