
Deno 2.4

(deno.com)
133 points | hackandthink | 1 comment
bflesch No.44488699
Big fan of deno, congrats on shipping.

From a security standpoint it really icks me when projects prominently ask their users to do the `curl mywebsite.com/foo.sh | sh` thing. I know risk acceptance is different for many people, but if you download a file before executing it, at least you or your antivirus can check what it actually does.

As supply chain attacks are significant security risks for a node/deno stack application, the `curl | sh` is a red flag that signals to me that the author of the website prefers convenience over security.

With a curl request directly executed, this can happen:

- the web server behind mywebsite.com/foo.sh provides malware for the first request from your IP, but when you request it again it will show a different, clean file without any code

- MITM attack gives you a different file than others receive

Node/deno applications using the npm ecosystem put a lot of blind trust into npm servers, which are hosted by Microsoft, and therefore easily MITM'able by government agencies.

When looking at official docs for deno at https://docs.deno.com/runtime/getting_started/installation/ the second option behind `curl | sh` they're offering is the much more secure `npm install -g deno`. Here at least some file integrity checks and basic malware scanning are done by npm when downloading and installing the package.

Even though deno has excellent programmers working on the main project, the deno.land website might not always be as secure as the main codebase.

Just my two cents, I know it's a slippery slope in terms of security risk but I cannot say that `curl | sh` is good practice.

replies(10): >>44488723 #>>44488744 #>>44488758 #>>44488836 #>>44489041 #>>44489128 #>>44489256 #>>44489488 #>>44489530 #>>44489730 #
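The download-then-inspect-then-run workflow the comment above argues for, as an added example that is not part of this thread or of the Deno project. It assumes a placeholder installer URL and a pinned SHA-256 digest obtained out of band (e.g. from the project's docs or a signed release note), not from the same server that serves the script.

```sh
#!/bin/sh
# Added example, not from the thread or from Deno: fetch an install script to
# disk, pin its SHA-256, inspect it, and only then run it. INSTALLER_URL and
# PINNED_SHA256 are placeholders; the real digest must come from a channel
# other than the server that serves the script (docs, a signed release note).
set -eu

# Portable SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Download to a file, never to a pipe: -f fails on HTTP errors instead of
# executing an error page, -L follows redirects, -o keeps the bytes on disk
# so the copy you inspect is the copy you run.
fetch_to_file() {
  curl -fsSL "$1" -o "$2"
}

# Run $1 only if its digest equals $2; returns 1 (runs nothing) otherwise.
# A server that serves different bytes per request or a MITM that alters
# them in transit both trip this check instead of reaching the interpreter.
run_if_digest_matches() {
  actual=$(sha256_of "$1")
  if [ "$actual" != "$2" ]; then
    printf 'refusing to run %s\n  expected %s\n  got      %s\n' \
      "$1" "$2" "$actual" >&2
    return 1
  fi
  sh "$1"
}

# Usage: ./install-safely.sh <INSTALLER_URL> <PINNED_SHA256>
main() {
  tmp=$(mktemp)
  trap 'rm -f "$tmp"' EXIT
  fetch_to_file "$1" "$tmp"
  # The file is on disk here: read it (or hand it to a scanner) before the
  # digest gate below lets it execute.
  run_if_digest_matches "$tmp" "$2"
}

if [ "$#" -eq 2 ]; then
  main "$@"
fi
```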
methyl No.44488723
Has any attack like this been ever seen in the wild? Not saying it's impossible – but I'm just curious if this vector was ever successfully exploited.
replies(1): >>44488785 #
bflesch No.44488785
I'm sure there are cases where the website CMS was hacked and then malware served instead of the normal install script. The `curl | sh` approach has been around forever.

And depending on what "interesting" IP address you are coming from, NSA/Microsoft/Apple will MITM your npm install / windows update / ios update accordingly.

Same in the Linux ecosystem, if you look at the maintainers of popular distributions, some of them had .ru / .cn email addresses before switching to more official email addresses using the project domain - IMO this change of email addresses happened due to public pressure on Russia after the Ukraine invasion. Having access to main package signing keys for a Linux distribution, you can provide special packages from your Linux package mirror to interesting targets.

All of these scenarios are extremely hard to prove after the fact and the parties involved are not the type of people who do public writeups.

replies(1): >>44488898 #
oblio No.44488898
If the website CMS is hacked, they can just swap the installable binary to one that's hacked, too.
replies(1): >>44489082 #
pcl No.44489082
That’s why downloading and then executing is preferable — as the GP pointed out, you or your machine’s antivirus can have an opportunity to inspect the file prior to execution, whereas that is not an option when the bytes are streamed directly to the interpreter.