Skip to content

Security: Remote script execution via curl pipe to shell#1404

Open
tuanaiseo wants to merge 1 commit into
ihmily:mainfrom
tuanaiseo:contribai/fix/security/remote-script-execution-via-curl-pipe-to
Open

Security: Remote script execution via curl pipe to shell#1404
tuanaiseo wants to merge 1 commit into
ihmily:mainfrom
tuanaiseo:contribai/fix/security/remote-script-execution-via-curl-pipe-to

Conversation

@tuanaiseo

Copy link
Copy Markdown

Problem

Node.js installation runs remote scripts using curl ... | bash - with shell=True. If the remote endpoint is compromised or intercepted, arbitrary code executes on the host.

Severity: critical
File: src/initializer.py

Solution

Avoid piping remote content directly into a shell. Download pinned installer artifacts over TLS, verify cryptographic checksums/signatures, and execute only trusted local files.

Changes

  • src/initializer.py (modified)

Testing

  • Existing tests pass
  • Manual review completed
  • No new warnings/errors introduced

…to shell

Node.js installation runs remote scripts using `curl ... | bash -` with `shell=True`. If the remote endpoint is compromised or intercepted, arbitrary code executes on the host.

Affected files: initializer.py

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant