🛡️ Sentinel: [CRITICAL] Fix symlink attack vulnerability in burnrate

[himattm]

🚨 Severity: CRITICAL
💡 Vulnerability: Predictable temporary filenames used before renaming in shared directories (like /tmp) expose the application to local symlink attacks. An attacker can pre-create the predictable .tmp file as a symlink, allowing local file overwrite.
🎯 Impact: An attacker could potentially overwrite critical system or user files with the burnrate json data.
🔧 Fix: Utilized os.CreateTemp to securely generate an unpredictable temporary file in the target directory (filepath.Dir(path)) instead of using path + ".tmp". Also ensured the permissions are explicitly set to match original behavior (0644).
✅ Verification: The modification was verified through code review and by successfully passing the test suite (go test ./...) which showed no regressions.

---

PR created automatically by Jules for task 5105896159643456558 started by @himattm

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[gemini-code-assist]

Code Review

This pull request addresses a security vulnerability by replacing predictable temporary file creation with os.CreateTemp in internal/burnrate/burnrate.go and adding documentation to the sentinel log. Feedback suggests improving the implementation's robustness by using defer for file closure to prevent resource leaks and incorporating tmpFile.Sync() to ensure data durability before the file is renamed.

[gemini-code-assist]

While the use of os.CreateTemp correctly addresses the symlink vulnerability, the implementation can be made more robust and durable by following standard Go idioms for file operations:

1. Resource Management: Using defer tmpFile.Close() ensures the file descriptor is always closed, preventing leaks in case of panics or future code changes that add early returns.
2. Data Durability: Adding tmpFile.Sync() before closing ensures that data is flushed to stable storage. This prevents data loss or corruption if the system crashes after the rename but before the OS flushes its buffers.
3. Simplification: Using defer allows removing redundant manual Close() calls in error paths, making the code cleaner and less error-prone.

	tmpFile, err := os.CreateTemp(filepath.Dir(path), "prism-burn-tmp-*")
	if err != nil {
		return nil, false, err
	}
	tmpPath := tmpFile.Name()

	defer os.Remove(tmpPath)
	defer tmpFile.Close()

	if _, err := tmpFile.Write(data); err != nil {
		return nil, false, err
	}
	if err := tmpFile.Sync(); err != nil {
		return nil, false, err
	}
	if err := tmpFile.Chmod(0644); err != nil {
		return nil, false, err
	}
	if err := tmpFile.Close(); err != nil {
		return nil, false, err
	}

[himattm]

Closing as superseded by direct commit 42f3149 on main, which consolidated the burnrate/sparkline predictable-temp-file fixes and also preserved PR #82's updater temp-file hardening without the generated .jules note.

[google-labs-jules]

Closing as superseded by direct commit 42f3149 on main, which consolidated the burnrate/sparkline predictable-temp-file fixes and also preserved PR #82's updater temp-file hardening without the generated .jules note.

Understood. Acknowledging that this work is now obsolete and stopping work on this task.