[Repulsion9513]

You never want to see raw, attacker-supplied text in a terminal, actually.

[Groxx]

It sure is a good thing we never run anything in our terminals without fully vetting all output.

     curl -s -L https://raw.githubusercontent.com/Groxx/rickrollrc/master/roll.sh | bash

[labster]

You know the rules, and so do I.

[dv_dt]

I know I prefer my exploits to come from opaque corners of package formats or docker layers as bofh intended. The more indirect handoffs of trust the merrier.

[Timber-6539]

Docker is at least sandboxed by default and requires sudo password to run commands.

[dv_dt]

There are advantages to docker, but also disadvantages. Definitely the same w/ "curl | sh" That's all I was trying to allude to, tongue in cheek.

[freeone3000]

But it requires sudo or effective-sudo to run any command, making such a measure worthless

[StableAlkyne]

I can't believe curl | sh is still the recommended way to install oh-my-zsh

[Dylan16807]

Getting it out of a repository wouldn't make any more vetting appear as if by magic.

And if you're facing an attacker sophisticated enough to send different contents to a browser and to curl, then you're probably not going to find their backdoor in the first place. And it would be stupid of them to depend on that trick, so this becomes an extremely niche case not worth worrying about.

And multiply that sophistication by a hundred times because this is on github servers.

The "what if the file is truncated" issue is the only realistic one, and competent installers like this one define functions and don't run them until the last line.

[tzs]

> Getting it out of a repository wouldn't make any more vetting appear as if by magic.

But it makes it way easier to figure out what happened if you do get attacked.

With "curl | sh" if a compromised site only sends the attack code randomly and I get unlucky I won't have a copy of the attack code afterwards. If I go to the site to grab a copy I'll probably get a copy without the attack code.

With "curl > /tmp/foo.$$; sh < /tmp/foo.$$" if I am unlucky and get the attack code I can at least look at /tmp/foo.$$ to see what happened, and download the code again and see if it is the same.

If you insist on piping, at least do "curl | tee /tmp/foo.$$ | sh".

[vladxyz]

You can also throw in a `-x` at the end there.

[Repulsion9513]

> sophisticated enough to send different contents to a browser and to curl

Checking the Accept header (or User-Agent or a bunch of other things) is very difficult :)

[soraminazuki]

GP likely meant differentiating `curl` and `curl | bash`.

https://web.archive.org/web/20240520142212/https://www.idont...

[Repulsion9513]

Did they? IDK, just differentiating browser from curl is incredibly likely to be "good enough" as an attacker.

[arresin]

I like it because you can replace sh with whatever you want to go over the script

[Repulsion9513]

I mean, the context I was replying to was:

> terminals don't have even a small fraction of browsers' malicious-link-defense mechanisms (as demonstrated). I always want to see the full url in a terminal.

And yeah you're right if you're just piping stuff to bash, malicious URLs are the least of your worries, but that doesn't change the fact that outputting data (that may contain raw control codes) to your terminal is dangerous with or without linkified-URLs.

[lxgr]

Is that realistic?

Sure, text editors and viewers like vim or less can probably filter out terminal escape sequences, but should arbitrary programs printing (potentially user-supplied) strings to stdout have to?

Maybe terminal escape sequence processing should be opt-in (on a by-process/job level) rather than opt-out?

[Repulsion9513]

`| less`