This is basically a note to self.
If you’ve ever downloaded a tool from the internet then you’ve probably run curl or some other equivalent to grab it. It always strikes me as a little wild to just blindly trust internet scripts without at least reading through them for a dodginess check.
I was thinking about this as I was installing Nix on a new system. So I thought, let me run it through an LLM because, like terms and conditions and privacy policies, who has time to read all that? After all, that’s what they’re good at (along with stealing our jobs, our art, and general livelihoods).
For example, I ran the script through my LLM command:
bat nix-installer.sh | llm "Check this script for any security issues and list potential CVEs"
Which gave the following semi-useful output:
The provided shell script is designed to download and install a Nix installer, handling various steps such as platform detection and appropriate downloading methods. Here are some considerations for identifying potential security issues and relevant CVEs:
Potential Security Issues
Downloading Executables Without Verification
- The script downloads an executable without any cryptographic verification (e.g., checksums, signatures). This could allow an attacker to compromise the downloaded binary.
Mitigation: Implement checks for integrity (e.g., SHA256 checksum or GPG signature verification).
Using HTTP Instead of HTTPS
- The code suggests that if NIX_INSTALLER_FORCE_ALLOW_HTTP is set, it could allow downloading via HTTP, which is insecure and can lead to man-in-the-middle (MITM) attacks.
Mitigation: Always enforce HTTPS and avoid allowing the use of HTTP.
Error Handling with Output
- The script captures and prints errors during download attempts. If sensitive information is included in the error messages, this could lead to information leakage.
Mitigation: Review error messages to ensure no sensitive information is disclosed.
Insufficient Command Checking
- The need_cmd function checks for required commands and can potentially fail silently without proper feedback in case of a missing command.
Mitigation: Consider more robust error handling or logging for clarity.
Environment Variable Handling
- The use of environment variables (e.g., NIX_INSTALLER_NO_CONFIRM, NIX_INSTALLER_FORCE_ALLOW_HTTP) may introduce security risks if they are set unexpectedly in the environment before running the script.
Mitigation: Validate and sanitize inputs or provide a static/default configuration.
Permissions Issues
- The script does not include checks or precautions about file permissions that could expose downloaded executables.
Mitigation: Review and set strict permissions when creating temporary files or downloaded executables.
Identifying CVEs
The script itself does not directly correspond to any specific CVE; however, vulnerabilities can relate to the libraries and commands used in the script. Here are general categories:
CURL and WGET: Vulnerabilities in these downloading utilities can lead to insecure download practices.
- CVEs like CVE-2021-22946 (CURL) highlight security issues related to insecure downloads.
Shell Injection Vulnerabilities: If arguments to commands are not sanitized properly, they may be vulnerable to command injection, potentially leading to CVEs associated with improper command execution.
Filesystem Permissions: Vulnerabilities associated with improper permissions can also arise from storing sensitive information or executing binaries with improper privileges.
OS and Platform-Specific Vulnerabilities: Depending on platform-specific utilities called within the script (e.g., uname, chmod, etc.), there may be underlying system vulnerabilities.
Recommendations
- Implement Integrity Checks: Introduce measures such as checksum verification for downloaded files.
- Always Use HTTPS: Enforce HTTPS-only connections to prevent MITM attacks.
- Robust Error Handling: Provide clear error messages and log details securely without leaking sensitive information.
- Code Review and Static Analysis: Conduct thorough code reviews and employ static analysis tools to identify potential vulnerabilities.
- Regular Vulnerability Scanning: Use tools to scan for known vulnerabilities in the libraries and utilities involved, and ensure they are kept updated.
By addressing these areas, the overall security posture of the script can be improved.
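The two recommendations the LLM actually got right (pin a checksum, refuse plain HTTP) plus the "read it before you run it" point from the top of this note fit in a few shell functions. The block below is an added example written for this note; it is not the Nix installer's code and not what the llm command produced. The URL, the sample "installer" file and the list of grep patterns are constructed for the demo, and the curl flags used in install_from_url (--proto '=https', --tlsv1.2, -fsSL, --max-redirs) are standard curl options rather than anything taken from nix-installer.sh.

```shell
#!/bin/sh
# Added example: fetch-to-file, verify, triage, and only then run.
# Replaces the "curl ... | sh" habit with three checks the installer output above asked for.
set -eu

# SHA-256 hex digest of a file, portable across coreutils, BSD and openssl-only hosts.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# Returns 0 only when the file's digest equals the pinned digest you obtained out of band.
verify_sha256() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Hard refusal of anything that is not https://, which is the behaviour
# an escape hatch like NIX_INSTALLER_FORCE_ALLOW_HTTP would otherwise relax.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Triage aid for the manual "dodginess check": prints numbered lines that use
# constructs worth reading closely (eval, base64 decoding, nested pipe-to-shell,
# plaintext URLs, TLS verification disabled). A hit means "read this", not "malicious".
flag_suspicious() {
    grep -n -E \
        -e 'eval ' \
        -e 'base64 (-d|--decode)' \
        -e '[|] *(ba)?sh' \
        -e 'http://' \
        -e 'curl .*(-k|--insecure)' \
        "$1" || true
}

# The wrapper itself: download to a temp file, verify the pin, show the triage
# output, and run only if the digest matched. Not exercised below (no network).
install_from_url() {
    url=$1
    expected=$2
    require_https "$url" || { echo "refusing non-https URL: $url" >&2; return 1; }
    tmp=$(mktemp)
    # --proto '=https' stops curl following a redirect to http://, -f fails on HTTP errors.
    curl --proto '=https' --tlsv1.2 -fsSL --max-redirs 3 -o "$tmp" "$url"
    if ! verify_sha256 "$tmp" "$expected"; then
        echo "checksum mismatch for $url, not running it" >&2
        rm -f "$tmp"
        return 1
    fi
    echo "lines worth a look before trusting this script:"
    flag_suspicious "$tmp"
    sh "$tmp"
    rm -f "$tmp"
}

# Constructed sample installer so the helpers can be exercised offline.
SAMPLE=$(mktemp)
printf '#!/bin/sh\necho "installing"\ncurl http://example.invalid/x | sh\n' > "$SAMPLE"
GOOD_DIGEST=$(sha256_of "$SAMPLE")
BAD_DIGEST=0000000000000000000000000000000000000000000000000000000000000000

echo "pinned digest: $GOOD_DIGEST"
echo "triage hits in the constructed sample:"
flag_suspicious "$SAMPLE"
```

The pinned digest has to come from somewhere other than the same server that serves the script (a release page, a signed manifest, a colleague's checksum), otherwise an attacker who can swap the script can swap the checksum too. The triage grep is deliberately noisy; its job is to point your eyes at the right lines, which is the part the LLM summary above skips.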
Maybe I’ll make it into a tool or AI agent wrapping curl…
…Just musing