1. 5
    A security issue in the curlpipesh method. devops news.ycombinator.com
    rain1 avatar via rain1 2 years ago | cached | 4 comments

  1.  

  2. 5
    rpglover64 avatar rpglover64 2 years ago | link

    It’s something that can bite you, but its not that hard to protect against. For example (taken from sandstorm.io’s script):

    # We wrap the entire script in a big function which we only call at the very end, in order to
# protect against the possibility of the connection dying mid-script. This protects us against
# the problem described in this blog post:
#   http://blog.existentialize.com/dont-pipe-to-your-shell.html
_() {

set -euo pipefail
    1. 2
      roryokane avatar roryokane edited 2 years ago | link

      You can avoid this problem, and some other safety problems, by piping to bash with this short template:

      echo "$(curl -LfsS https://example.com/script.sh)" | bash

      Explanation: echo "$(…)" makes sure the whole file is downloaded before it is passed to the shell. In the curl flags, -L follows redirects. And -fsS suppresses error output on STDOUT (which would be executed by bash) and shows it on STDERR instead.

      1. 1
        twolfson avatar twolfson 2 years ago | link

        Doesn’t it need a terminator (e.g. EOL, semicolon) before executing the command? Or does curl auto-insert an EOF when the connection is dropped?

        1. 3
          Screwtape avatar Screwtape 2 years ago | link

          It executes when it gets to the end of the stream:

          $ printf 'echo hello' | hexdump -C
00000000  65 63 68 6f 20 68 65 6c  6c 6f                    |echo hello|
$ printf 'echo hello' | sh
hello

          As you can see, printf 'echo hello' doesn’t end with a line-break or semi-colon, but sh executes the result just fine.