From ef4bf014f2078621a1724e66742b43e5aaa68c71 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]"
 <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Mon, 9 Feb 2026 04:52:12 +0000
Subject: [PATCH] fix(security): prevent TOCTOU race condition in SSH key setup

Wrap sensitive file and directory creation in `tools/setup-ssh-keys.sh`
with `umask 077` in a subshell. This ensures that SSH keys and
directories are created with secure permissions (600/700) immediately,
eliminating the window of vulnerability where they might be world-readable
before `chmod` is called.

Also adds Sentinel's journal entry in `.jules/sentinel.md`.

Co-authored-by: kidchenko <5432753+kidchenko@users.noreply.github.com>
---
 .jules/sentinel.md      | 6 ++++++
 tools/setup-ssh-keys.sh | 9 +++++++--
 2 files changed, 13 insertions(+), 2 deletions(-)
 create mode 100644 .jules/sentinel.md

diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..693e9eb
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,6 @@
+# Sentinel's Journal
+
+## 2024-05-22 - TOCTOU Race Condition in File Creation
+**Vulnerability:** Found a Time-of-Check to Time-of-Use (TOCTOU) vulnerability in `tools/setup-ssh-keys.sh` where sensitive SSH keys were created with default permissions (potentially world-readable) before being restricted with `chmod`.
+**Learning:** Even with a subsequent `chmod`, there is a small window where a file is accessible to other users on the system if created with default `umask`.
+**Prevention:** Always use `umask 077` in a subshell when creating sensitive files or directories to ensure they are private from the moment of creation.
diff --git a/tools/setup-ssh-keys.sh b/tools/setup-ssh-keys.sh
index bde52fd..f684e6d 100755
--- a/tools/setup-ssh-keys.sh
+++ b/tools/setup-ssh-keys.sh
@@ -149,11 +149,16 @@ cmd_restore() {
     say "Restoring SSH key from 1Password..."
 
     # Create SSH directory
-    mkdir -p "$SSH_DIR"
+    if [[ ! -d "$SSH_DIR" ]]; then
+        (umask 077 && mkdir -p "$SSH_DIR")
+    fi
     chmod 700 "$SSH_DIR"
 
     # Read private key from 1Password and save locally
-    op read "op://$VAULT/$KEY_NAME/private_key" > "$PRIVATE_KEY_FILE"
+    (
+        umask 077
+        op read "op://$VAULT/$KEY_NAME/private_key" > "$PRIVATE_KEY_FILE"
+    )
     chmod 600 "$PRIVATE_KEY_FILE"
 
     # Read public key from 1Password and save locally