curl | bad

curl | bad

NOTE: the image for this blog post is because we are talking about something in the...shell... 😁️

I know that doing curl and directly pipe'ing into bash is considered a bad practice for security, and people discourage it.

When it comes to automation though, sometimes there is no way to get around people doing it. So here are a few practical things to do if you are going to do that.

  1. Do a curl -fsSLI on the url. This will show you the headers of where you would be going without actually navigating you to the contents of the file yet. You can checkout more about the above command here: https://explainshell.com/explain?cmd=curl+-fsSLI

  2. do a curl -fsSL 'https://url' | $EDITOR - , so you can inspect the contents of what the script is doing to your device. This is EXTREMELY important, because once you curl to bash there is no going back...

  3. If you want to, to make sure it doesn’t do anything bad, do it inside a VM (Virtual Machine) or container. If you use vagrant or docker spinning up a VM is only a few more seconds to a minute that could prevent someone messing up your machine.

    • for docker you can do this command, so you get the official container that has curl
    docker container run --rm --cap-drop all -it curlimages/curl /bin/sh
    
  4. This one is a bash trick, so I learned from making packer template and observing the bento project (https://github.com/chef/bento/) one of the flags they use is the -x option for sh. While it might not be apparent when thinking about moving from scripting to regular cli, you can specify that flag during run time of a script to do “debug” mode and bash supports it too

    • I couldn’t find a good place to reference bash’s man page (excpet on my linux machine), but there are two ways to look at it if you are on a linux machine
      • if you are running bash do help set and you should get all the necessary information
      • if you aren't running bash do man bash you should be able to see

        All of the single-character shell options documented in the description of the set builtin command

    and https://explainshell.com/explain?cmd=set+-x is an explanation of that option.

So, an example for running one of my scripts from a blog post (https://blog.elreydetoda.sitehttps://blog.elreydetoda.sitehttps://blog.elreydetoda.sitehttp://localhost:8080http://localhost:8080/lost-without-routing-sense/) is as follows:

curl -fsSL 'https://git.io/JtVB6' | bash -xs '24' '192.168.22.0' '10.0.0.1'
  1. Lastly make sure that the scripts you are pipe'ing to bash are by a trusted authority or some one you can trust to take proper security precautions. A great example is installing docker: https://docs.docker.com/engine/install/debian/#install-using-the-convenience-script