zlacker

[return to "Detecting the use of "curl | bash" server-side"]
1. ithkui+3j[view] [source] 2018-07-29 09:15:44
>>rubyn0+(OP)
I wish there was a standard way to check a checksum, so that download instructions could just include that in the snippet to copy paste.

I wrote a tool that could be used like that but it's useless if its not ubiquitous (https://github.com/mmikulicic/runck)

◧◩
2. e12e+Gm[view] [source] 2018-07-29 10:54:28
>>ithkui+3j
Since copy-pasting to the terminal is also unsafe[1], it's not really a solution...

At any rate - code-signing doesn't really help if the author is the attacker.

[1] http://thejh.net/misc/website-terminal-copy-paste

◧◩◪
3. ithkui+kq[view] [source] 2018-07-29 11:56:45
>>e12e+Gm
Sure, but that's harder to hide. Any user could paste somewhere where nothing gets executed and the expose the hack attempt. Pipe to bash has the interesting aspect of letting the author inject hacks only to people who are not looking.

Anyway, the use case for my runck utility is scripts such as dockefiles or CI automation where I want to download and run installers and I don't want to reduce the bash boilerplate.

[go to top]