Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cht.sh installation: Add checksum validation #339

Open
dotcs opened this issue May 3, 2022 · 1 comment · May be fixed by #340
Open

cht.sh installation: Add checksum validation #339

dotcs opened this issue May 3, 2022 · 1 comment · May be fixed by #340

Comments

@dotcs
Copy link

dotcs commented May 3, 2022
edited
Loading

Installing shell scripts from the internet might be dangerous. The current install instructions ask users to download a shell script and set the executable bit without any file verification (signature check, hashsum verification, etc.).

curl https://cht.sh/:cht.sh > "$PATH_DIR/cht.sh"
chmod +x "$PATH_DIR/cht.sh"

At least a checksum verification should be implemented to make it more difficult for an attacker to temper with the script.

curl https://cht.sh/:cht.sh > "$PATH_DIR/cht.sh"
echo "d3135e42b800ff2e7aac44d4dfe500f0f4e2c7eb00a1c2191b0dc8b28431f155  $PATH_DIR/cht.sh" | sha256sum --check -
chmod +x "$PATH_DIR/cht.sh"

Please note that in case this is implemented, the hash must be updated if the cht.sh script is changed.
I'll add a PR for this that includes the checksum of the current script.

/edit: As mentioned in the link above, the shasum and the source file should live on different servers. So the question is: where is the website currently hosted? Looking up the IP of sheet.sh, it seems the IP is owned by you, @chubin. If GitHub Pages is not used for hosting the website, storing the shasums in a file in the repository would add an additional layer of security since an attacker would need to get access to both, your GitHub account and the server that runs somewhere else.
@dotcs dotcs linked a pull request May 3, 2022 that will close this issue
Open
@dotcs
Copy link
Author

dotcs commented May 3, 2022

If the shasum would be available in a file in the repo, also the self-update method of the script could be validating the downloaded source code, which it currently does not. I think it would be worth considering that.

cheat.sh/share/cht.sh.txt

Lines 728 to 744 in 571377f

cmd_update() {
[ -w "$0" ] || { echo "The script is readonly; please update manually: curl -s ${CHTSH_URL}/:cht.sh | sudo tee $0"; return; }
TMP2=$(mktemp /tmp/cht.sh.XXXXXXXXXXXXX)
curl -s "${CHTSH_URL}"/:cht.sh > "$TMP2"
if ! cmp "$0" "$TMP2" > /dev/null 2>&1; then
if grep -q ^__CHTSH_VERSION= "$TMP2"; then
# section was vaildated by us already
args=(--shell "$section")
cp "$TMP2" "$0" && echo "Updated. Restarting..." && rm "$TMP2" && CHEATSH_RESTART=1 exec "$0" "${args[@]}"
else
echo "Something went wrong. Please update manually"
fi
else
echo "cht.sh is up to date. No update needed"
fi
rm -f "$TMP2" > /dev/null 2>&1
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

cht.sh installation: Add checksum validation dotcs/cheat.sh
1 participant
@dotcs