## GitHub Security Alert: HIGH-Severity TOCTOU Race Condition in e2e.sh Script Exposes Arbitrary File Deletion Risk
A high-severity security vulnerability has been flagged in a critical shell script, exposing a classic but dangerous race condition that could lead to arbitrary file deletion. The flaw, a Time-of-Check/Time-of-Use (TOCTOU) bug, resides in the `/root/spawn/sh/e2e/e2e.sh` script, specifically within its LOG_DIR cleanup logic. The script's validation process is fundamentally broken: it resolves a path to a canonical location, checks the ownership of that resolved path, but then uses the same resolved variable for a destructive `rm -rf` operation. This sequence creates a narrow but exploitable window where an attacker could swap the target of a symbolic link after the ownership check but before the deletion command executes, completely bypassing the intended security validation.

The vulnerable code block spans lines 705-715. The script first calls `realpath` to resolve the `LOG_DIR` variable. It then performs an ownership test using `[ ! -O "${resolved_log_dir}" ]`. If this check passes, the script assumes the path is safe and proceeds to a case statement that matches the path against a safe pattern (`"${SAFE_TMP_ROOT}/spawn-e2e.*"`). The subsequent `rm -rf "${resolved_log_dir}"` command on line 716 is the point of failure. Because both the checks and the deletion are tied to the path string stored in `$resolved_log_dir`, and that path is never re-evaluated, any change to the underlying filesystem after the `realpath` call goes unnoticed, rendering the earlier validation useless.

The impact is direct: an attacker with the ability to manipulate symbolic links in the targeted directory could trick the script into deleting files and directories outside the intended, safe temporary area. This could lead to data loss, service disruption, or facilitate further system compromise. The security scanner's recommendation is to refactor the logic, potentially by performing the ownership check on the original, unresolved path before resolving it, or by avoiding symlink resolution altogether with more robust directory validation techniques to close the race condition window entirely.
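
One way to apply the "more robust directory validation" recommendation, as an added example that is not the code from `e2e.sh` or its project: enter the directory once, run the ownership and name checks against `.`, and delete relative to it, so the check and the use refer to the same directory. The function name `cleanup_log_dir` and its arguments are assumptions; only `SAFE_TMP_ROOT` and the `spawn-e2e.*` naming come from the article.

```bash
#!/usr/bin/env bash
# Added example, not the project's code. cleanup_log_dir and its arguments are
# assumed names; SAFE_TMP_ROOT and the spawn-e2e.* naming come from the article.
# safe_root must be given in canonical form: it is compared against `pwd -P`.

cleanup_log_dir() {
  local log_dir="${1%/}" safe_root="$2" here
  # Cheap early refusal (defense in depth): never resolve or follow a symlink.
  [ -n "${log_dir}" ] && [ ! -L "${log_dir}" ] || return 1
  (
    # Enter the directory once. From here on "." names one fixed inode, no
    # matter what later happens to the path we arrived by.
    cd -P -- "${log_dir}" 2>/dev/null || exit 1
    here=$(pwd -P) || exit 1
    # Time of check: every test runs against the directory we stand in.
    [ -O . ] || exit 1
    [ "${here%/*}" = "${safe_root}" ] || exit 1      # direct child only
    case "${here##*/}" in
      spawn-e2e.?*) ;;
      *) exit 1 ;;
    esac
    # Time of use: delete relative to ".". find does not follow symlinks by
    # default, so links inside the tree are unlinked, not traversed.
    find . -mindepth 1 -delete || exit 1
    # Step to the physical parent and drop the now-empty directory by name.
    # rmdir refuses symlinks and non-empty directories.
    cd -P .. || exit 1
    rmdir -- "./${here##*/}"
  )
}
```

Called as `cleanup_log_dir "${LOG_DIR}" "${SAFE_TMP_ROOT}"`, it returns non-zero and deletes nothing when any check fails.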

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, vulnerability, shell_script, TOCTOU, race_condition
- **Credibility**: unverified
- **Published**: 2026-04-08 05:27:00
- **ID**: 54365
- **URL**: https://whisperx.ai/en/intel/54365