Comment by lyu07282

2 years ago

> Using curl is surprisingly secure

one thing to remember is that you can make a server respond one thing when a user does "curl <url>" and another thing when the user does "curl <url> | sh":

https://lukespademan.com/blog/the-dangers-of-curlbash/

another thing to know is that github.com/<org>/<proj>/[...somethings...] isn't necessarily controlled by <org>:

https://vulcan.io/blog/github-comment-malware-what-you-need-...

Also, if entropy decides you are unworthy and the download dies after reading "rm -Rf /" instead of the full line "rm -Rf /tmp/setup" then you're going to have a bad time on any Linux that doesn't have preserve-root by default. Of course such deleterious incomplete command execution could take many forms.

  • This is trivially prevented by wrapping the body in a function that is executed only on the last line of the script. I don't think I've seen a "curl | sh" script in the wild that wasn't written that way.

Yes but you could do something equivalent with a binary you download or some remote repository like a brew keg too. At the end of the day you need to decide whether you trust who you’re downloading from or not and ‘curl … | sh’ isn’t practically worse in any way I can think of.