From 5fdbbe61dd034be76d4b22cf3bd68b560672a7fd Mon Sep 17 00:00:00 2001
From: B <6723574+louisgv@users.noreply.github.com>
Date: Thu, 26 Mar 2026 04:13:14 +0000
Subject: [PATCH] fix(security): add defensive validation to tmpdir cleanup in install.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds a non-empty check after mktemp and guards the EXIT trap so rm -rf only fires when tmpdir is non-empty and still a directory. This is a defense-in-depth hardening — the current code is safe due to set -e, but explicit validation is best practice for rm -rf operations.
Fixes #2998
Agent: code-health
Co-Authored-By: Claude Sonnet 4.6
---
 sh/cli/install.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sh/cli/install.sh b/sh/cli/install.sh
index dc1488c1..323a6ce0 100755
--- a/sh/cli/install.sh
+++ b/sh/cli/install.sh
@@ -269,7 +269,8 @@ ensure_in_path() {
 # --- Helper: build and install the CLI using bun ---
 build_and_install() {
 tmpdir=$(mktemp -d)
- trap 'rm -rf "${tmpdir}"' EXIT
+ [ -n "$tmpdir" ] || { log_error "mktemp failed to produce a directory path"; exit 1; }
+ trap '[ -n "${tmpdir}" ] && [ -d "${tmpdir}" ] && rm -rf "${tmpdir}"' EXIT
 log_step "Downloading pre-built CLI binary..."
 curl -fsSL --proto '=https' "https://github.com/${SPAWN_REPO}/releases/download/cli-latest/cli.js" -o "${tmpdir}/cli.js"
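Review bot: The new guard after `mktemp -d` only tests that `tmpdir` is non-empty, so a non-empty value that is not a directory passes here and is caught only by the `-d` test in the trap; `[ -d "$tmpdir" ] || { log_error "mktemp failed to produce a directory path"; exit 1; }` would make the two checks agree. The trap string is single-quoted, so `${tmpdir}` is expanded at exit time, and no `local` is visible in the hunk, so the variable appears to be global. Whatever value it holds when the script exits is what `rm -rf` receives, so a `readonly tmpdir` after the check (if nothing else reassigns it) would pin the path to the one mktemp returned. Writing `rm -rf -- "${tmpdir}"` also stops a value that starts with `-` from being parsed as options. `build_and_install` continues past the end of the hunk, so later uses of `tmpdir` are not visible here.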