chef-web-docs
Curling Directly into Bash is Insecure
Description
The tutorial, https://docs.chef.io/install_omnibus.html, shows an incredibly insecure way of creating an installer, due to a timing difference between curling into a file/stdout vs curling directly into bash. This timing difference can allow the server to send different payloads for each and evade detection from anyone who wants to simply "check the file" before it gets executed.
Gif of exploit - Note different payloads depending on if it is output to bash or stdout:
Please read the following article to see how this exploit works: https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/
This is exacerbated by the fact you're executing a file, which you cannot be completely sure is safe, with sudo permissions!
How can this be fixed?
Please, please, please curl into a file before you execute. Otherwise you cannot be certain of what is being executed. The connection could drop half-way and it would still be executed, with sudo permissions. Bash doesn't care what it's executing, bash doesn't know if it's malicious.
A simpler example: imagine your script uses rm -rf /home/user/stuff anywhere in the file. A connection drop-out or a man-in-the-middle could drop the connection at rm -rf /, which would be executed with sudo permission and wipe your machine.
Curling directly into bash is insecure. Please don't do it, ever.
The following commands would be more secure as the user can actually verify the contents and there isn't the potential for a different payload to be sent, based on the timing exploit above.
curl -Lo install.sh https://omnitruck.chef.io/install.sh && bash install.sh
wget https://omnitruck.chef.io/install.sh && bash install.sh
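An added example, not part of the original issue or of Chef's tooling: one way to make "download to a file, then execute" enforceable is to refuse to run the file unless it is complete and matches a SHA-256 digest obtained separately from the download. The function names and the existence of a published digest are assumptions made for this sketch.

```shell
#!/usr/bin/env bash
# Added example: run a downloaded installer only if it matches a pinned SHA-256.
# Assumption: the expected digest was obtained out of band (not from the same
# response that delivered the script).

# Print the SHA-256 of a file as lowercase hex (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# run_if_verified FILE EXPECTED_SHA256 [ARGS...]
# Returns the script's exit status after running FILE,
# 2 if FILE is missing or empty, 3 if the digest does not match.
run_if_verified() {
    local file="$1" expected="$2" actual
    shift 2
    [ -s "$file" ] || { echo "refusing: $file is missing or empty" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        # A truncated download or a swapped payload both end up here.
        echo "refusing: digest mismatch for $file" >&2
        return 3
    fi
    bash "$file" "$@"
}

# fetch_then_run URL EXPECTED_SHA256
# Downloads to a temporary file first; nothing reaches bash until the
# transfer has finished successfully and the digest check has passed.
fetch_then_run() {
    local url="$1" expected="$2" tmp rc=1
    tmp=$(mktemp) || return 1
    # -f turns HTTP errors into a non-zero exit; a dropped connection also
    # makes curl fail, so a partial file is never executed.
    if curl -fsSL -o "$tmp" "$url"; then
        rc=0
        run_if_verified "$tmp" "$expected" || rc=$?
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Because the script is read from disk after the transfer has ended, the server cannot observe how the client consumes the stream, and the digest check rejects a file cut short by a dropped connection.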