Skip to content

🛡️ Sentinel: [MEDIUM] Secure backup file permissions and fix argument injection #33

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
kidchenko wants to merge 1 commit into
base: main
Choose a base branch
from
Open

🛡️ Sentinel: [MEDIUM] Secure backup file permissions and fix argument injection #33

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions .jules/sentinel.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
## 2026-02-17 - Insecure Temporary Files & Shell Argument Injection

Check failure on line 1 in .jules/sentinel.md

View workflow job for this annotation

GitHub Actions / Lint Documentation

First line in a file should be a top-level heading 

.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2026-02-17 - Insecure Tempo..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md

Check failure on line 1 in .jules/sentinel.md

View workflow job for this annotation

GitHub Actions / Lint Documentation

Headings should be surrounded by blank lines 

.jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2026-02-17 - Insecure Temporary Files & Shell Argument Injection"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md
**Vulnerability:**
1. Backup script created directories and files in default umask (likely 755/644), exposing sensitive source code backups to other users.

Check failure on line 3 in .jules/sentinel.md

View workflow job for this annotation

GitHub Actions / Lint Documentation

Lists should be surrounded by blank lines 

.jules/sentinel.md:3 MD032/blanks-around-lists Lists should be surrounded by blank lines [Context: "1. Backup script created direc..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md032.md

Check failure on line 3 in .jules/sentinel.md

View workflow job for this annotation

GitHub Actions / Lint Documentation

Line length 

.jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 136] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md
2. Shell script passed exclude patterns as a space-separated string to `zip`, causing incorrect argument parsing if patterns contained spaces (argument injection/logic error).

Check failure on line 4 in .jules/sentinel.md

View workflow job for this annotation

GitHub Actions / Lint Documentation

Line length 

.jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 175] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md
Comment on lines +1 to +4
Copy link

@coderabbitai coderabbitai bot Feb 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Fix markdown lint failures flagged by the pipeline.

The Lint Documentation check reports several failures on this file:

  1. Line 1: MD041 — First line should be a top-level heading (#, not ##).
  2. Line 1: MD022 — Heading needs a blank line below it.
  3. Line 3: MD032 — Lists should be surrounded by blank lines (add a blank line before the numbered list).
  4. Lines 3–4: MD013 — Lines exceed the 80-character limit.
Proposed fix 
-## 2026-02-17 - Insecure Temporary Files & Shell Argument Injection
-**Vulnerability:**
-1. Backup script created directories and files in default umask (likely 755/644), exposing sensitive source code backups to other users.
-2. Shell script passed exclude patterns as a space-separated string to `zip`, causing incorrect argument parsing if patterns contained spaces (argument injection/logic error).
+# 2026-02-17 - Insecure Temporary Files & Shell Argument Injection
+
+**Vulnerability:**
+
+1. Backup script created directories and files in default umask
+   (likely 755/644), exposing sensitive source code backups to
+   other users.
+2. Shell script passed exclude patterns as a space-separated string
+   to `zip`, causing incorrect argument parsing if patterns contained
+   spaces (argument injection/logic error).
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
## 2026-02-17 - Insecure Temporary Files & Shell Argument Injection
**Vulnerability:**
1. Backup script created directories and files in default umask (likely 755/644), exposing sensitive source code backups to other users.
2. Shell script passed exclude patterns as a space-separated string to `zip`, causing incorrect argument parsing if patterns contained spaces (argument injection/logic error).
# 2026-02-17 - Insecure Temporary Files & Shell Argument Injection
**Vulnerability:**
1. Backup script created directories and files in default umask
(likely 755/644), exposing sensitive source code backups to
other users.
2. Shell script passed exclude patterns as a space-separated string
to `zip`, causing incorrect argument parsing if patterns contained
spaces (argument injection/logic error).
🧰 Tools
🪛 GitHub Check: Lint Documentation

[failure] 4-4: Line length
.jules/sentinel.md:4:81 MD013/line-length Line length [Expected: 80; Actual: 175] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

[failure] 3-3: Lists should be surrounded by blank lines
.jules/sentinel.md:3 MD032/blanks-around-lists Lists should be surrounded by blank lines [Context: "1. Backup script created direc..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md032.md

[failure] 3-3: Line length
.jules/sentinel.md:3:81 MD013/line-length Line length [Expected: 80; Actual: 136] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md013.md

[failure] 1-1: First line in a file should be a top-level heading
.jules/sentinel.md:1 MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "## 2026-02-17 - Insecure Tempo..."] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md041.md

[failure] 1-1: Headings should be surrounded by blank lines
.jules/sentinel.md:1 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "## 2026-02-17 - Insecure Temporary Files & Shell Argument Injection"] https://github.com/DavidAnson/markdownlint/blob/v0.34.0/doc/md022.md

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In @.jules/sentinel.md around lines 1 - 4, Change the heading "2026-02-17 -
Insecure Temporary Files & Shell Argument Injection" from level 2 to a top-level
heading (use `#`), add a blank line immediately after that heading, insert a
blank line before the numbered list so the list is separated from surrounding
text, and wrap or break the long sentences on the list items (lines referencing
the backup script and zip exclude patterns) so no line exceeds 80 characters to
satisfy MD041, MD022, MD032 and MD013; ensure the final markdown preserves the
same wording but with line breaks and blank lines added.


**Learning:**
- Always explicitly set directory permissions (`chmod 700`) for sensitive data directories.
- Use `umask 077` in a subshell when creating sensitive files to ensure they are private by default (0600).
- In Bash, always use arrays (`"${arr[@]}"`) for passing lists of arguments to commands to handle spaces correctly. String concatenation is dangerous.

**Prevention:**
- Use `install -d -m 700` or `mkdir` + `chmod 700` for private directories.
- Review all shell scripts for unquoted variable expansions in command arguments.
- Prefer array handling over string manipulation for command arguments.
41 changes: 22 additions & 19 deletions tools/backup-projects.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -232,15 +232,6 @@ parse_args() {
done
}

# --- Build Exclude Arguments for Zip ---
build_exclude_args() {
local args=()
for pattern in "${EXCLUDE_PATTERNS[@]}"; do
args+=("-x" "*/${pattern}/*" "-x" "*/${pattern}")
done
echo "${args[@]}"
}

# --- Git Sync ---
sync_git_repos() {
say "Syncing git repositories..."
Expand Down Expand Up @@ -350,11 +341,19 @@ cmd_backup() {

# Setup directories
if [[ "$DRY_RUN" != true ]]; then
mkdir -p "$BACKUP_TEMP_DIR"
mkdir -p "$LOG_DIR"
# Ensure directories exist with secure permissions (0700)
if [[ ! -d "$BACKUP_TEMP_DIR" ]]; then
mkdir -p "$BACKUP_TEMP_DIR"
chmod 700 "$BACKUP_TEMP_DIR"
fi

if [[ ! -d "$LOG_DIR" ]]; then
mkdir -p "$LOG_DIR"
chmod 700 "$LOG_DIR"
fi
Comment on lines +344 to +353
Copy link

@coderabbitai coderabbitai bot Feb 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Directory permissions are not enforced when the directory already exists, and mkdir -p creates parent dirs with default umask.

Two concerns:

  1. The chmod 700 is only applied when the directory is freshly created. If it already exists with lax permissions (e.g., from a previous run with the old code, or external tampering), the script silently proceeds with insecure permissions.
  2. mkdir -p creates intermediate parent directories using the current umask (not 700). There's also a small TOCTOU window between mkdir and chmod.

Consider always enforcing permissions (unconditionally), and using install -d -m 700 as recommended in your own sentinel.md, or setting umask 077 before mkdir -p:

Proposed fix 
-        # Ensure directories exist with secure permissions (0700)
-        if [[ ! -d "$BACKUP_TEMP_DIR" ]]; then
-            mkdir -p "$BACKUP_TEMP_DIR"
-            chmod 700 "$BACKUP_TEMP_DIR"
-        fi
-
-        if [[ ! -d "$LOG_DIR" ]]; then
-            mkdir -p "$LOG_DIR"
-            chmod 700 "$LOG_DIR"
-        fi
+        # Ensure directories exist with secure permissions (0700)
+        (
+            umask 077
+            mkdir -p "$BACKUP_TEMP_DIR" "$LOG_DIR"
+        )
+        chmod 700 "$BACKUP_TEMP_DIR" "$LOG_DIR"

The final chmod 700 unconditionally enforces correct permissions even if the directories pre-existed. The umask 077 in the subshell ensures any intermediate directories created by -p are also restrictive.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# Ensure directories exist with secure permissions (0700)
if [[ ! -d "$BACKUP_TEMP_DIR" ]]; then
mkdir -p "$BACKUP_TEMP_DIR"
chmod 700 "$BACKUP_TEMP_DIR"
fi
if [[ ! -d "$LOG_DIR" ]]; then
mkdir -p "$LOG_DIR"
chmod 700 "$LOG_DIR"
fi
# Ensure directories exist with secure permissions (0700)
(
umask 077
mkdir -p "$BACKUP_TEMP_DIR" "$LOG_DIR"
)
chmod 700 "$BACKUP_TEMP_DIR" "$LOG_DIR"
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@tools/backup-projects.sh` around lines 344 - 353, Ensure secure directory
permissions for BACKUP_TEMP_DIR and LOG_DIR regardless of prior existence:
replace the current conditional mkdir+chmod logic by (a) creating dirs with
secure mode atomically using install -d -m 700 (or run mkdir -p inside a
subshell after setting umask 077) to avoid parent dirs inheriting umask, and (b)
unconditionally run chmod 700 on BACKUP_TEMP_DIR and LOG_DIR after creation to
eliminate any TOCTOU/inherited-permission gaps; update the blocks that reference
BACKUP_TEMP_DIR and LOG_DIR to implement this change.

else
debug "Would create: $BACKUP_TEMP_DIR"
debug "Would create: $LOG_DIR"
debug "Would create: $BACKUP_TEMP_DIR (0700)"
debug "Would create: $LOG_DIR (0700)"
fi

# Sync git repositories first
Expand Down Expand Up @@ -406,17 +405,21 @@ cmd_backup() {
done
fi
else
local exclude_args
exclude_args=$(build_exclude_args)
# Build exclude arguments for zip
local exclude_args=()
for pattern in "${EXCLUDE_PATTERNS[@]}"; do
exclude_args+=("-x" "*/${pattern}/*" "-x" "*/${pattern}")
done

(
cd "$HOME" || exit 1
# Set umask to 077 so created files are 0600 (owner read/write only)
umask 077

if [[ "$VERBOSE" == true ]]; then
# shellcheck disable=SC2086
zip -r "$archive_path" "${relative_paths[@]}" $exclude_args
zip -r "$archive_path" "${relative_paths[@]}" "${exclude_args[@]}"
else
# shellcheck disable=SC2086
zip -r -q "$archive_path" "${relative_paths[@]}" $exclude_args
zip -r -q "$archive_path" "${relative_paths[@]}" "${exclude_args[@]}"
fi
)

Expand Down
Loading