I knew this kind of thing was possible but it’s neat to see it so concretely.
Here’s an even sneakier attack that detects if you’re piping to bash and sends different content. You really need to copy to a file and then check the file for evilness…
Most of the time when we see a code snippet online to do something, we often blindly copy paste it to the terminal.
Um. No. “We” most certainly do not, and it’s hard to feel too bad for people who do…
Most people would. The average at lobsters might be better, but I’m sure the majority still do.
^[ v " + p
Shell zsh with config:
autoload -Uz edit-command-line
zle -N edit-command-line
bindkey '^[v' edit-command-line
That lets you open the current shell command-line in a text-editor. Very nice for bulk search/replace etc. Almost tempted to also bind it to a function key, but it’s finger memory right now. And then once you’re in a text-editor on a local machine with access to the clipboard, use the editor’s integration to yank text in for direct unformatted pasting. With vim, "+p because the + register accesses the clipboard (read-write access).
Once you learn how to do this quickly, it becomes second nature to bring in command invocations for review, bug-fixing and writing copies out to your logbooks of admin actions taken.
[edit: I went ahead and bound edit-command-line to F1 and .. I may get used to this very quickly]
In Safari, the larger code block briefly highlights before disappearing, providing a clue that something hinky is going on.
I was given this link on Hacker News in reply to a “GPG Cheat Sheet” site on a GPG discussion. The man page was horrifically complicated. I got a cheat sheet, checked the commands against man page, saw they worked, and then just handed it to new users. Regardless of whether I vetted it, it at least looked like it was the right commands without any weird options. So, they gave me this link to show I was foolish for running commands from a third party.
I asked them whether they vetted all the source in the applications they ran, the kernel, firmware, etc. Especially anything with privileges that could read or alter their filesystem. Same people were fine with that having all kinds of justifications that don’t stop subversion. Running terminal commands from seemingly-trustworthy sources online is a no-no, though. It was amusing.
Can the destination app/terminal check which application is the source? Hypothetically you could restrict copy sources to the terminal itself and simple text editors, and show a message: please check this in an editor first. Alternatively the terminal itself could show a text field whenever it detects paste and the user has to copy paste again; the real copy paste would only happen when source pid == self pid.
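The review step recommended in this thread (put the copied text in a file or editor and check it before it reaches the shell), as an added example that is not part of any comment above: a Python check that flags what makes pasted text behave differently from what was displayed. The heuristics, the function names and the sample strings are assumptions constructed for illustration, not a complete list.

```python
import re
import unicodedata

# Heuristic chosen for this example: output piped straight into a shell.
PIPE_TO_SHELL = re.compile(r"\|\s*(sudo\s+)?(ba|z|da|k)?sh\b")


def inspect_paste(text):
    """Return (line_no, column, finding) tuples for text about to be pasted."""
    findings = []
    lines = text.split("\n")
    if len(lines) > 1:
        # A newline makes the shell run what precedes it as soon as it is pasted.
        findings.append((1, len(lines[0]) + 1, "embedded newline: runs on paste"))
    for line_no, line in enumerate(lines, start=1):
        for col, ch in enumerate(line, start=1):
            cat = unicodedata.category(ch)
            if cat == "Cc" and ch != "\t":
                findings.append((line_no, col, f"control character U+{ord(ch):04X}"))
            elif cat == "Cf":
                findings.append(
                    (line_no, col, f"invisible format character U+{ord(ch):04X}"))
        match = PIPE_TO_SHELL.search(line)
        if match:
            findings.append((line_no, match.start() + 1, "output piped into a shell"))
    return findings


def render_visible(text):
    """Return the text with every non-printing character made explicit."""
    out = []
    for ch in text:
        if ch == "\n":
            out.append("\\n\n")
        elif unicodedata.category(ch) in ("Cc", "Cf"):
            out.append(f"<U+{ord(ch):04X}>")
        else:
            out.append(ch)
    return "".join(out)


# Constructed samples: what the page displayed versus what reached the clipboard.
SHOWN = "ls -lah"
COPIED = "echo constructed-hidden-command\nls -lah\u200b"

if __name__ == "__main__":
    print(render_visible(COPIED))
    for finding in inspect_paste(COPIED):
        print(finding)
```

An empty result only means none of these heuristics fired; the text still has to be read before it is run.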