🛡️ Sentinel: [MEDIUM] Secure backup file permissions and fix argument injection

[kidchenko]

🛡️ Sentinel: [MEDIUM] Secure backup file permissions and fix argument injection

Severity: MEDIUM

Vulnerability:

1. Insecure Permissions: The backup-projects.sh script created backup directories and zip files with default umask permissions (likely 755/644). This allowed other users on the system to read sensitive source code backups.
2. Argument Injection: The script constructed zip exclude arguments as a space-separated string, which would break if exclude patterns contained spaces (e.g., "test data").

Fix:

1. Strict Permissions: Enforced 0700 permissions on the backup directory and 0700 on the log directory.
2. Secure File Creation: Used umask 077 in a subshell when running zip to ensure the created archive file has 0600 permissions (read/write only by owner).
3. Robust Argument Handling: Refactored the script to use a Bash array ("${exclude_args[@]}") for passing exclude patterns to zip, preventing argument splitting issues.

Verification:

• Ran tools/backup-projects.sh --dry-run to verify logic.
• Ran ./build.sh syntax and ./build.sh lint to verify script validity.
• Created a test script that verified:
  • Backup directory is created with 700 permissions.
  • Backup zip file is created with 600 permissions.

---

PR created automatically by Jules for task 3026935310687047837 started by @kidchenko

Summary by CodeRabbit

• Bug Fixes

  • Strengthened backup security with explicit directory and file permissions (0700).
  • Enhanced shell argument handling to prevent word-splitting and injection issues.
  • Improved backup directory creation with secure permissions in both standard and dry-run modes.

• Documentation

  • Added security advisory documenting temporary file vulnerabilities and preventative best practices.

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request introduces security hardening to a backup script and documents the vulnerabilities being addressed. Changes include removing a shell function, inlining exclude patterns, setting explicit directory permissions to 0700, applying umask 077 before archive creation, and using quoted array expansion to prevent argument injection.

Changes

Cohort / File(s)	Summary
Security Advisory .jules/sentinel.md	New documentation detailing two security vulnerabilities: insecure temporary files via default umask, and shell argument injection from unquoted pattern expansions. Includes learning points and prevention strategies.
Backup Script Hardening tools/backup-projects.sh	Removed dedicated function for building exclude arguments; moved logic inline with quoted array expansion. Added explicit 0700 permissions for backup/log directories. Applied umask 077 before archive creation to ensure 0600 file permissions. Enhanced dry-run messaging to reflect permission details.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A bunny hopped through scripts so tight,
With umask set and permissions right,
No more injection in the zip's command array,
The backup whispers "security" every day!
🔐✨

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main changes: securing backup file permissions (0700/0600) and fixing argument injection via array expansion, which are the core vulnerabilities addressed.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Merge Conflict Detection	✅ Passed	✅ No merge conflicts detected when merging into main

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch sentinel/secure-backup-permissions-3026935310687047837

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.jules/sentinel.md:
- Around line 1-4: Change the heading "2026-02-17 - Insecure Temporary Files &
Shell Argument Injection" from level 2 to a top-level heading (use `#`), add a
blank line immediately after that heading, insert a blank line before the
numbered list so the list is separated from surrounding text, and wrap or break
the long sentences on the list items (lines referencing the backup script and
zip exclude patterns) so no line exceeds 80 characters to satisfy MD041, MD022,
MD032 and MD013; ensure the final markdown preserves the same wording but with
line breaks and blank lines added.

In `@tools/backup-projects.sh`:
- Around line 344-353: Ensure secure directory permissions for BACKUP_TEMP_DIR
and LOG_DIR regardless of prior existence: replace the current conditional
mkdir+chmod logic by (a) creating dirs with secure mode atomically using install
-d -m 700 (or run mkdir -p inside a subshell after setting umask 077) to avoid
parent dirs inheriting umask, and (b) unconditionally run chmod 700 on
BACKUP_TEMP_DIR and LOG_DIR after creation to eliminate any
TOCTOU/inherited-permission gaps; update the blocks that reference
BACKUP_TEMP_DIR and LOG_DIR to implement this change.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Fix markdown lint failures flagged by the pipeline.

The Lint Documentation check reports several failures on this file:

1. Line 1: MD041 — First line should be a top-level heading (#, not ##).
2. Line 1: MD022 — Heading needs a blank line below it.
3. Line 3: MD032 — Lists should be surrounded by blank lines (add a blank line before the numbered list).
4. Lines 3–4: MD013 — Lines exceed the 80-character limit.

Proposed fix

-## 2026-02-17 - Insecure Temporary Files & Shell Argument Injection
-**Vulnerability:**
-1. Backup script created directories and files in default umask (likely 755/644), exposing sensitive source code backups to other users.
-2. Shell script passed exclude patterns as a space-separated string to `zip`, causing incorrect argument parsing if patterns contained spaces (argument injection/logic error).
+# 2026-02-17 - Insecure Temporary Files & Shell Argument Injection
+
+**Vulnerability:**
+
+1. Backup script created directories and files in default umask
+   (likely 755/644), exposing sensitive source code backups to
+   other users.
+2. Shell script passed exclude patterns as a space-separated string
+   to `zip`, causing incorrect argument parsing if patterns contained
+   spaces (argument injection/logic error).

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	## 2026-02-17 - Insecure Temporary Files & Shell Argument Injection
	**Vulnerability:**
	1. Backup script created directories and files in default umask (likely 755/644), exposing sensitive source code backups to other users.
	2. Shell script passed exclude patterns as a space-separated string to `zip`, causing incorrect argument parsing if patterns contained spaces (argument injection/logic error).
	# 2026-02-17 - Insecure Temporary Files & Shell Argument Injection
	**Vulnerability:**
	1. Backup script created directories and files in default umask
	(likely 755/644), exposing sensitive source code backups to
	other users.
	2. Shell script passed exclude patterns as a space-separated string
	to `zip`, causing incorrect argument parsing if patterns contained
	spaces (argument injection/logic error).

🧰 Tools

🪛 GitHub Check: Lint Documentation

[failure] 4-4: Line length
.jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 175] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

---

[failure] 3-3: Lists should be surrounded by blank lines
.jules/sentinel.md:3 MD032/blanks-around-lists Lists should be surrounded by blank lines [Context: "1. Backup script created direc..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md032.md

---

[failure] 3-3: Line length
.jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 136] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

---

[failure] 1-1: First line in a file should be a top-level heading
.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2026-02-17 - Insecure Tempo..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md

---

[failure] 1-1: Headings should be surrounded by blank lines
.jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2026-02-17 - Insecure Temporary Files & Shell Argument Injection"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.jules/sentinel.md around lines 1 - 4, Change the heading "2026-02-17 -
Insecure Temporary Files & Shell Argument Injection" from level 2 to a top-level
heading (use `#`), add a blank line immediately after that heading, insert a
blank line before the numbered list so the list is separated from surrounding
text, and wrap or break the long sentences on the list items (lines referencing
the backup script and zip exclude patterns) so no line exceeds 80 characters to
satisfy MD041, MD022, MD032 and MD013; ensure the final markdown preserves the
same wording but with line breaks and blank lines added.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Directory permissions are not enforced when the directory already exists, and mkdir -p creates parent dirs with default umask.

Two concerns:

1. The chmod 700 is only applied when the directory is freshly created. If it already exists with lax permissions (e.g., from a previous run with the old code, or external tampering), the script silently proceeds with insecure permissions.
2. mkdir -p creates intermediate parent directories using the current umask (not 700). There's also a small TOCTOU window between mkdir and chmod.

Consider always enforcing permissions (unconditionally), and using install -d -m 700 as recommended in your own sentinel.md, or setting umask 077 before mkdir -p:

Proposed fix

-        # Ensure directories exist with secure permissions (0700)
-        if [[ ! -d "$BACKUP_TEMP_DIR" ]]; then
-            mkdir -p "$BACKUP_TEMP_DIR"
-            chmod 700 "$BACKUP_TEMP_DIR"
-        fi
-
-        if [[ ! -d "$LOG_DIR" ]]; then
-            mkdir -p "$LOG_DIR"
-            chmod 700 "$LOG_DIR"
-        fi
+        # Ensure directories exist with secure permissions (0700)
+        (
+            umask 077
+            mkdir -p "$BACKUP_TEMP_DIR" "$LOG_DIR"
+        )
+        chmod 700 "$BACKUP_TEMP_DIR" "$LOG_DIR"

The final chmod 700 unconditionally enforces correct permissions even if the directories pre-existed. The umask 077 in the subshell ensures any intermediate directories created by -p are also restrictive.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	# Ensure directories exist with secure permissions (0700)
	if [[ ! -d "$BACKUP_TEMP_DIR" ]]; then
	mkdir -p "$BACKUP_TEMP_DIR"
	chmod 700 "$BACKUP_TEMP_DIR"
	fi
	if [[ ! -d "$LOG_DIR" ]]; then
	mkdir -p "$LOG_DIR"
	chmod 700 "$LOG_DIR"
	fi
	# Ensure directories exist with secure permissions (0700)
	(
	umask 077
	mkdir -p "$BACKUP_TEMP_DIR" "$LOG_DIR"
	)
	chmod 700 "$BACKUP_TEMP_DIR" "$LOG_DIR"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tools/backup-projects.sh` around lines 344 - 353, Ensure secure directory
permissions for BACKUP_TEMP_DIR and LOG_DIR regardless of prior existence:
replace the current conditional mkdir+chmod logic by (a) creating dirs with
secure mode atomically using install -d -m 700 (or run mkdir -p inside a
subshell after setting umask 077) to avoid parent dirs inheriting umask, and (b)
unconditionally run chmod 700 on BACKUP_TEMP_DIR and LOG_DIR after creation to
eliminate any TOCTOU/inherited-permission gaps; update the blocks that reference
BACKUP_TEMP_DIR and LOG_DIR to implement this change.