←back to thread

Show HN: Vet – A tool for safely running remote shell scripts

(getvet.sh)
89 points a10r | 6 comments | 28 Jun 25 19:56 UTC | HN request time: 2.278s | source | bottom
1. nodesocket ◴[29 Jun 25 01:09 UTC] No.44409539[source]
This looks great and all, but trying to read and digest a multi hundred line bash script seems unrealistic. Full send pipe into bash.
replies(1): >>44409767 #
2. sgarland ◴[29 Jun 25 01:59 UTC] No.44409767[source]
And this is why this exploit mechanism works so well.

Most installers are doing the same basic patterns: checking for dependencies, checking the distro, etc. It’s not hard to figure these out and spot them in different scripts.

replies(1): >>44410576 #
3. treve ◴[29 Jun 25 05:29 UTC] No.44410576[source]
Does it work really well? Any major examples?
replies(1): >>44412992 #
4. sgarland ◴[29 Jun 25 13:30 UTC] No.44412992{3}[source]
OK, fair-ish point. You won’t find major examples, because it’s not a CVE if you willingly download and execute malicious code. I hope you can understand the theoretical (but very real) risks of doing this, though.

For me personally, I try to use a distro/platform specific package if it exists, since hopefully that means at least one human has read through some of the code, and probably installed it. If that’s not available, I do download the script to review before executing it (and not re-downloading it to pipe to a shell). I’m sure I wouldn’t catch everything, but I would probably catch odd embedded curl calls and the like.

replies(2): >>44413542 #>>44447506 #
5. arp242 ◴[29 Jun 25 14:40 UTC] No.44413542{4}[source]
As far as I know there are zero examples, CVE or not. I have asked several times over the years and thus no one has been able to provide an example. It just doesn't happen because it just doesn't make much sense.

As I already said years ago[1], if you want to hide some nefarious stuff then you'd do it in something like autoconf soup, or something like that. The install.sh is just too obvious of a place. And this is exactly what happened in the real-world xz attack. I can guarantee you very few, if any, packagers are auditing all of that. And even if they did: it's just so easy to miss.

[1]: https://www.arp242.net/curl-to-sh.html

6. treve ◴[02 Jul 25 18:59 UTC] No.44447506{4}[source]
It wasn't meant as a gotcha. I'm actually curious if this went wrong, and if it was more of a spear-fishing style attack or a vulnerability hitting multiple people.

Tons of devs download thousands of NPM packages as well, and each can execute code upon install, so a single curl-to-shell pipe from a HTTPS endpoint from a domain you checked always felt way safer than any `npm install`, and so a pretty minor in comparison and yet it gets a lot more attention than package manager, which _feels_ like security cargo culting. Plenty of supply chain attacks in package managers of course. But yeah, would like to be corrected if that intuition is wrong.