I would be lying if I told you I’ve never blindly copied a line like the one below, pasted it into my terminal and hit enter without thinking twice.
curl https://get.docker.com/ | sh
This command fetches the contents of a remote shell script and then executes it. It’s a common pattern for quickly installing tools without a package manager, but it also presents an opportunity for an attacker to run anything on your machine.
By simply copying and running the command without first checking the contents of the file, you have no idea what the script is doing; pray there’s no rm -rf /.
We can visit the URL in our browser first to view the script and determine whether it’s safe to run, but there’s a problem with this. The request headers sent to the server when requesting the file via your browser will differ from those sent by curl. An attacker can use this to serve a safe-looking script when they detect you are viewing the URL in a browser, and then send a completely different script back if you’re requesting the same resource via curl.
The simplest safety measure you can take is to never directly pipe the script into your shell. Split the command up so you can verify the contents of the script before executing it.
# Fetch the script and save it to a new file
curl https://get.docker.com/ > install-docker.sh
# Output the script to stdout to inspect it
cat install-docker.sh
# If you are happy, make the script executable and run it
chmod +x install-docker.sh && ./install-docker.sh
The command may also be written slightly differently but share the exact same behaviour. For example, here’s how you might see install instructions for docker, brew and ohmyzsh, just to name a few.
curl https://get.docker.com/ | sh
curl https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh | sh
curl https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh | sh
sh -c "$(curl -fsSL https://get.docker.com/)"
sh -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"
You may also see a couple of other variations that use wget or fetch instead of curl.
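To find these download-and-run lines in your own install docs, Dockerfiles or CI scripts, the script below greps for both forms shown above plus the wget and fetch variants. It is an added example, not part of the original post; the function names, the example.invalid URLs and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag "download and run" lines in a script, README or CI file.

# Form 1: <downloader> ... | [sudo] <shell>   (direct pipe into a shell)
PIPE_RE='(^|[^[:alnum:]_-])(curl|wget|fetch)[[:space:]][^|]*\|[[:space:]]*(sudo[[:space:]]+)?(ba|z|da)?sh([[:space:]]|$)'
# Form 2: <shell> -c "$(<downloader> ...)"    (command substitution)
SUBST_RE='(ba|z|da)?sh[[:space:]]+-c[[:space:]]+"?\$\((curl|wget|fetch)[[:space:]]'

# Print "line-number:line" for every match in file $1 (status 1 if none).
find_pipe_to_shell() {
    grep -nE -e "$PIPE_RE" -e "$SUBST_RE" "$1"
}

# Print only the number of matching lines in file $1.
count_pipe_to_shell() {
    grep -cE -e "$PIPE_RE" -e "$SUBST_RE" "$1"
}

# Write a constructed sample file to path $1.
write_sample() {
    cat > "$1" <<'EOF'
curl https://get.docker.com/ | sh
sh -c "$(curl -fsSL https://get.docker.com/)"
wget -qO- https://example.invalid/install.sh | sudo bash
curl https://get.docker.com/ > install-docker.sh
cat install-docker.sh
chmod +x install-docker.sh && ./install-docker.sh
curl -fsSL https://example.invalid/data.json | shasum -a 256
EOF
}

# Scan the files given as arguments, or the constructed sample if none.
if [ "$#" -eq 0 ]; then
    sample=$(mktemp)
    write_sample "$sample"
    set -- "$sample"
fi
for f in "$@"; do
    echo "== $f"
    find_pipe_to_shell "$f" || echo "(no pipe-to-shell lines found)"
done
if [ -n "${sample:-}" ]; then rm -f "$sample"; fi
```

Pass file paths as arguments to scan your own files. Only direct pipes are matched, so a pipeline with another command between the downloader and the shell is not flagged.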
Remember, always check the contents of the script before blindly executing it.