Skip to content

🛡️ Sentinel: [HIGH] Fix predictable temporary file name vulnerabilities in atomic saves#70

Closed
himattm wants to merge 1 commit intomainfrom
sentinel/fix-atomic-write-symlink-vuln-6231110558570238571
Closed

🛡️ Sentinel: [HIGH] Fix predictable temporary file name vulnerabilities in atomic saves#70
himattm wants to merge 1 commit intomainfrom
sentinel/fix-atomic-write-symlink-vuln-6231110558570238571

Conversation

@himattm
Copy link
Copy Markdown
Owner

@himattm himattm commented Apr 27, 2026

🚨 Severity: HIGH
💡 Vulnerability: Predictable temporary file names were being used (path + ".tmp") during atomic file saves in internal/burnrate/burnrate.go and internal/sparkline/sparkline.go. This makes the application susceptible to symlink attacks, enabling malicious actors to perform unintended file overwrites if the application works with caching paths under globally writable directories (like /tmp).
🎯 Impact: A local attacker could exploit the predictability of .tmp to establish symlinks pointing to sensitive files on the system, which the application would then overwrite while completing its write operations.
🔧 Fix: Replaced the custom appending logic with Go's os.CreateTemp targeting the directory of the original file path. This ensures randomly generated, collision-free temporary filenames, mitigating symlink vulnerabilities while preserving atomic rename semantics. Proper file permissions (0644) were set matching the original requirements.
Verification:

  1. Build application: go build ./...
  2. Run tests to ensure no functionality breakage: go test ./...
  3. Check internal/burnrate/burnrate.go and internal/sparkline/sparkline.go changes for safety validations.

PR created automatically by Jules for task 6231110558570238571 started by @himattm

@google-labs-jules @himattm
🛡️ Sentinel: [HIGH] Fix predictable temporary file name vulnerabiliti…
0227a75 
…es in atomic saves

Co-authored-by: himattm <6266621+himattm@users.noreply.github.com>
@google-labs-jules
Copy link
Copy Markdown
Contributor

google-labs-jules Bot commented Apr 27, 2026

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

For security, I will only act on instructions from the user who triggered this task.

gemini-code-assist[bot]
gemini-code-assist Bot reviewed Apr 27, 2026
View reviewed changes
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request addresses a symlink vulnerability by replacing predictable temporary file names with random ones using os.CreateTemp during atomic save operations in internal/burnrate and internal/sparkline. The feedback recommends enhancing these operations by adding f.Sync() for data durability and delaying the f.Chmod call until after writing to ensure the file remains private (0600) during the write process.

Comment thread internal/burnrate/burnrate.go
Comment on lines +73 to 83
if err := f.Chmod(0644); err != nil {
f.Close()
os.Remove(tmpPath)
return nil, false, err
}

if _, err := f.Write(data); err != nil {
f.Close()
os.Remove(tmpPath)
return nil, false, err
}
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

To ensure the 'atomic save' is also durable, it is recommended to call f.Sync() before closing the file. This ensures that the data is physically written to disk before the rename operation occurs. Additionally, moving f.Chmod after the write operation keeps the file private (0600) while data is being written, which is a better security practice for temporary files in shared directories like /tmp.

Suggested change
if err := f.Chmod(0644); err != nil {
f.Close()
os.Remove(tmpPath)
return nil, false, err
}
if _, err := f.Write(data); err != nil {
f.Close()
os.Remove(tmpPath)
return nil, false, err
}
if _, err := f.Write(data); err != nil {
f.Close()
os.Remove(tmpPath)
return nil, false, err
}
if err := f.Sync(); err != nil {
f.Close()
os.Remove(tmpPath)
return nil, false, err
}
if err := f.Chmod(0644); err != nil {
f.Close()
os.Remove(tmpPath)
return nil, false, err
}

Comment thread internal/sparkline/sparkline.go
Comment on lines +148 to +158
if err := f.Chmod(0644); err != nil {
f.Close()
os.Remove(tmp)
return
}

if _, err := f.Write(data); err != nil {
f.Close()
os.Remove(tmp)
return
}
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot Apr 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

To ensure the 'atomic save' is also durable, it is recommended to call f.Sync() before closing the file. This ensures that the data is physically written to disk before the rename operation occurs. Additionally, moving f.Chmod after the write operation keeps the file private (0600) while data is being written, which is a better security practice for temporary files in shared directories like /tmp.

Suggested change
if err := f.Chmod(0644); err != nil {
f.Close()
os.Remove(tmp)
return
}
if _, err := f.Write(data); err != nil {
f.Close()
os.Remove(tmp)
return
}
if _, err := f.Write(data); err != nil {
f.Close()
os.Remove(tmp)
return
}
if err := f.Sync(); err != nil {
f.Close()
os.Remove(tmp)
return
}
if err := f.Chmod(0644); err != nil {
f.Close()
os.Remove(tmp)
return
}

@himattm
Copy link
Copy Markdown
Owner Author

himattm commented May 7, 2026

Closing as superseded by direct commit 42f3149 on main, which consolidated the burnrate/sparkline predictable-temp-file fixes and also preserved PR #82's updater temp-file hardening without the generated .jules note.

@himattm himattm closed this May 7, 2026
@himattm himattm deleted the sentinel/fix-atomic-write-symlink-vuln-6231110558570238571 branch May 7, 2026 15:35
@google-labs-jules
Copy link
Copy Markdown
Contributor

google-labs-jules Bot commented May 7, 2026

Closing as superseded by direct commit 42f3149 on main, which consolidated the burnrate/sparkline predictable-temp-file fixes and also preserved PR #82's updater temp-file hardening without the generated .jules note.

Understood. Acknowledging that this work is now obsolete and stopping work on this task.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@himattm