Everyone pastes into their terminal, but you do have to be pretty naive to ever paste something blindly into your terminal (full depth of understanding of each mechanics isn't a requirement but basic understanding of high-level obvious components of the line being pasted should absolutely be).
There is literally no way to secure against people being hacked if the scenario is a user blindly following instructions without looking at / thinking about them.
(reply to sibling comment from unixbane which is [dead] for some reason:)
> tell me the specific way you check your stuff before pasting so I can tell you how it's either broken or you're the 0.001% user and nobody else does that.
I'm no 0.001% user, I'm not a shell expert and I can't catch everything but in the context of this particular post:
- I know how string quoting in programming languages broadly works (no need to know if ' or " escapes or not - just know that if there's any quotes inside the string it deserves a closer look)
- I know that $ in bash (& some other languages) precedes something dynamic (maybe variable substitution, maybe inline code, no need to know about stuff in any detail, just enough to be suspicious)
- I know pipe chars in shells generally separate commands (no need to understand io redirection in any detail here)
- I know that URLs tend to follow boring conventions - if it's not domain/alphanum/alphanum?alphanum=etc then it's suspect and needs further attention (URLs can contain many weird chars but normal ones tend not to).
The above bullets are pretty basic imo - you don't need to be a bash wizard to grok that much. If you know these, you'd never run the one-liner shown in the OP.
Extra:
- if it's a one-liner crossing scroll boundaries, that's too long (excepting very long URLs maybe if they're super-simple)
As a counter-example, here's the type of stuff most people copypaste into shells all the time:
curl http://example.com/simple/path | bash
That's interesting here for two reasons:
1. as an inline threat, it's clearly harmless - the URL has no unusual special chars or $ and the command is very short - it can be read & grokked at a glance.
2. as a general threat, this is very dangerous because (a) it's unencryped/MITM-able and (b) you may or may not trust the hosted script being downloaded and eval-ed on your machine.
My overall point here is: there's plenty of valid & dangerous social engineering threats in your terminal; plainly obvious inline quoting problems ain't it.
Usually its https nowadays but other than that there's methods a hostile webserver can detect whether the content is piped or not (IIRC I/O speed). It can decide to inject different commands based on whether it is piped or not. So you need to end up writing to a file with redirect or tee. Or by using a hash of the script. We do that with binaries, why not with scripts? If its complex enough, a shell script should be considered source code.
Please tell me the specific way you check your stuff before pasting so I can tell you how it's either broken or you're the 0.001% user and nobody else does that. I've always just pasted into a text editor and recopied it from there (and even that may not be safe). On one hand, UN*X is not meant to have paste so you should just never use it. On the other hand, if you're using webshit you have to copy from it because there's no UN*X way to get at the data as the page has to be accessed in a proprietary way. On the other hand, I could just use a real OS that doesn't have deep reaching problems in the most basic things
and even worse: if you find a snippey of code online, once you read it carefully and you understand that it is safe to run - you might be lazy enough to copy it from the browser and paste it in the terminal. And it can be altered with JS before you copy it so you paste something different from what you have inspected. Of course you can use a buffer (say, a text editor) or even re-type that snippet yourself - but are you sure you'll never forget to do that?
> the copy-replace trick is harder to do if you use native copy (keyboard or mouse menu) & avoid "Copy" icons pages provide
Pretty sure that's not true. CSS allows you to choose both what's visible to the user, and also what's included in copy/paste. There's _some_ limitations on that, but it's flexible enough to have a lot of room to be extremely scary.
You can also have a lot of fun with fonts, something that looks like "cp a b" could actually, in text, be "rm a b"
You can do it via CSS trickery, or you can even do keyboard/mouse event detection and swap out via window.getSelection(), but both are much more involved & less reliable than via a button.
There is literally no way to secure against people being hacked if the scenario is a user blindly following instructions without looking at / thinking about them.