curl https://some-url/ | sh

I see this all over the place nowadays, even in communities that, I would think, should be security conscious. How is that safe? What’s stopping the downloaded script from wiping my home directory? If you use this, how can you feel comfortable?

I understand that we have the same problems with the installed application, even if it was downloaded and installed manually. But I feel the bar for making a mistake in a shell script is much lower than in whatever language the main application is written. Don’t we have something better than “sh” for this? Something with less power to do harm?

  • mesa@piefed.social
    link
    fedilink
    English
    arrow-up
    3
    ·
    22 hours ago

    I usually just take a look at the code with a get request. Then if it looks good, then run manually. Most of the time, it’s fine. Sometimes there’s something that would break something on the system.

    I haven’t seen anything explicitly nefarious, but it’s better to be safe than sorry.