
Commit 0220a5c

fix-it-felix-sentry[bot], claude, romtsn authored
fix(security): Add integrity verification before chmod +x in btrace-perfetto skill (#5297)
* fix(security): Add integrity verification before chmod +x in btrace-perfetto skill

Add validation to verify the downloaded trace_processor file is a valid executable before making it executable. This prevents potential execution of malicious or corrupted downloads.

Changes:
- Verify file exists and has non-zero size
- Check file type to confirm it's an executable
- Remove file and exit with error if validation fails
- Only chmod +x after successful verification

Fixes: https://linear.app/getsentry/issue/EME-1060
Parent ticket: https://linear.app/getsentry/issue/VULN-1513

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* fix(security): Verify magic bytes instead of file(1) for trace_processor

The previous check ran `file /tmp/trace_processor | grep -q executable` after downloading the Perfetto trace_processor wrapper. That is unreliable in both directions:

- get.perfetto.dev currently serves a Python wrapper script (#!/usr/bin/env python3). Depending on the file(1) version and magic database, shebang scripts may be reported as "Python script, ASCII text" without the word "executable", failing the check.
- If Perfetto ever switches to native PIE ELF binaries, older file(1) versions (< 5.36) report them as "shared object" without "executable", also failing.

In both cases the valid download was deleted and the workflow aborted.

Check magic bytes directly instead — shebang (#!), ELF, or Mach-O — which is stable across platforms and file(1) versions.

Also add `curl --fail` so HTTP errors do not leave a partial/HTML response on disk that would then be validated.

Refs LINEAR-EME-1060

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: fix-it-felix-sentry[bot] <260785270+fix-it-felix-sentry[bot]@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-authored-by: Roman Zavarnitsyn <rom4ek93@gmail.com>
1 parent 16a07c4 commit 0220a5c
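Added example, not code from this commit or from the Perfetto project: the magic-byte classification the commit message describes, factored into a shell function and run against constructed files (a shebang script, an ELF header, an HTML error page of the kind `curl` without `--fail` leaves behind, an empty file), plus a pinned-SHA-256 comparison that the commit does not perform. The function names, the constructed inputs and the pinned digest (computed locally in the demo rather than taken from any real Perfetto release) are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example, not code from the Sentry commit or from Perfetto.
# Factors the commit's magic-byte check into a function, exercises it against
# constructed files, and adds a pinned-SHA-256 comparison that the commit itself
# does not perform. The expected digest is computed from a local file here; a real
# deployment would hardcode the digest of a known-good release (assumption).
set -u

# sha256_of FILE: portable digest helper (GNU coreutils or BSD/macOS shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# classify_magic FILE: print the file's kind from its first four bytes.
# Kinds: shebang, elf, macho, macho-universal, empty, unknown.
classify_magic() {
  magic=$(head -c 4 "$1" 2>/dev/null | od -An -v -t x1 | tr -d ' \n')
  case "$magic" in
    "")                                  echo empty ;;            # missing or zero-length file
    2321*)                               echo shebang ;;          # "#!" script
    7f454c46)                            echo elf ;;              # \x7fELF
    cffaedfe|cefaedfe|feedfacf|feedface) echo macho ;;            # Mach-O thin, either endianness
    cafebabe)                            echo macho-universal ;;  # Mach-O fat header
    *)                                   echo unknown ;;          # HTML error page, PE, garbage
  esac
}

# verify_download FILE EXPECTED_SHA256
# Succeeds only when the file is a script/executable by magic AND matches the
# pinned digest. The magic check alone rejects truncated or HTML responses; only
# the digest rejects a well-formed but substituted file.
verify_download() {
  f=$1; expected=$2
  kind=$(classify_magic "$f")
  case "$kind" in
    shebang|elf|macho|macho-universal) ;;
    *) echo "reject $f: not a script or executable (kind=$kind)" >&2; return 1 ;;
  esac
  actual=$(sha256_of "$f")
  if [ "$actual" != "$expected" ]; then
    echo "reject $f: sha256 $actual does not match pinned $expected" >&2
    return 1
  fi
  echo "ok $f: $kind, digest matches"
  return 0
}

# Demo on constructed inputs (these are not real Perfetto artifacts).
demo() {
  d=$(mktemp -d)
  printf '#!/usr/bin/env python3\nprint("wrapper")\n' > "$d/script"
  printf '\177ELF\002\001\001\000' > "$d/elf"
  printf '<!DOCTYPE html><title>404</title>' > "$d/html"   # what curl without --fail leaves behind
  : > "$d/empty"
  for f in script elf html empty; do
    printf '%s -> %s\n' "$f" "$(classify_magic "$d/$f")"
  done
  verify_download "$d/script" "$(sha256_of "$d/script")"                                   # passes
  verify_download "$d/script" "0000000000000000000000000000000000000000000000000000000000000000" || true  # right magic, wrong digest
  rm -rf "$d"
}

demo
```

The split between `classify_magic` and `verify_download` is the point: the magic check is a format sanity test that catches the failure modes the commit message names (HTML bodies, truncated responses), while origin and integrity come only from comparing against a digest or signature you obtained out of band.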

1 file changed

Lines changed: 20 additions & 1 deletion

File tree

.claude/skills/btrace-perfetto/SKILL.md

@@ -22,7 +22,26 @@ Before starting, verify:
2222
```
2323
3. **Perfetto trace_processor**: Check if `/tmp/trace_processor` exists. If not, download it:
2424
```bash
25-
curl -sL "https://get.perfetto.dev/trace_processor" -o /tmp/trace_processor && chmod +x /tmp/trace_processor
25+
# Download trace_processor (--fail ensures HTTP errors don't leave a file behind)
26+
curl -sSL --fail "https://get.perfetto.dev/trace_processor" -o /tmp/trace_processor
27+
28+
# Verify magic bytes directly — file(1) output is too inconsistent across
29+
# versions/platforms to rely on for scripts or PIE binaries.
30+
magic=$(head -c 4 /tmp/trace_processor 2>/dev/null | od -An -vtx1 -N4 | tr -d ' \n')
31+
case "$magic" in
32+
2321*) ;; # #! shebang (script)
33+
7f454c46) ;; # ELF (Linux)
34+
cffaedfe|cefaedfe|feedfacf|feedface) ;; # Mach-O (macOS)
35+
cafebabe) ;; # Mach-O universal
36+
*)
37+
echo "Error: Downloaded file is not a valid script or executable (magic: ${magic:-empty})"
38+
rm -f /tmp/trace_processor
39+
exit 1
40+
;;
41+
esac
42+
43+
# Make executable only after verification
44+
chmod +x /tmp/trace_processor
2645
```
2746
4. **Device ABI**: Run `adb shell getprop ro.product.cpu.abi` — btrace only supports arm64-v8a and armeabi-v7a (no x86/x86_64)
2847
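Review bot: the magic-byte `case` validates the file's format, not its integrity or origin, so the title "Add integrity verification" overstates what this hunk checks: anything that starts with `#!` (or an ELF/Mach-O header) passes and is then made executable, which is exactly what a substituted wrapper would look like. Pinning the digest of a known-good release (`echo "<sha256>  /tmp/trace_processor" | sha256sum -c -`) or verifying a signature would give real integrity; if get.perfetto.dev serves an unversioned wrapper and pinning is impractical, the comment and title should say the check only rejects truncated downloads and HTML error pages. Related: the download goes to the fixed, world-writable path `/tmp/trace_processor`, and the unchanged step 3 text skips the download when that path already exists, so a file pre-placed there by another local user is never validated before `chmod +x`; a per-user cache directory or `mktemp` would close that. Minor: `exit 1` in a snippet an agent may paste into an interactive shell terminates that shell; `return 1` inside a function is safer.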

0 commit comments
